diff options
author | mike <mike@FreeBSD.org> | 2003-04-09 03:04:12 +0000 |
---|---|---|
committer | mike <mike@FreeBSD.org> | 2003-04-09 03:04:12 +0000 |
commit | 6067525913c2a13f7785f6d88dc81df85cde5812 (patch) | |
tree | 058bbdc564bcc891a28e1adb5f67a45e806274e2 | |
parent | 79d60009e2bdcbd2cc1dacebff7139856d04ee1a (diff) | |
download | FreeBSD-src-6067525913c2a13f7785f6d88dc81df85cde5812.zip FreeBSD-src-6067525913c2a13f7785f6d88dc81df85cde5812.tar.gz |
o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
jail.
o Add -i option to jail(8) to output jail ID of newly created jail.
-rw-r--r-- | usr.bin/killall/killall.1 | 9 | ||||
-rw-r--r-- | usr.bin/killall/killall.c | 23 | ||||
-rw-r--r-- | usr.sbin/Makefile | 2 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 34 | ||||
-rw-r--r-- | usr.sbin/jail/jail.c | 21 | ||||
-rw-r--r-- | usr.sbin/jexec/Makefile | 7 | ||||
-rw-r--r-- | usr.sbin/jexec/jexec.8 | 52 | ||||
-rw-r--r-- | usr.sbin/jexec/jexec.c | 62 | ||||
-rw-r--r-- | usr.sbin/jls/Makefile | 7 | ||||
-rw-r--r-- | usr.sbin/jls/jls.8 | 50 | ||||
-rw-r--r-- | usr.sbin/jls/jls.c | 77 |
11 files changed, 320 insertions, 24 deletions
diff --git a/usr.bin/killall/killall.1 b/usr.bin/killall/killall.1 index 9c81346..3614e3f 100644 --- a/usr.bin/killall/killall.1 +++ b/usr.bin/killall/killall.1 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 25, 1995 +.Dd April 8, 2003 .Os .Dt KILLALL 1 .Sh NAME @@ -39,6 +39,7 @@ .Op Fl m .Op Fl s .Op Fl z +.Op Fl j Ar jid .Op Fl u Ar user .Op Fl t Ar tty .Op Fl c Ar procname @@ -89,6 +90,9 @@ The signal may be specified either as a name (with or without a leading .Dv SIG ) , or numerically. +.It Fl j Ar jid +Kill processes in the jail specified by +.Ar jid . .It Fl u Ar user Limit potentially matching processes to those belonging to the specified @@ -133,7 +137,8 @@ Diagnostic messages will only be printed if requested by options. .Sh SEE ALSO .Xr kill 1 , -.Xr sysctl 3 +.Xr sysctl 3 , +.Xr jail 8 .Sh HISTORY The .Nm diff --git a/usr.bin/killall/killall.c b/usr.bin/killall/killall.c index b1fcc25..4c2b06a 100644 --- a/usr.bin/killall/killall.c +++ b/usr.bin/killall/killall.c @@ -29,6 +29,7 @@ __FBSDID("$FreeBSD$"); #include <sys/param.h> +#include <sys/jail.h> #include <sys/stat.h> #include <sys/user.h> #include <sys/sysctl.h> @@ -49,7 +50,9 @@ static void __dead2 usage(void) { - fprintf(stderr, "usage: killall [-l] [-v] [-m] [-sig] [-u user] [-t tty] [-c cmd] [cmd]...\n"); + fprintf(stderr, "usage: killall [-l] [-v] [-m] [-sig] [-j jid]\n"); + fprintf(stderr, + " [-u user] [-t tty] [-c cmd] [cmd]...\n"); fprintf(stderr, "At least one option or argument to specify processes must be given.\n"); exit(1); } @@ -110,6 +113,7 @@ main(int ac, char **av) int vflag = 0; int sflag = 0; int dflag = 0; + int jflag = 0; int mflag = 0; int zflag = 0; uid_t uid = 0; @@ -122,6 +126,7 @@ main(int ac, char **av) const char *const *p; char *ep; int errors = 0; + int jid; int mib[4]; size_t miblen; int st, nprocs; @@ -142,6 +147,18 @@ main(int ac, char **av) if (**av == '-') { ++*av; switch (**av) { + case 'j': + ++*av; + if (**av == '\0') + ++av; + --ac; + jflag++; + jid = strtol(*av, &ep, 10); + if (!*av || *ep) + errx(1, "illegal jid: %s", *av); + if (jail_attach(jid) == -1) + err(1, "jail_attach(): %d", jid); + break; case 'u': ++*av; if (**av == '\0') @@ -206,7 +223,7 @@ main(int ac, char **av) } } - if (user == NULL && tty == NULL && cmd == NULL && ac == 0) + if (user == NULL && tty == NULL && cmd == NULL && !jflag && ac == 0) usage(); if (tty) { @@ -324,6 +341,8 @@ main(int ac, char **av) matched = 0; } } + if (jflag && thispid == getpid()) + matched = 0; if (matched == 0) continue; if (ac > 0) diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile index b0fc31f..905c2e2 100644 --- a/usr.sbin/Makefile +++ b/usr.sbin/Makefile @@ -45,6 +45,8 @@ SUBDIR= IPXrouted \ inetd \ iostat \ jail \ + jexec \ + jls \ kbdcontrol \ kbdmap \ kernbb \ diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 1d6d05a..5317e05 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -33,7 +33,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 12, 2001 +.Dd April 8, 2003 .Dt JAIL 8 .Os .Sh NAME @@ -41,6 +41,7 @@ .Nd "imprison process and its descendants" .Sh SYNOPSIS .Nm +.Op Fl i .Op Fl u Ar username .Ar path hostname ip-number command ... .Sh DESCRIPTION @@ -50,6 +51,8 @@ utility imprisons a process and all future descendants. .Pp The options are as follows: .Bl -tag -width ".Fl u Ar username" +.It Fl i +Output the jail identifier of the newly created jail. .It Fl u Ar username The user name as whom the .Ar command @@ -275,6 +278,9 @@ and other processes running within the jail using with the .Ql J flag appearing beside jailed processes. +To see an active list of jails, use the +.Xr jls 8 +utility. You should also be able to .Xr telnet 1 to the hostname or IP address of the jailed environment, and log @@ -304,12 +310,16 @@ Depending on the intended use of the jail, you may also want to run .Pa /etc/rc.shutdown from within the jail. -Currently there is no way to insert new processes -into a jail, so you must first log into the jail before performing these -actions. +To kill processes from outside the jail, use the +.Xr jexec 8 +utility in conjuction with the one of the +.Xr kill 1 +commands above, or use the +.Xr killall 1 +utility with the +.Fl j +option. .Pp -To kill processes from outside the jail, you must individually identify the -PID of each process to be killed. The .Pa /proc/ Ns Ar pid Ns Pa /status file contains, as its last field, the hostname of the jail in which the @@ -335,11 +345,6 @@ Just add the following line to .Pa /etc/sysctl.conf : .Pp .Dl security.jail.set_hostname_allowed=0 -.Pp -In a future version of -.Fx , -the mechanisms for managing jails will be -more refined. .Ss "Sysctl MIB Entries" Certain aspects of the jail containments environment may be modified from the host environment using @@ -388,15 +393,19 @@ As such, this functionality is disabled by default, but can be enabled by setting this MIB entry to 1. .El .Sh SEE ALSO +.Xr killall 1 , .Xr newaliases 1 , .Xr ps 1 , .Xr chroot 2 , .Xr jail 2 , +.Xr jail_attach 2 , .Xr procfs 5 , .Xr rc.conf 5 , .Xr sysctl.conf 5 , .Xr halt 8 , .Xr inetd 8 , +.Xr jexec 8 , +.Xr jls 8 , .Xr mount_devfs 8 , .Xr named 8 , .Xr reboot 8 , @@ -423,8 +432,7 @@ who contributed it to wrote the extended documentation, found a few bugs, added a few new features, and cleaned up the userland jail environment. .Sh BUGS -Jail currently lacks strong management functionality, such as the ability -to deliver signals to all processes in a jail, and to allow access to +Jail currently lacks the ability to allow access to specific jail information via .Xr ps 1 as opposed to diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index 332be28..87bc483 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -34,20 +34,24 @@ main(int argc, char **argv) struct jail j; struct passwd *pwd; struct in_addr in; - int ch, groups[NGROUPS], ngroups; + int ch, groups[NGROUPS], i, iflag, ngroups; char *username; + iflag = 0; username = NULL; - while ((ch = getopt(argc, argv, "u:")) != -1) + while ((ch = getopt(argc, argv, "iu:")) != -1) { switch (ch) { + case 'i': + iflag = 1; + break; case 'u': username = optarg; break; default: usage(); - break; } + } argc -= optind; argv += optind; if (argc < 4) @@ -73,8 +77,11 @@ main(int argc, char **argv) if (inet_aton(argv[2], &in) == 0) errx(1, "Could not make sense of ip-number: %s", argv[2]); j.ip_number = ntohl(in.s_addr); - if (jail(&j) != 0) + i = jail(&j); + if (i == -1) err(1, "jail"); + if (iflag) + printf("%d\n", i); if (username != NULL) { if (setgroups(ngroups, groups) != 0) err(1, "setgroups"); @@ -87,14 +94,14 @@ main(int argc, char **argv) } if (execv(argv[3], argv + 3) != 0) err(1, "execv: %s", argv[3]); - exit (0); + exit(0); } static void usage(void) { - (void)fprintf(stderr, "%s\n", - "Usage: jail [-u username] path hostname ip-number command ..."); + (void)fprintf(stderr, + "usage: jail [-i] [-u username] path hostname ip-number command ...\n"); exit(1); } diff --git a/usr.sbin/jexec/Makefile b/usr.sbin/jexec/Makefile new file mode 100644 index 0000000..87e9926 --- /dev/null +++ b/usr.sbin/jexec/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +PROG= jexec +MAN= jexec.8 +WARNS?= 6 + +.include <bsd.prog.mk> diff --git a/usr.sbin/jexec/jexec.8 b/usr.sbin/jexec/jexec.8 new file mode 100644 index 0000000..bab886c --- /dev/null +++ b/usr.sbin/jexec/jexec.8 @@ -0,0 +1,52 @@ +.\" +.\" Copyright (c) 2003 Mike Barcroft <mike@FreeBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd April 8, 2003 +.Dt JEXEC 8 +.Os +.Sh NAME +.Nm jexec +.Nd "excute a command inside an existing jail" +.Sh SYNOPSIS +.Nm +.Ar jid command ... +.Sh DESCRIPTION +The +.Nm +utility excutes +.Ar command +inside the jail identified by, +.Ar jid. +.Sh SEE ALSO +.Xr jail_attach 2 , +.Xr jail 8 , +.Xr jls 8 +.Sh HISTORY +The +.Nm +utility was added in +.Fx 5.1 . diff --git a/usr.sbin/jexec/jexec.c b/usr.sbin/jexec/jexec.c new file mode 100644 index 0000000..90f117e --- /dev/null +++ b/usr.sbin/jexec/jexec.c @@ -0,0 +1,62 @@ +/*- + * Copyright (c) 2003 Mike Barcroft <mike@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/param.h> +#include <sys/jail.h> + +#include <err.h> +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> + +static void usage(void); + +int +main(int argc, char *argv[]) +{ + int jid; + + if (argc < 3) + usage(); + jid = (int)strtol(argv[1], NULL, 10); + if (jail_attach(jid) == -1) + err(1, "jail_attach(): %d", jid); + if (chdir("/") == -1) + err(1, "chdir(): /"); + if (execv(argv[2], argv + 2) == -1) + err(1, "execv(): %s", argv[2]); + exit(0); +} + +static void +usage(void) +{ + + fprintf(stderr, "usage: jexec jid command [...]\n"); + exit(1); +} diff --git a/usr.sbin/jls/Makefile b/usr.sbin/jls/Makefile new file mode 100644 index 0000000..3968946 --- /dev/null +++ b/usr.sbin/jls/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +PROG= jls +MAN= jls.8 +WARNS?= 6 + +.include <bsd.prog.mk> diff --git a/usr.sbin/jls/jls.8 b/usr.sbin/jls/jls.8 new file mode 100644 index 0000000..4dc68c7 --- /dev/null +++ b/usr.sbin/jls/jls.8 @@ -0,0 +1,50 @@ +.\" +.\" Copyright (c) 2003 Mike Barcroft <mike@FreeBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd April 8, 2003 +.Dt JLS 8 +.Os +.Sh NAME +.Nm jls +.Nd "list active jails" +.Sh SYNOPSIS +.Nm +.Sh DESCRIPTION +The +.Nm +utility lists all active jails. +Each jail is represented by one row which contains the following columns: +jail identifier (JID), IP address, hostname, and path. +.Sh SEE ALSO +.Xr jail 2 , +.Xr jail 8 , +.Xr jexec 8 +.Sh HISTORY +The +.Nm +utility was added in +.Fx 5.1 . diff --git a/usr.sbin/jls/jls.c b/usr.sbin/jls/jls.c new file mode 100644 index 0000000..2a34adc --- /dev/null +++ b/usr.sbin/jls/jls.c @@ -0,0 +1,77 @@ +/*- + * Copyright (c) 2003 Mike Barcroft <mike@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#include <sys/param.h> +#include <sys/jail.h> +#include <sys/sysctl.h> + +#include <arpa/inet.h> +#include <err.h> +#include <errno.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> + + +int +main(void) +{ + struct xprison *sxp, *xp; + struct in_addr in; + size_t i, len; + + if (sysctlbyname("security.jail.list", NULL, &len, NULL, 0) == -1) + err(1, "sysctlbyname(): security.jail.list"); +retry: + if (len <= 0) + exit(0); + sxp = xp = calloc(len, 1); + if (sxp == NULL) + err(1, "malloc()"); + + if (sysctlbyname("security.jail.list", xp, &len, NULL, 0) == -1) { + if (errno == ENOMEM) { + free(sxp); + goto retry; + } + err(1, "sysctlbyname(): security.jail.list", NULL); + } + if (len < sizeof(*xp) || len % sizeof(*xp) || + xp->pr_version != XPRISON_VERSION) + errx(1, "Kernel and userland out of sync"); + + printf(" JID IP Address Hostname Path\n"); + for (i = 0; i < len / sizeof(*xp); i++) { + in.s_addr = ntohl(xp->pr_ip); + printf("%6d %-12.12s %-29.29s %.77s\n", + xp->pr_id, inet_ntoa(in), xp->pr_host, xp->pr_path); + xp++; + } + free(sxp); + exit(0); +} |