authorsjg <sjg@FreeBSD.org>2013-10-13 02:35:19 +0000
committersjg <sjg@FreeBSD.org>2013-10-13 02:35:19 +0000
commit7fcd33c1faf567506b5c0b4148c7a15a10788a5d (patch)
tree2c6f4d1ca5d1c643faea64e1f4c90105a1ab406a /etc
parent2a59274eda20cc626e28052fff7aa8b7bf6a3683 (diff)
parent5cca672bb0892f1c5da630c34a1f98e2de4d7064 (diff)
Merge head@256284
Diffstat (limited to 'etc')
-rw-r--r--etc/Makefile21
-rw-r--r--etc/defaults/periodic.conf2
-rw-r--r--etc/defaults/rc.conf40
-rw-r--r--etc/ftpusers6
-rw-r--r--etc/group1
-rw-r--r--etc/master.passwd1
-rw-r--r--etc/mtree/BIND.chroot.dist35
-rw-r--r--etc/mtree/BIND.include.dist22
-rw-r--r--etc/mtree/BSD.include.dist2
-rw-r--r--etc/mtree/BSD.var.dist6
-rw-r--r--etc/mtree/Makefile10
-rw-r--r--etc/network.subr245
-rw-r--r--etc/periodic/daily/Makefile4
-rw-r--r--etc/portsnap.conf1
-rw-r--r--etc/rc.d/Makefile17
-rwxr-xr-xetc/rc.d/NETWORKING2
-rwxr-xr-xetc/rc.d/ctld22
-rwxr-xr-xetc/rc.d/iscsictl20
-rwxr-xr-xetc/rc.d/iscsid20
-rwxr-xr-xetc/rc.d/jail869
-rwxr-xr-xetc/rc.d/local_unbound91
-rwxr-xr-xetc/rc.d/netif68
-rwxr-xr-xetc/rc.d/sendmail7
-rwxr-xr-xetc/rc.d/sshd105
-rw-r--r--etc/rc.subr31
25 files changed, 774 insertions, 874 deletions
diff --git a/etc/Makefile b/etc/Makefile
index ae52d79..ff8efc5 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -142,12 +142,6 @@ MTREE= BSD.include.dist BSD.root.dist BSD.usr.dist BSD.var.dist
.if ${MK_SENDMAIL} != "no"
MTREE+= BSD.sendmail.dist
.endif
-.if ${MK_BIND} != "no"
-MTREE+= BIND.chroot.dist
-.if ${MK_BIND_LIBS} != "no"
-MTREE+= BIND.include.dist
-.endif
-.endif
.if ${MK_DEBUG_FILES} != "no"
MTREE+= BSD.debug.dist
.endif
@@ -242,14 +236,11 @@ distribution:
${BSM_ETC_RESTRICTED_FILES} ${BSM_ETC_DIR}
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 0500 \
${BSM_ETC_EXEC_FILES} ${BSM_ETC_DIR}
-.if ${MK_BIND_MTREE} != "no"
- if [ ! -e ${DESTDIR}/etc/namedb ]; then \
- ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb; \
+.if ${MK_UNBOUND} != "no"
+ if [ ! -e ${DESTDIR}/etc/unbound ]; then \
+ ${INSTALL_SYMLINK} ../var/unbound ${DESTDIR}/etc/unbound; \
fi
.endif
-.if ${MK_BIND_ETC} != "no"
- ${_+_}cd ${.CURDIR}/namedb; ${MAKE} install
-.endif
.if ${MK_SENDMAIL} != "no"
${_+_}cd ${.CURDIR}/sendmail; ${MAKE} distribution
.endif
@@ -323,12 +314,6 @@ MTREES= mtree/BSD.root.dist / \
.if ${MK_DEBUG_FILES} != "no"
MTREES+= mtree/BSD.debug.dist /usr/lib
.endif
-.if ${MK_BIND_LIBS} != "no"
-MTREES+= mtree/BIND.include.dist /usr/include
-.endif
-.if ${MK_BIND_MTREE} != "no"
-MTREES+= mtree/BIND.chroot.dist /var/named
-.endif
.if ${MK_GROFF} != "no"
MTREES+= mtree/BSD.groff.dist /usr
.endif
diff --git a/etc/defaults/periodic.conf b/etc/defaults/periodic.conf
index 9fb6859..9078577 100644
--- a/etc/defaults/periodic.conf
+++ b/etc/defaults/periodic.conf
@@ -190,7 +190,7 @@ weekly_noid_dirs="/" # Look here
# 400.status-pkg
weekly_status_pkg_enable="NO" # Find out-of-date pkgs
pkg_version=pkg_version # Use this program
-pkg_version_index=/usr/ports/INDEX-10 # Use this index file
+pkg_version_index=/usr/ports/INDEX-11 # Use this index file
# 450.status-security
weekly_status_security_enable="YES" # Security check
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 47d5145..b7a9a0e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -263,9 +263,14 @@ syslogd_flags="-s" # Flags to syslogd (if enabled).
inetd_enable="NO" # Run the network daemon dispatcher (YES/NO).
inetd_program="/usr/sbin/inetd" # path to inetd, if you want a different one.
inetd_flags="-wW -C 60" # Optional flags to inetd
+iscsid_enable="NO" # iSCSI initiator daemon.
+iscsictl_enable="NO" # iSCSI initiator autostart.
+iscsictl_flags="-Aa" # Optional flags to iscsictl.
hastd_enable="NO" # Run the HAST daemon (YES/NO).
hastd_program="/sbin/hastd" # path to hastd, if you want a different one.
hastd_flags="" # Optional flags to hastd.
+ctld_enable="NO" # CAM Target Layer / iSCSI target daemon.
+local_unbound_enable="NO" # local caching resolver
#
# named. It may be possible to run named in a sandbox, man security for
# details.
@@ -669,44 +674,11 @@ mixer_enable="YES" # Run the sound mixer.
opensm_enable="NO" # Opensm(8) for infiniband devices defaults to off
##############################################################
-### Jail Configuration #######################################
+### Jail Configuration (see rc.conf(5) manual page) ##########
##############################################################
jail_enable="NO" # Set to NO to disable starting of any jails
jail_parallel_start="NO" # Start jails in the background
jail_list="" # Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
-
-#
-# To use rc's built-in jail infrastructure create entries for
-# each jail, specified in jail_list, with the following variables.
-# NOTES:
-# - replace 'example' with the jail's name.
-# - except rootdir, hostname, ip and the _multi<n> addresses,
-# all of the following variables may be made global jail variables
-# if you don't specify a jail name (ie. jail_interface, jail_devfs_ruleset).
-#
-#jail_example_rootdir="/usr/jail/default" # Jail's root directory
-#jail_example_hostname="default.domain.com" # Jail's hostname
-#jail_example_interface="" # Jail's interface variable to create IP aliases on
-#jail_example_fib="0" # Routing table for setfib(1)
-#jail_example_ip="192.0.2.10,2001:db8::17" # Jail's primary IPv4 and IPv6 address
-#jail_example_ip_multi0="2001:db8::10" # and another IPv6 address
-#jail_example_exec_start="/bin/sh /etc/rc" # command to execute in jail for starting
-#jail_example_exec_afterstart0="/bin/sh command" # command to execute after the one for
- # starting the jail. More than one can be
- # specified using a trailing number
-#jail_example_exec_stop="/bin/sh /etc/rc.shutdown" # command to execute in jail for stopping
-#jail_example_devfs_enable="NO" # mount devfs in the jail
-#jail_example_devfs_ruleset="ruleset_name" # devfs ruleset to apply to jail -
- # usually you want "devfsrules_jail".
-#jail_example_fdescfs_enable="NO" # mount fdescfs in the jail
-#jail_example_procfs_enable="NO" # mount procfs in jail
-#jail_example_mount_enable="NO" # mount/umount jail's fs
-#jail_example_fstab="" # fstab(5) for mount/umount
-#jail_example_flags="-l -U root" # flags for jail(8)
-#jail_example_parameters="allow.raw_sockets=1" # extra parameters for this jail
##############################################################
### Define source_rc_confs, the mechanism used by /etc/rc.* ##
diff --git a/etc/ftpusers b/etc/ftpusers
index adb9dcf..da89623 100644
--- a/etc/ftpusers
+++ b/etc/ftpusers
@@ -13,7 +13,11 @@ games
news
man
sshd
+smmsp
+mailnull
+_atf
bind
+unbound
proxy
_pflogd
_dhcp
@@ -23,5 +27,3 @@ auditdistd
www
hast
nobody
-mailnull
-smmsp
diff --git a/etc/group b/etc/group
index 79e5360..72b1ec4 100644
--- a/etc/group
+++ b/etc/group
@@ -19,6 +19,7 @@ mailnull:*:26:
_atf:*:27:
guest:*:31:
bind:*:53:
+unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
diff --git a/etc/master.passwd b/etc/master.passwd
index f979940..7585471 100644
--- a/etc/master.passwd
+++ b/etc/master.passwd
@@ -15,6 +15,7 @@ smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/no
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
_atf:*:27:27::0:0:& pseudo-user:/nonexistent:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
+unbound:*:59:59::0:0:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
diff --git a/etc/mtree/BIND.chroot.dist b/etc/mtree/BIND.chroot.dist
deleted file mode 100644
index 95423db..0000000
--- a/etc/mtree/BIND.chroot.dist
+++ /dev/null
@@ -1,35 +0,0 @@
-# $FreeBSD$
-#
-# Please see the file src/etc/mtree/README before making changes to this file.
-#
-
-/set type=dir uname=root gname=wheel mode=0755
-.
- dev mode=0555
- ..
- etc
- namedb
- dynamic uname=bind
- ..
- master
- ..
- slave uname=bind
- ..
- working uname=bind
- ..
- ..
- ..
-/set type=dir uname=bind gname=wheel mode=0755
- var uname=root
- dump
- ..
- log
- ..
- run
- named
- ..
- ..
- stats
- ..
- ..
-..
diff --git a/etc/mtree/BIND.include.dist b/etc/mtree/BIND.include.dist
deleted file mode 100644
index 534794a..0000000
--- a/etc/mtree/BIND.include.dist
+++ /dev/null
@@ -1,22 +0,0 @@
-# $FreeBSD$
-#
-# Please see the file src/etc/mtree/README before making changes to this file.
-#
-
-/set type=dir uname=root gname=wheel mode=0755
-.
- bind
- ..
- bind9
- ..
- dns
- ..
- dst
- ..
- isc
- ..
- isccc
- ..
- isccfg
- ..
-..
diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist
index dbfbfc9..76cdf94 100644
--- a/etc/mtree/BSD.include.dist
+++ b/etc/mtree/BSD.include.dist
@@ -249,8 +249,6 @@
..
libmilter
..
- lwres
- ..
lzma
..
machine
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 196ee42..f4faeed 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -63,13 +63,9 @@
..
msgs uname=daemon
..
- named
- ..
preserve
..
run
- named uname=bind gname=bind
- ..
ppp gname=network mode=0770
..
wpa_supplicant
@@ -97,6 +93,8 @@
vi.recover mode=01777
..
..
+ unbound uname=unbound gname=unbound mode=0755
+ ..
yp
..
..
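Review bot: The new `unbound uname=unbound gname=unbound mode=0755` entry makes the daemon's own account the owner of `/var/unbound`, and the etc/Makefile hunk in this commit symlinks `/etc/unbound` to that directory, so the resolver's configuration directory is writable by the user the resolver runs as. The BIND.chroot.dist being deleted kept `etc/namedb` root-owned and gave `bind` only the `dynamic`, `slave` and `working` subdirectories, which is the least-privilege layout worth preserving here. Unless local_unbound (its rc script is not in this chunk) has to write into the top level, consider a root-owned `unbound mode=0755` with an `unbound`-owned subdirectory for runtime state, so a compromised resolver process cannot persistently rewrite its own configuration.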
diff --git a/etc/mtree/Makefile b/etc/mtree/Makefile
index 06aeb19..3228c6c 100644
--- a/etc/mtree/Makefile
+++ b/etc/mtree/Makefile
@@ -2,21 +2,13 @@
.include <bsd.own.mk>
-FILES= ${_BIND.chroot.dist} \
- ${_BIND.include.dist} \
- ${_BSD.debug.dist} \
+FILES= ${_BSD.debug.dist} \
BSD.include.dist \
BSD.root.dist \
${_BSD.sendmail.dist} \
BSD.usr.dist \
BSD.var.dist
-.if ${MK_BIND} != "no"
-_BIND.chroot.dist= BIND.chroot.dist
-.if ${MK_BIND_LIBS} != "no"
-_BIND.include.dist= BIND.include.dist
-.endif
-.endif
.if ${MK_DEBUG_FILES} != "no"
_BSD.debug.dist= BSD.debug.dist
.endif
diff --git a/etc/network.subr b/etc/network.subr
index 7dfb328..f92cab1 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -48,9 +48,11 @@ ifn_start()
ifscript_up ${ifn} && cfg=0
ifconfig_up ${ifn} && cfg=0
- afexists inet && ipv4_up ${ifn} && cfg=0
- afexists inet6 && ipv6_up ${ifn} && cfg=0
- afexists ipx && ipx_up ${ifn} && cfg=0
+ if ! noafif $ifn; then
+ afexists inet && ipv4_up ${ifn} && cfg=0
+ afexists inet6 && ipv6_up ${ifn} && cfg=0
+ afexists ipx && ipx_up ${ifn} && cfg=0
+ fi
childif_create ${ifn} && cfg=0
return $cfg
@@ -68,9 +70,11 @@ ifn_stop()
[ -z "$ifn" ] && err 1 "ifn_stop called without an interface"
- afexists ipx && ipx_down ${ifn} && cfg=0
- afexists inet6 && ipv6_down ${ifn} && cfg=0
- afexists inet && ipv4_down ${ifn} && cfg=0
+ if ! noafif $ifn; then
+ afexists ipx && ipx_down ${ifn} && cfg=0
+ afexists inet6 && ipv6_down ${ifn} && cfg=0
+ afexists inet && ipv4_down ${ifn} && cfg=0
+ fi
ifconfig_down ${ifn} && cfg=0
ifscript_down ${ifn} && cfg=0
childif_destroy ${ifn} && cfg=0
@@ -78,6 +82,41 @@ ifn_stop()
return $cfg
}
+# ifn_vnetup ifn
+# Move ifn to the specified vnet jail.
+#
+ifn_vnetup()
+{
+
+ ifn_vnet0 $1 vnet
+}
+
+# ifn_vnetdown ifn
+# Reclaim ifn from the specified vnet jail.
+#
+ifn_vnetdown()
+{
+
+ ifn_vnet0 $1 -vnet
+}
+
+# ifn_vnet0 ifn action
+# Helper function for ifn_vnetup and ifn_vnetdown.
+#
+ifn_vnet0()
+{
+ local _ifn _cfg _action _vnet
+ _ifn="$1"
+ _action="$2"
+ _cfg=1
+
+ if _vnet=$(vnetif $_ifn); then
+ ${IFCONFIG_CMD} $_ifn $_action $_vnet && _cfg=0
+ fi
+
+ return $_cfg
+}
+
# ifconfig_up if
# Evaluate ifconfig(8) arguments for interface $if and
# run ifconfig(8) with those arguments. It returns 0 if
@@ -103,7 +142,7 @@ ifconfig_up()
fi
# inet6 specific
- if afexists inet6; then
+ if ! noafif $1 && afexists inet6; then
if checkyesno ipv6_activate_all_interfaces; then
_ipv6_opts="-ifdisabled"
elif [ "$1" != "lo0" ]; then
@@ -280,24 +319,27 @@ _ifconfig_getargs()
# args such as DHCP and WPA.
ifconfig_getargs()
{
- local _tmpargs _arg _args
+ local _tmpargs _arg _args _vnet
_tmpargs=`_ifconfig_getargs $1 $2`
if [ $? -eq 1 ]; then
return 1
fi
_args=
+ _vnet=0
for _arg in $_tmpargs; do
- case $_arg in
- [Dd][Hh][Cc][Pp]) ;;
- [Nn][Oo][Aa][Uu][Tt][Oo]) ;;
- [Nn][Oo][Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]) ;;
- [Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]) ;;
- [Ww][Pp][Aa]) ;;
- [Hh][Oo][Ss][Tt][Aa][Pp]) ;;
- *)
+ case $_arg:$_vnet in
+ [Dd][Hh][Cc][Pp]:0) ;;
+ [Nn][Oo][Aa][Uu][Tt][Oo]:0) ;;
+ [Nn][Oo][Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]:0) ;;
+ [Ss][Yy][Nn][Cc][Dd][Hh][Cc][Pp]:0) ;;
+ [Ww][Pp][Aa]:0) ;;
+ [Hh][Oo][Ss][Tt][Aa][Pp]:0) ;;
+ vnet:0) _vnet=1 ;;
+ *:1) _vnet=0 ;;
+ *:0)
_args="$_args $_arg"
- ;;
+ ;;
esac
done
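Review bot: The new `vnet:0)` arm matches only a lowercase keyword, whereas every sibling keyword in this case statement (`[Dd][Hh][Cc][Pp]`, `[Ww][Pp][Aa]`, ...) is matched case-insensitively, so `VNET jailname` in an ifconfig_IF string would be passed through to ifconfig(8) as two stray arguments while `vnet jailname` is stripped. Either match it the same way, `[Vv][Nn][Ee][Tt]:0) _vnet=1 ;;`, or document that this keyword is lowercase-only. The same pattern appears in the new vnetif() hunk below (`vnet:0) _vnet=1 ;;`) and must agree with this one, otherwise the two functions will disagree about which interfaces carry a vnet keyword. ifconfig_getargs continues past the end of the hunk.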
@@ -422,6 +464,25 @@ hostapif()
return 1
}
+# vnetif if
+# Returns 0 and echo jail if "vnet" keyword is specified on the
+# interface, and 1 otherwise.
+vnetif()
+{
+ local _tmpargs _arg _vnet
+ _tmpargs=`_ifconfig_getargs $1`
+
+ _vnet=0
+ for _arg in $_tmpargs; do
+ case $_arg:$_vnet in
+ vnet:0) _vnet=1 ;;
+ *:1) echo $_arg; return 0 ;;
+ esac
+ done
+
+ return 1
+}
+
# afexists af
# Returns 0 if the address family is enabled in the kernel
# 1 otherwise.
@@ -463,6 +524,7 @@ noafif()
case $_if in
pflog[0-9]*|\
pfsync[0-9]*|\
+ usbus[0-9]*|\
an[0-9]*|\
ath[0-9]*|\
ipw[0-9]*|\
@@ -654,18 +716,16 @@ ipv4_down()
ifalias ${_if} inet -alias && _ret=0
- inetList="`${IFCONFIG_CMD} ${_if} | grep 'inet ' | tr "\n" "$_ifs"`"
+ inetList="`${IFCONFIG_CMD} ${_if} | grep 'inet ' | tr "\n\t" "$_ifs"`"
oldifs="$IFS"
IFS="$_ifs"
for _inet in $inetList ; do
# get rid of extraneous line
case $_inet in
- "") break ;;
- \ inet\ *|inet\ *) ;;
- *) continue ;;
+ inet\ *) ;;
+ *) continue ;;
esac
- [ -z "$_inet" ] && break
_inet=`expr "$_inet" : '.*\(inet \([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*'`
@@ -696,13 +756,16 @@ ipv6_down()
ipv6_prefix_hostid_addr_common ${_if} -alias && _ret=0
ifalias ${_if} inet6 -alias && _ret=0
- inetList="`${IFCONFIG_CMD} ${_if} | grep 'inet6 ' | tr "\n" "$_ifs"`"
+ inetList="`${IFCONFIG_CMD} ${_if} | grep 'inet6 ' | tr "\n\t" "$_ifs"`"
oldifs="$IFS"
IFS="$_ifs"
for _inet6 in $inetList ; do
# get rid of extraneous line
- [ -z "$_inet6" ] && break
+ case $_inet in
+ inet6\ *) ;;
+ *) continue ;;
+ esac
_inet6=`expr "$_inet6" : '.*\(inet6 \([0-9a-f:]*\)\).*'`
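Review bot: The `case $_inet in` added to ipv6_down tests the wrong variable: the loop is `for _inet6 in $inetList`, so `$_inet` is either unset or whatever ipv4_down last left in it, the `inet6\ *` arm never matches, every iteration takes `*) continue`, and the IPv6 addresses are never removed. The line should read `case $_inet6 in`. The matching hunk in ipv4_down above does test its own loop variable. ipv6_down starts and ends outside the hunk.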
@@ -1197,8 +1260,7 @@ ifscript_down()
#
clone_up()
{
- local _prefix _list ifn ifopt _iflist _n tmpargs
- _prefix=
+ local _list ifn ifopt _iflist _n tmpargs
_list=
_iflist=$*
@@ -1210,15 +1272,34 @@ clone_up()
""|$ifn|$ifn\ *|*\ $ifn\ *|*\ $ifn) ;;
*) continue ;;
esac
- # Skip if ifn already exists.
- if ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then
- continue
- fi
- ${IFCONFIG_CMD} ${ifn} create `get_if_var ${ifn} create_args_IF`
- if [ $? -eq 0 ]; then
- _list="${_list}${_prefix}${ifn}"
- [ -z "$_prefix" ] && _prefix=' '
- fi
+ case $ifn in
+ epair[0-9]*)
+ # epair(4) uses epair[0-9] for creation and
+ # epair[0-9][ab] for configuration.
+ #
+ # Skip if ${ifn}a or ${ifn}b already exist.
+ if ${IFCONFIG_CMD} ${ifn}a > /dev/null 2>&1; then
+ continue
+ elif ${IFCONFIG_CMD} ${ifn}b > /dev/null 2>&1; then
+ continue
+ fi
+ ${IFCONFIG_CMD} ${ifn} create \
+ `get_if_var ${ifn} create_args_IF`
+ if [ $? -eq 0 ]; then
+ _list="$_list ${ifn}a ${ifn}b"
+ fi
+ ;;
+ *)
+ # Skip if ${ifn} already exists.
+ if ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then
+ continue
+ fi
+ ${IFCONFIG_CMD} ${ifn} create \
+ `get_if_var ${ifn} create_args_IF`
+ if [ $? -eq 0 ]; then
+ _list="$_list $ifn"
+ fi
+ esac
done
if [ -n "$gif_interfaces" ]; then
warn "\$gif_interfaces is obsolete. Use \$cloned_interfaces instead."
@@ -1244,16 +1325,15 @@ clone_up()
;;
esac
if [ $? -eq 0 ]; then
- _list="${_list}${_prefix}${ifn}"
- [ -z "$_prefix" ] && _prefix=' '
+ _list="$_list $ifn"
fi
tmpargs=$(get_if_var $ifn gifconfig_IF)
eval ifconfig_${ifn}=\"tunnel \$tmpargs\"
done
- if [ -n "${_list}" ]; then
- echo "Created clone interfaces: ${_list}."
+ if [ -n "${_list# }" ]; then
+ echo "Created clone interfaces: ${_list# }."
fi
- debug "Cloned: ${_list}"
+ debug "Cloned: ${_list# }"
}
# clone_down
@@ -1262,8 +1342,7 @@ clone_up()
#
clone_down()
{
- local _prefix _list ifn ifopt _iflist _sticky
- _prefix=
+ local _list ifn _difn ifopt _iflist _sticky
_list=
_iflist=$*
@@ -1285,20 +1364,40 @@ clone_down()
""|$ifn|$ifn\ *|*\ $ifn\ *|*\ $ifn) ;;
*) continue ;;
esac
- # Skip if ifn does not exist.
- if ! ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then
- continue
- fi
- ${IFCONFIG_CMD} -n ${ifn} destroy
- if [ $? -eq 0 ]; then
- _list="${_list}${_prefix}${ifn}"
- [ -z "$_prefix" ] && _prefix=' '
- fi
+ case $ifn in
+ epair[0-9]*)
+ # Note: epair(4) uses epair[0-9] for removal and
+ # epair[0-9][ab] for configuration.
+ #
+ # Skip if both of ${ifn}a and ${ifn}b do not exist.
+ if ${IFCONFIG_CMD} ${ifn}a > /dev/null 2>&1; then
+ _difn=${ifn}a
+ elif ${IFCONFIG_CMD} ${ifn}b > /dev/null 2>&1; then
+ _difn=${ifn}b
+ else
+ continue
+ fi
+ ${IFCONFIG_CMD} -n $_difn destroy
+ if [ $? -eq 0 ]; then
+ _list="$_list ${ifn}a ${ifn}b"
+ fi
+ ;;
+ *)
+ # Skip if ifn does not exist.
+ if ! ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then
+ continue
+ fi
+ ${IFCONFIG_CMD} -n ${ifn} destroy
+ if [ $? -eq 0 ]; then
+ _list="$_list $ifn"
+ fi
+ ;;
+ esac
done
- if [ -n "${_list}" ]; then
- echo "Destroyed clone interfaces: ${_list}."
+ if [ -n "${_list# }" ]; then
+ echo "Destroyed clone interfaces: ${_list# }."
fi
- debug "Destroyed clones: ${_list}"
+ debug "Destroyed clones: ${_list# }"
}
# childif_create
@@ -1573,17 +1672,33 @@ list_net_interfaces()
fi
done
_tmplist="${_lo}${_tmplist# }"
- ;;
+ ;;
*)
- _tmplist="${network_interfaces} ${cloned_interfaces}"
-
+ for _if in ${network_interfaces} ${cloned_interfaces}; do
+ # epair(4) uses epair[0-9] for creation and
+ # epair[0-9][ab] for configuration.
+ case $_if in
+ epair[0-9]*)
+ _tmplist="$_tmplist ${_if}a ${_if}b"
+ ;;
+ *)
+ _tmplist="$_tmplist $_if"
+ ;;
+ esac
+ done
+ #
# lo0 is effectively mandatory, so help prevent foot-shooting
#
case "$_tmplist" in
- lo0|'lo0 '*|*' lo0'|*' lo0 '*) ;; # This is fine, do nothing
- *) _tmplist="lo0 ${_tmplist}" ;;
- esac
+ lo0|'lo0 '*|*' lo0'|*' lo0 '*)
+ # This is fine, do nothing
+ _tmplist="${_tmplist# }"
;;
+ *)
+ _tmplist="lo0 ${_tmplist# }"
+ ;;
+ esac
+ ;;
esac
_list=
@@ -1595,14 +1710,14 @@ list_net_interfaces()
_list="${_list# } ${_if}"
fi
done
- ;;
+ ;;
dhcp)
for _if in ${_tmplist} ; do
if dhcpif $_if; then
_list="${_list# } ${_if}"
fi
done
- ;;
+ ;;
noautoconf)
for _if in ${_tmplist} ; do
if ! ipv6_autoconfif $_if && \
@@ -1610,17 +1725,17 @@ list_net_interfaces()
_list="${_list# } ${_if}"
fi
done
- ;;
+ ;;
autoconf)
for _if in ${_tmplist} ; do
if ipv6_autoconfif $_if; then
_list="${_list# } ${_if}"
fi
done
- ;;
+ ;;
*)
_list=${_tmplist}
- ;;
+ ;;
esac
echo $_list
diff --git a/etc/periodic/daily/Makefile b/etc/periodic/daily/Makefile
index 5a4e2d2..6909e30 100644
--- a/etc/periodic/daily/Makefile
+++ b/etc/periodic/daily/Makefile
@@ -24,10 +24,6 @@ FILES= 100.clean-disks \
FILES+= 310.accounting
.endif
-.if ${MK_BIND_NAMED} != "no"
-FILES+= 470.status-named
-.endif
-
.if ${MK_CALENDAR} != "no"
FILES+= 300.calendar
.endif
diff --git a/etc/portsnap.conf b/etc/portsnap.conf
index eca429f..d308260 100644
--- a/etc/portsnap.conf
+++ b/etc/portsnap.conf
@@ -32,3 +32,4 @@ KEYPRINT=9b5feee6d69f170e3dd0a2c8e469ddbd64f13f978f2f3aede40c98633216c330
# List of INDEX files to build and the DESCRIBE file to use for each
INDEX INDEX-8 DESCRIBE.8
INDEX INDEX-9 DESCRIBE.9
+INDEX INDEX-10 DESCRIBE.10
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 3defd97..e51e2f8 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -21,15 +21,16 @@ FILES= DAEMON \
auditd \
auditdistd \
bgfsck \
- bluetooth \
+ ${_bluetooth} \
bootparams \
bridge \
bsnmpd \
- bthidd \
+ ${_bthidd} \
ccd \
cleanvar \
cleartmp \
cron \
+ ctld \
ddb \
defaultroute \
devd \
@@ -47,7 +48,7 @@ FILES= DAEMON \
gptboot \
gssd \
hastd \
- hcsecd \
+ ${_hcsecd} \
hostapd \
hostid \
hostid_save \
@@ -62,6 +63,8 @@ FILES= DAEMON \
ipnat \
ipsec \
${_ipxrouted} \
+ iscsictl \
+ iscsid \
jail \
kadmind \
kerberos \
@@ -147,6 +150,7 @@ FILES= DAEMON \
tmp \
${_ubthidhci} \
ugidfw \
+ ${_unbound} \
${_utx} \
var \
virecover \
@@ -178,9 +182,16 @@ _nscd= nscd
.endif
.if ${MK_BLUETOOTH} != "no"
+_bluetooth= bluetooth
+_bthidd= bthidd
+_hcsecd= hcsecd
_ubthidhci= ubthidhci
.endif
+.if ${MK_UNBOUND} != "no"
+_unbound= local_unbound
+.endif
+
.if ${MK_UTMPX} != "no"
_utx= utx
.endif
diff --git a/etc/rc.d/NETWORKING b/etc/rc.d/NETWORKING
index 71cf26d..c86150f 100755
--- a/etc/rc.d/NETWORKING
+++ b/etc/rc.d/NETWORKING
@@ -6,7 +6,7 @@
# PROVIDE: NETWORKING NETWORK
# REQUIRE: netif netoptions routing ppp ipfw stf faith
# REQUIRE: defaultroute routed mrouted route6d mroute6d resolv bridge
-# REQUIRE: static_arp static_ndp
+# REQUIRE: static_arp static_ndp local_unbound
# This is a dummy dependency, for services which require networking
# to be operational before starting.
diff --git a/etc/rc.d/ctld b/etc/rc.d/ctld
new file mode 100755
index 0000000..87fb816
--- /dev/null
+++ b/etc/rc.d/ctld
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ctld
+# REQUIRE: FILESYSTEMS
+# BEFORE: DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="ctld"
+rcvar="ctld_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_files="/etc/ctl.conf"
+required_modules="ctl"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/etc/rc.d/iscsictl b/etc/rc.d/iscsictl
new file mode 100755
index 0000000..0925e0a
--- /dev/null
+++ b/etc/rc.d/iscsictl
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: iscsictl
+# REQUIRE: NETWORK iscsid
+# BEFORE: DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="iscsictl"
+rcvar="iscsictl_enable"
+command="/usr/bin/${name}"
+command_args="${iscsictl_flags}"
+required_modules="iscsi"
+
+load_rc_config $name
+run_rc_command "$1"
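Review bot: `command_args="${iscsictl_flags}"` is evaluated before `load_rc_config $name` sources rc.conf, so when the script is started on its own (for example by service(8), which runs rc.d scripts with a clean environment) `iscsictl_flags` is not yet set and command_args is empty; when the variable is inherited from /etc/rc instead, rc.subr's run_rc_command presumably also passes `${name}_flags` as rc_flags, so the same flags would be appended twice. Either move the assignment below `load_rc_config $name` or drop it and rely on the `${name}_flags` handling in rc.subr, as the sibling ctld and iscsid scripts in this commit do. The rc.subr behaviour is inferred, since that file is not in this chunk.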
diff --git a/etc/rc.d/iscsid b/etc/rc.d/iscsid
new file mode 100755
index 0000000..287631d
--- /dev/null
+++ b/etc/rc.d/iscsid
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: iscsid
+# REQUIRE: NETWORK
+# BEFORE: DAEMON
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="iscsid"
+rcvar="iscsid_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_modules="iscsi"
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/etc/rc.d/jail b/etc/rc.d/jail
index f19983f..63e489a 100755
--- a/etc/rc.d/jail
+++ b/etc/rc.d/jail
@@ -8,81 +8,138 @@
# BEFORE: securelevel
# KEYWORD: nojail shutdown
-# WARNING: This script deals with untrusted data (the data and
-# processes inside the jails) and care must be taken when changing the
-# code related to this! If you have any doubt whether a change is
-# correct and have security impact, please get the patch reviewed by
-# the FreeBSD Security Team prior to commit.
-
. /etc/rc.subr
name="jail"
rcvar="jail_enable"
-start_precmd="jail_prestart"
start_cmd="jail_start"
+start_postcmd="jail_warn"
stop_cmd="jail_stop"
+config_cmd="jail_config"
+console_cmd="jail_console"
+status_cmd="jail_status"
+extra_commands="config console status"
+: ${jail_conf:=/etc/jail.conf}
+: ${jail_program:=/usr/sbin/jail}
+: ${jail_consolecmd:=/bin/sh}
+: ${jail_jexec:=/usr/sbin/jexec}
+: ${jail_jls:=/usr/sbin/jls}
+
+need_dad_wait=
+
+# extact_var jail name param num defval
+# Extract value from ${jail_$jail_$name} or ${jail_$name} and
+# set it to $param. If not defined, $defval is used.
+# When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and
+# $param is set by using +=.
+# When $num is YN or NY, the value is interpret as boolean.
+extract_var()
+{
+ local i _j _name _param _num _def _name1 _name2
+ _j=$1
+ _name=$2
+ _param=$3
+ _num=$4
+ _def=$5
+
+ case $_num in
+ YN)
+ _name1=jail_${_j}_${_name}
+ _name2=jail_${_name}
+ eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\"
+ if checkyesno $_name1; then
+ echo " $_param = 1;"
+ else
+ echo " $_param = 0;"
+ fi
+ ;;
+ NY)
+ _name1=jail_${_j}_${_name}
+ _name2=jail_${_name}
+ eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\"
+ if checkyesno $_name1; then
+ echo " $_param = 0;"
+ else
+ echo " $_param = 1;"
+ fi
+ ;;
+ [0-9]*)
+ i=$_num
+ while : ; do
+ _name1=jail_${_j}_${_name}${i}
+ _name2=jail_${_name}${i}
+ eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\"
+ if [ -n "$_tmpargs" ]; then
+ echo " $_param += \"$_tmpargs\";"
+ else
+ break;
+ fi
+ i=$(($i + 1))
+ done
+ ;;
+ *)
+ _name1=jail_${_j}_${_name}
+ _name2=jail_${_name}
+ eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\"
+ if [ -n "$_tmpargs" ]; then
+ echo " $_param = \"$_tmpargs\";"
+ fi
+ ;;
+ esac
+}
-# init_variables _j
-# Initialize the various jail variables for jail _j.
+# parse_options _j
+# Parse options and create a temporary configuration file if necessary.
#
-init_variables()
+parse_options()
{
- _j="$1"
+ local _j
+ _j=$1
+ _confwarn=0
if [ -z "$_j" ]; then
- warn "init_variables: you must specify a jail"
+ warn "parse_options: you must specify a jail"
return
fi
-
+ eval _jconf=\"\${jail_${_j}_conf:-/etc/jail.${_j}.conf}\"
eval _rootdir=\"\$jail_${_j}_rootdir\"
- _devdir="${_rootdir}/dev"
- _fdescdir="${_devdir}/fd"
- _procdir="${_rootdir}/proc"
eval _hostname=\"\$jail_${_j}_hostname\"
+ if [ -z "$_rootdir" -o \
+ -z "$_hostname" ]; then
+ if [ -r "$_jconf" ]; then
+ _conf="$_jconf"
+ return 0
+ elif [ -r "$jail_conf" ]; then
+ _conf="$jail_conf"
+ return 0
+ else
+ warn "Invalid configuration for $_j " \
+ "(no jail.conf, no hostname, or no path). " \
+ "Jail $_j was ignored."
+ fi
+ return 1
+ fi
eval _ip=\"\$jail_${_j}_ip\"
- eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
- eval _exec=\"\$jail_${_j}_exec\"
-
- i=0
- while : ; do
- eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\"
- [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break
- i=$((i + 1))
- done
-
- eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"
-
- i=1
- while : ; do
- eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
- [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break
- i=$((i + 1))
- done
-
- i=0
- while : ; do
- eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\"
- [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
- i=$((i + 1))
- done
-
- i=0
- while : ; do
- eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\"
- [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break
- i=$((i + 1))
- done
-
- eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\"
-
- i=0
- while : ; do
- eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\"
- [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break
- i=$((i + 1))
- done
+ if [ -z "$_ip" ] && ! check_kern_features vimage; then
+ warn "no ipaddress specified and no vimage support. " \
+ "Jail $_j was ignored."
+ return 1
+ fi
+ _conf=/var/run/jail.${_j}.conf
+ #
+ # To relieve confusion, show a warning message.
+ #
+ _confwarn=1
+ if [ -r "$jail_conf" -o -r "$_jconf" ]; then
+ warn "$_conf is created and used for jail $_j."
+ fi
+ /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1
+ eval : \${jail_${_j}_flags:=${jail_flags}}
+ eval _exec=\"\$jail_${_j}_exec\"
+ eval _exec_start=\"\$jail_${_j}_exec_start\"
+ eval _exec_stop=\"\$jail_${_j}_exec_stop\"
if [ -n "${_exec}" ]; then
# simple/backward-compatible execution
_exec_start="${_exec}"
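Review bot: The WARNING block removed at the top of this hunk ("This script deals with untrusted data ... get the patch reviewed by the FreeBSD Security Team") still applies to the rewritten script: it now also wires up `console_cmd`/`status_cmd` with `jail_jexec` and `jail_jls` defaults (the functions themselves are outside this chunk), so data originating inside a jail is still being handled, and the comment should be restored verbatim. In extract_var, `_tmpargs` is assigned by the `eval` lines but is missing from `local i _j _name _param _num _def _name1 _name2`, so it leaks into the caller's scope; add it to the `local` declaration. The `echo " $_param = \"$_tmpargs\";"` lines also write the value into the generated jail.conf between double quotes without any escaping, so a value containing a `"` (plausible in an `exec_*` command string) yields a malformed or truncated configuration line. parse_options continues past the end of the hunk.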
@@ -96,285 +153,104 @@ init_variables()
fi
fi
fi
-
- # The default jail ruleset will be used by rc.subr if none is specified.
- eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
- eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
- [ -z "${_devfs}" ] && _devfs="NO"
- eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\"
- [ -z "${_fdescfs}" ] && _fdescfs="NO"
- eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\"
- [ -z "${_procfs}" ] && _procfs="NO"
-
- eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\"
- [ -z "${_mount}" ] && _mount="NO"
- # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
- eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
- [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
- eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
- [ -z "${_flags}" ] && _flags="-l -U root"
- eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
- [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
+ eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
eval _parameters=\"\${jail_${_j}_parameters:-${jail_parameters}}\"
- [ -z "${_parameters}" ] && _parameters=""
- eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
-
- # Debugging aid
- #
- debug "$_j devfs enable: $_devfs"
- debug "$_j fdescfs enable: $_fdescfs"
- debug "$_j procfs enable: $_procfs"
- debug "$_j mount enable: $_mount"
- debug "$_j hostname: $_hostname"
- debug "$_j ip: $_ip"
- jail_show_addresses ${_j}
- debug "$_j interface: $_interface"
- debug "$_j fib: $_fib"
- debug "$_j root: $_rootdir"
- debug "$_j devdir: $_devdir"
- debug "$_j fdescdir: $_fdescdir"
- debug "$_j procdir: $_procdir"
- debug "$_j ruleset: $_ruleset"
- debug "$_j fstab: $_fstab"
-
- i=0
- while : ; do
- eval out=\"\${_exec_prestart${i}:-''}\"
- if [ -z "$out" ]; then
- break
- fi
- debug "$_j exec pre-start #${i}: ${out}"
- i=$((i + 1))
- done
-
- debug "$_j exec start: $_exec_start"
-
- i=1
- while : ; do
- eval out=\"\${_exec_afterstart${i}:-''}\"
+ eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\"
+ (
+ date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S"
+ echo "$_j {"
+ extract_var $_j hostname host.hostname - ""
+ extract_var $_j rootdir path - ""
+ if [ -n "$_ip" ]; then
+ extract_var $_j interface interface - ""
+ jail_handle_ips_option $_ip $_interface
+ alias=0
+ while : ; do
+ eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
+ [ -z "$_x" ] && break
- if [ -z "$out" ]; then
- break;
+ jail_handle_ips_option $_x $_interface
+ alias=$(($alias + 1))
+ done
+ case $need_dad_wait in
+ 1)
+ # Sleep to let DAD complete before
+ # starting services.
+ echo " exec.start += \"sleep " \
+ $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \
+ "\";"
+ ;;
+ esac
+ # These are applicable only to non-vimage jails.
+ extract_var $_j fib exec.fib - ""
+ extract_var $_j socket_unixiproute_only \
+ allow.raw_sockets NY YES
+ else
+ echo " vnet;"
+ extract_var $_j vnet_interface vnet.interface - ""
fi
- debug "$_j exec after start #${i}: ${out}"
- i=$((i + 1))
- done
-
- i=0
- while : ; do
- eval out=\"\${_exec_poststart${i}:-''}\"
- if [ -z "$out" ]; then
- break
+ echo " exec.clean;"
+ echo " exec.system_user = \"root\";"
+ echo " exec.jail_user = \"root\";"
+ extract_var $_j exec_prestart exec.prestart 0 ""
+ extract_var $_j exec_poststart exec.poststart 0 ""
+ extract_var $_j exec_prestop exec.prestop 0 ""
+ extract_var $_j exec_poststop exec.poststop 0 ""
+
+ echo " exec.start += \"$_exec_start\";"
+ extract_var $_j exec_afterstart exec.start 1 ""
+ echo " exec.stop = \"$_exec_stop\";"
+
+ extract_var $_j consolelog exec.consolelog - \
+ /var/log/jail_${_j}_console.log
+
+ eval : \${jail_${_j}_devfs_enable:=${jail_devfs_enable:-NO}}
+ if checkyesno jail_${_j}_devfs_enable; then
+ echo " mount.devfs;"
+ case $_ruleset in
+ "") ;;
+ [0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;;
+ devfsrules_jail)
+ # XXX: This is the default value,
+ # Let jail(8) to use the default because
+ # mount(8) only accepts an integer.
+ # This should accept a ruleset name.
+ ;;
+ *) warn "devfs_ruleset must be integer." ;;
+ esac
+ if [ -r $_fstab ]; then
+ echo " mount.fstab = \"$_fstab\";"
+ fi
fi
- debug "$_j exec post-start #${i}: ${out}"
- i=$((i + 1))
- done
- i=0
- while : ; do
- eval out=\"\${_exec_prestop${i}:-''}\"
- if [ -z "$out" ]; then
- break
+ eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}}
+ if checkyesno jail_${_j}_fdescfs_enable; then
+ echo " mount += " \
+ "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";"
fi
- debug "$_j exec pre-stop #${i}: ${out}"
- i=$((i + 1))
- done
-
- debug "$_j exec stop: $_exec_stop"
-
- i=0
- while : ; do
- eval out=\"\${_exec_poststop${i}:-''}\"
- if [ -z "$out" ]; then
- break
+ eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}}
+ if checkyesno jail_${_j}_procfs_enable; then
+ echo " mount += " \
+ "\"procfs ${_rootdir%/}/proc procfs rw 0 0\";"
fi
- debug "$_j exec post-stop #${i}: ${out}"
- i=$((i + 1))
- done
-
- debug "$_j flags: $_flags"
- debug "$_j consolelog: $_consolelog"
- debug "$_j parameters: $_parameters"
- if [ -z "${_hostname}" ]; then
- err 3 "$name: No hostname has been defined for ${_j}"
- fi
- if [ -z "${_rootdir}" ]; then
- err 3 "$name: No root directory has been defined for ${_j}"
- fi
-}
+ echo " ${_parameters};"
-# set_sysctl rc_knob mib msg
-# If the mib sysctl is set according to what rc_knob
-# specifies, this function does nothing. However if
-# rc_knob is set differently than mib, then the mib
-# is set accordingly and msg is displayed followed by
-# an '=" sign and the word 'YES' or 'NO'.
-#
-set_sysctl()
-{
- _knob="$1"
- _mib="$2"
- _msg="$3"
-
- _current=`${SYSCTL} -n $_mib 2>/dev/null`
- if checkyesno $_knob ; then
- if [ "$_current" -ne 1 ]; then
- echo -n " ${_msg}=YES"
- ${SYSCTL} 1>/dev/null ${_mib}=1
- fi
- else
- if [ "$_current" -ne 0 ]; then
- echo -n " ${_msg}=NO"
- ${SYSCTL} 1>/dev/null ${_mib}=0
+ eval : \${jail_${_j}_mount_enable:=${jail_mount_enable:-NO}}
+ if checkyesno jail_${_j}_mount_enable; then
+ echo " allow.mount;" >> $_conf
fi
- fi
-}
-# is_current_mountpoint()
-# Is the directory mount point for a currently mounted file
-# system?
-#
-is_current_mountpoint()
-{
- local _dir _dir2
-
- _dir=$1
+ extract_var $_j set_hostname_allow allow.set_hostname YN NO
+ extract_var $_j sysvipc_allow allow.sysvipc YN NO
+ echo "}"
+ ) >> $_conf
- _dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
- [ ! -d "${_dir}" ] && return 1
- _dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
- [ "${_dir}" = "${_dir2}" ]
- return $?
+ return 0
}
-# is_symlinked_mountpoint()
-# Is a mount point, or any of its parent directories, a symlink?
-#
-is_symlinked_mountpoint()
-{
- local _dir
-
- _dir=$1
-
- [ -L "$_dir" ] && return 0
- [ "$_dir" = "/" ] && return 1
- is_symlinked_mountpoint `dirname $_dir`
- return $?
-}
-
-# secure_umount
-# Try to unmount a mount point without being vulnerable to
-# symlink attacks.
-#
-secure_umount()
-{
- local _dir
-
- _dir=$1
-
- if is_current_mountpoint ${_dir}; then
- umount -f ${_dir} >/dev/null 2>&1
- else
- debug "Nothing mounted on ${_dir} - not unmounting"
- fi
-}
-
-
-# jail_umount_fs
-# This function unmounts certain special filesystems in the
-# currently selected jail. The caller must call the init_variables()
-# routine before calling this one.
-#
-jail_umount_fs()
-{
- local _device _mountpt _rest
-
- if checkyesno _fdescfs; then
- if [ -d "${_fdescdir}" ] ; then
- secure_umount ${_fdescdir}
- fi
- fi
- if checkyesno _devfs; then
- if [ -d "${_devdir}" ] ; then
- secure_umount ${_devdir}
- fi
- fi
- if checkyesno _procfs; then
- if [ -d "${_procdir}" ] ; then
- secure_umount ${_procdir}
- fi
- fi
- if checkyesno _mount; then
- [ -f "${_fstab}" ] || warn "${_fstab} does not exist"
- tail -r ${_fstab} | while read _device _mountpt _rest; do
- case ":${_device}" in
- :#* | :)
- continue
- ;;
- esac
- secure_umount ${_mountpt}
- done
- fi
-}
-
-# jail_mount_fstab()
-# Mount file systems from a per jail fstab while trying to
-# secure against symlink attacks at the mount points.
-#
-# If we are certain we cannot secure against symlink attacks we
-# do not mount all of the file systems (since we cannot just not
-# mount the file system with the problematic mount point).
-#
-# The caller must call the init_variables() routine before
-# calling this one.
-#
-jail_mount_fstab()
-{
- local _device _mountpt _rest
-
- while read _device _mountpt _rest; do
- case ":${_device}" in
- :#* | :)
- continue
- ;;
- esac
- if is_symlinked_mountpoint ${_mountpt}; then
- warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
- return
- fi
- done <${_fstab}
- mount -a -F "${_fstab}"
-}
-
-# jail_show_addresses jail
-# Debug print the input for the given _multi aliases
-# for a jail for init_variables().
-#
-jail_show_addresses()
-{
- local _j _type alias
- _j="$1"
- alias=0
-
- if [ -z "${_j}" ]; then
- warn "jail_show_addresses: you must specify a jail"
- return
- fi
-
- while : ; do
- eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
- if [ -n "${_addr}" ]; then
- debug "${_j} ip_multi${alias}: $_addr"
- alias=$((${alias} + 1))
- else
- break
- fi
- done
-}
-
-# jail_extract_address argument
+# jail_extract_address argument iface
# The second argument is the string from one of the _ip
# or the _multi variables. In case of a comma separated list
# only one argument must be passed in at a time.
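Review bot: `_ruleset` is read by the `case` at L1231 but nothing in this hunk assigns it — the only assignment is the removed `eval _ruleset=...` line — so unless it is set earlier in parse_options outside the hunk, the `""` arm is always taken and a configured `jail_<name>_devfs_ruleset` is silently left out of the generated file; an `eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"` just before the `case` would restore it. The alias loop at L1180 reads `jail_${_jail}_ip_multi${alias}` while the rest of the function keys on `_j`; this only works while the caller's loop variable happens to equal `_j`, so it should read `eval _x=\"\$jail_${_j}_ip_multi${alias}\"`. `[ -r $_fstab ]` at L1242 is unquoted, unlike the `-r "$jail_conf"` test earlier in the same function, and `echo " allow.mount;" >> $_conf` at L1315 redirects again inside a subshell whose whole output already goes to `>> $_conf` at L1331. The enclosing function starts before this hunk.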
@@ -382,8 +258,9 @@ jail_show_addresses()
#
jail_extract_address()
{
- local _i
+ local _i _interface
_i=$1
+ _interface=$2
if [ -z "${_i}" ]; then
warn "jail_extract_address: called without input"
@@ -439,21 +316,21 @@ jail_extract_address()
_mask=${_mask:-/32}
elif [ "${_type}" = "inet6" ]; then
- # In case _maske is not set for IPv6, use /128.
- _mask=${_mask:-/128}
+ # In case _maske is not set for IPv6, use /64.
+ _mask=${_mask:-/64}
fi
}
-# jail_handle_ips_option {add,del} input
+# jail_handle_ips_option input iface
# Handle a single argument imput which can be a comma separated
# list of addresses (theoretically with an option interface and
# prefix/netmask/prefixlen).
#
jail_handle_ips_option()
{
- local _x _action _type _i
- _action=$1
- _x=$2
+ local _x _type _i _iface
+ _x=$1
+ _iface=$2
if [ -z "${_x}" ]; then
# No IP given. This can happen for the primary address
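Review bot: The comment at L1484 keeps the `_maske` typo from the removed line and gives no reason for widening the IPv6 default prefix from /128 to /64; since `${_mask}` is now written verbatim into `ip6.addr` at L1565, this default decides the prefix jail(8) configures on the interface, which deserves one sentence, e.g. `# No prefix length given for IPv6: default to /64; pass /128 explicitly for a single host address.` jail_extract_address begins outside this hunk.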
@@ -468,294 +345,146 @@ jail_handle_ips_option()
*,*) # Extract the first argument and strip it off the list.
_i=`expr "${_x}" : '^\([^,]*\)'`
_x=`expr "${_x}" : "^[^,]*,\(.*\)"`
- ;;
+ ;;
*) _i=${_x}
_x=""
- ;;
+ ;;
esac
_type=""
- _iface=""
_addr=""
_mask=""
- jail_extract_address "${_i}"
+ jail_extract_address $_i $_iface
# make sure we got an address.
- case "${_addr}" in
+ case $_addr in
"") continue ;;
*) ;;
esac
# Append address to list of addresses for the jail command.
- case "${_type}" in
+ case $_type in
inet)
- case "${_addrl}" in
- "") _addrl="${_addr}" ;;
- *) _addrl="${_addrl},${_addr}" ;;
- esac
- ;;
+ echo " ip4.addr += \"${_addr}${_mask}\";"
+ ;;
inet6)
- case "${_addr6l}" in
- "") _addr6l="${_addr}" ;;
- *) _addr6l="${_addr6l},${_addr}" ;;
- esac
- ;;
- esac
-
- # Configure interface alias if requested by a given interface
- # and if we could correctly parse everything.
- case "${_iface}" in
- "") continue ;;
- esac
- case "${_type}" in
- inet) ;;
- inet6) ipv6_address_count=$((ipv6_address_count + 1)) ;;
- *) warn "Could not determine address family. Not going" \
- "to ${_action} address '${_addr}' for ${_jail}."
- continue
- ;;
- esac
- case "${_action}" in
- add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias
- ;;
- del) # When removing the IP, ignore the _mask.
- ifconfig ${_iface} ${_type} ${_addr} -alias
- ;;
+ echo " ip6.addr += \"${_addr}${_mask}\";"
+ need_dad_wait=1
+ ;;
esac
done
}
-# jail_ips {add,del}
-# Extract the comma separated list of addresses and return them
-# for the jail command.
-# Handle more than one address via the _multi option as well.
-# If an interface is given also add/remove an alias for the
-# address with an optional netmask.
-#
-jail_ips()
+jail_config()
{
- local _action
- _action=$1
-
- case "${_action}" in
- add) ;;
- del) ;;
- *) warn "jail_ips: invalid action '${_action}'"
- return
- ;;
+ case $1 in
+ _ALL) return ;;
esac
-
- # Handle addresses.
- ipv6_address_count=0
- jail_handle_ips_option ${_action} "${_ip}"
- # Handle jail_xxx_ip_multi<N>
- alias=0
- while : ; do
- eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
- case "${_x}" in
- "") break ;;
- *) jail_handle_ips_option ${_action} "${_x}"
- alias=$((${alias} + 1))
- ;;
- esac
+ for _jail in $@; do
+ if parse_options $_jail; then
+ echo "$_jail: parameters are in $_conf."
+ fi
done
- case ${ipv6_address_count} in
- 0) ;;
- *) # Sleep 1 second to let DAD complete before starting services.
- sleep 1
- ;;
+}
+
+jail_console()
+{
+ # One argument that is not _ALL.
+ case $#:$1 in
+ 1:_ALL) err 3 "Specify a jail name." ;;
+ 1:*) ;;
+ *) err 3 "Specify a jail name." ;;
esac
+ eval _cmd=\${jail_$1_consolecmd:-$jail_consolecmd}
+ $jail_jexec $1 $_cmd
}
-jail_prestart()
+jail_status()
{
- if checkyesno jail_parallel_start; then
- command_args='&'
- fi
+
+ $jail_jls -N
}
jail_start()
{
- echo -n 'Configuring jails:'
- set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
- set_hostname_allow
- set_sysctl jail_socket_unixiproute_only \
- security.jail.socket_unixiproute_only unixiproute_only
- set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
- sysvipc_allow
- echo '.'
-
+ if [ $# = 0 ]; then
+ return
+ fi
echo -n 'Starting jails:'
- _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
- err 3 "$name: Can't create temp dir, exiting..."
- for _jail in ${jail_list}
- do
- init_variables $_jail
- if [ -f /var/run/jail_${_jail}.id ]; then
- echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
- continue;
- fi
- _addrl=""
- _addr6l=""
- jail_ips "add"
- if [ -n "${_fib}" ]; then
- _setfib="setfib -F '${_fib}'"
+ case $1 in
+ _ALL)
+ echo -n ' '
+ command=$jail_program
+ rc_flags=$jail_flags
+ command_args="-f $jail_conf -c"
+ $command $rc_flags $command_args "*"
+ echo '.'
+ return
+ ;;
+ esac
+ _tmp=`mktemp -t jail` || exit 3
+ for _jail in $@; do
+ parse_options $_jail || continue
+
+ eval rc_flags=\${jail_${_j}_flags:-$jail_flags}
+ eval command=\${jail_${_j}_program:-$jail_program}
+ if checkyesno jail_parallel_start; then
+ command_args="-i -f $_conf -c $_jail &"
else
- _setfib=""
- fi
- if checkyesno _mount; then
- info "Mounting fstab for jail ${_jail} (${_fstab})"
- if [ ! -f "${_fstab}" ]; then
- err 3 "$name: ${_fstab} does not exist"
- fi
- jail_mount_fstab
- fi
- if checkyesno _devfs; then
- # If devfs is already mounted here, skip it.
- df -t devfs "${_devdir}" >/dev/null
- if [ $? -ne 0 ]; then
- if is_symlinked_mountpoint ${_devdir}; then
- warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
- continue
- fi
- info "Mounting devfs on ${_devdir}"
- devfs_mount_jail "${_devdir}" ${_ruleset}
- # Transitional symlink for old binaries
- if [ ! -L "${_devdir}/log" ]; then
- ln -sf ../var/run/log "${_devdir}/log"
- fi
- fi
-
- # XXX - It seems symlinks don't work when there
- # is a devfs(5) device of the same name.
- # Jail console output
- # __pwd="`pwd`"
- # cd "${_devdir}"
- # ln -sf ../var/log/console console
- # cd "$__pwd"
- fi
- if checkyesno _fdescfs; then
- if is_symlinked_mountpoint ${_fdescdir}; then
- warn "${_fdescdir} has symlink as parent, not mounting"
- else
- info "Mounting fdescfs on ${_fdescdir}"
- mount -t fdescfs fdesc "${_fdescdir}"
- fi
- fi
- if checkyesno _procfs; then
- if is_symlinked_mountpoint ${_procdir}; then
- warn "${_procdir} has symlink as parent, not mounting"
- else
- info "Mounting procfs onto ${_procdir}"
- if [ -d "${_procdir}" ] ; then
- mount -t procfs proc "${_procdir}"
- fi
- fi
+ command_args="-i -f $_conf -c $_jail"
fi
- _tmp_jail=${_tmp_dir}/jail.$$
-
- i=0
- while : ; do
- eval out=\"\${_exec_prestart${i}:-''}\"
- [ -z "$out" ] && break
- ${out}
- i=$((i + 1))
- done
-
- eval ${_setfib} jail -n ${_jail} ${_flags} -i -c path=${_rootdir} host.hostname=${_hostname} \
- ${_addrl:+ip4.addr=\"${_addrl}\"} ${_addr6l:+ip6.addr=\"${_addr6l}\"} \
- ${_parameters} command=${_exec_start} > ${_tmp_jail} 2>&1 \
- </dev/null
-
- if [ "$?" -eq 0 ] ; then
- _jail_id=$(head -1 ${_tmp_jail})
- i=1
- while : ; do
- eval out=\"\${_exec_afterstart${i}:-''}\"
-
- if [ -z "$out" ]; then
- break;
- fi
-
- jexec "${_jail_id}" ${out}
- i=$((i + 1))
- done
-
- echo -n " $_hostname"
- tail +2 ${_tmp_jail} >${_consolelog}
- echo ${_jail_id} > /var/run/jail_${_jail}.id
-
- i=0
- while : ; do
- eval out=\"\${_exec_poststart${i}:-''}\"
- [ -z "$out" ] && break
- ${out}
- i=$((i + 1))
- done
+ if $command $rc_flags $command_args \
+ >> $_tmp 2>&1 </dev/null; then
+ echo -n " ${_hostname:-${_jail}}"
else
- jail_umount_fs
- jail_ips "del"
- echo " cannot start jail \"${_jail}\": "
- tail +2 ${_tmp_jail}
+ echo " cannot start jail \"${_hostname:-${jail}}\": "
+ tail +2 $_tmp
fi
- rm -f ${_tmp_jail}
+ rm -f $_tmp
done
- rmdir ${_tmp_dir}
echo '.'
}
jail_stop()
{
+ if [ $# = 0 ]; then
+ return
+ fi
echo -n 'Stopping jails:'
- for _jail in ${jail_list}
- do
- if [ -f "/var/run/jail_${_jail}.id" ]; then
- _jail_id=$(cat /var/run/jail_${_jail}.id)
- if [ ! -z "${_jail_id}" ]; then
- init_variables $_jail
-
- i=0
- while : ; do
- eval out=\"\${_exec_prestop${i}:-''}\"
- [ -z "$out" ] && break
- ${out}
- i=$((i + 1))
- done
-
- if [ -n "${_exec_stop}" ]; then
- eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \
- >> ${_consolelog} 2>&1
- fi
- killall -j ${_jail_id} -TERM > /dev/null 2>&1
- sleep 1
- killall -j ${_jail_id} -KILL > /dev/null 2>&1
- jail_umount_fs
- echo -n " $_hostname"
-
- i=0
- while : ; do
- eval out=\"\${_exec_poststop${i}:-''}\"
- [ -z "$out" ] && break
- ${out}
- i=$((i + 1))
- done
- fi
- jail_ips "del"
- rm /var/run/jail_${_jail}.id
- else
- echo " cannot stop jail ${_jail}. No jail id in /var/run"
+ case $1 in
+ _ALL)
+ echo -n ' '
+ command=$jail_program
+ rc_flags=$jail_flags
+ command_args="-f $jail_conf -r"
+ $command $rc_flags $command_args "*"
+ echo '.'
+ return
+ ;;
+ esac
+ for _jail in $@; do
+ parse_options $_jail || continue
+ eval command=\${jail_${_j}_program:-$jail_program}
+ if $command -q -f $_conf -r $_jail; then
+ echo -n " ${_hostname:-${_jail}}"
fi
done
echo '.'
}
+jail_warn()
+{
+
+ # To relieve confusion, show a warning message.
+ case $_confwarn in
+ 1) warn "Per-jail configuration via jail_* variables " \
+ "is obsolete. Please consider to migrate to $jail_conf."
+ ;;
+ esac
+}
+
load_rc_config $name
-cmd="$1"
-if [ $# -gt 0 ]; then
- shift
-fi
-if [ -n "$*" ]; then
- jail_list="$*"
-fi
-
-run_rc_command "${cmd}"
+case $# in
+1) run_rc_command $@ ${jail_list:-_ALL} ;;
+*) run_rc_command $@ ;;
+esac
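Review bot: `_tmp` created by `mktemp -t jail` at L1679 is removed inside the loop at L1792, so from the second jail on `>> $_tmp` at L1781 re-creates a path that no longer exists through an ordinary redirection, losing the safe-creation property mktemp provided and leaving the file mode to the umask; keep `rm -f $_tmp` after `done` and truncate per iteration with `: > $_tmp`, or call mktemp inside the loop. The `&` embedded in `command_args` at L1686 reaches `$command` at L1780 as a literal argument, since nothing there uses `eval`, so the parallel-start branch does not actually background anything. The error message at L1788 expands `${jail}` where `${_jail}` is meant, so a jail without a hostname is reported with an empty name, and `|| exit 3` at L1679 bypasses `err` and its diagnostic, which the removed code used.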
diff --git a/etc/rc.d/local_unbound b/etc/rc.d/local_unbound
new file mode 100755
index 0000000..ed69c19
--- /dev/null
+++ b/etc/rc.d/local_unbound
@@ -0,0 +1,91 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: local_unbound
+# REQUIRE: FILESYSTEMS netif resolv
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="local_unbound"
+desc="local caching forwarding resolver"
+rcvar="local_unbound_enable"
+
+command="/usr/sbin/unbound"
+extra_commands="anchor configtest reload setup"
+start_precmd="local_unbound_prestart"
+reload_precmd="local_unbound_configtest"
+anchor_cmd="local_unbound_anchor"
+configtest_cmd="local_unbound_configtest"
+setup_cmd="local_unbound_setup"
+pidfile="/var/run/${name}.pid"
+
+: ${local_unbound_workdir:=/var/unbound}
+: ${local_unbound_config:=${local_unbound_workdir}/unbound.conf}
+: ${local_unbound_flags:=-c${local_unbound_config}}
+: ${local_unbound_forwardconf:=${local_unbound_workdir}/forward.conf}
+: ${local_unbound_anchor:=${local_unbound_workdir}/root.key}
+: ${local_unbound_forwarders:=}
+
+load_rc_config $name
+
+do_as_unbound()
+{
+ echo "$@" | su -m unbound
+}
+
+#
+# Retrieve or update the DNSSEC root anchor
+#
+local_unbound_anchor()
+{
+ do_as_unbound /usr/sbin/unbound-anchor -a ${local_unbound_anchor}
+ # we can't trust the exit code - check if the file exists
+ [ -f ${local_unbound_anchor} ]
+}
+
+#
+# Check the unbound configuration file
+#
+local_unbound_configtest()
+{
+ do_as_unbound /usr/sbin/unbound-checkconf ${local_unbound_config}
+}
+
+#
+# Create the unbound configuration file and update resolv.conf to
+# point to unbound.
+#
+local_unbound_setup()
+{
+ echo "Performing initial setup."
+ /usr/sbin/local-unbound-setup -n \
+ -u unbound \
+ -w ${local_unbound_workdir} \
+ -c ${local_unbound_config} \
+ -f ${local_unbound_forwardconf} \
+ -a ${local_unbound_anchor} \
+ ${local_unbound_forwarders}
+}
+
+#
+# Before starting, check that the configuration file and root anchor
+# exist. If not, attempt to generate them.
+#
+local_unbound_prestart()
+{
+ # Create configuration file
+ if [ ! -f ${local_unbound_config} ] ; then
+ run_rc_command setup
+ fi
+
+ # Retrieve DNSSEC root key
+ if [ ! -f ${local_unbound_anchor} ] ; then
+ run_rc_command anchor
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
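Review bot: `do_as_unbound` at L1924 hands its arguments to `su -m unbound` on stdin, where the unbound user's shell re-parses them, so `${local_unbound_anchor}` at L1934 and `${local_unbound_config}` at L1944 are word-split and glob-expanded a second time and quoting them at the call site would not survive the round trip; either document the restriction — `# Arguments are re-parsed by a shell running as unbound; paths must not contain whitespace or shell metacharacters.` — or pass the command as argv rather than as text. `-m` also keeps the invoking root environment for that shell, which is worth a comment if intended. `load_rc_config $name` is run twice, at L1922 and again at L1980; the second call is redundant.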
diff --git a/etc/rc.d/netif b/etc/rc.d/netif
index 7aac42d..daece80 100755
--- a/etc/rc.d/netif
+++ b/etc/rc.d/netif
@@ -39,7 +39,9 @@ stop_cmd="network_stop"
cloneup_cmd="clone_up"
clonedown_cmd="clone_down"
clear_cmd="doclear"
-extra_commands="cloneup clonedown clear"
+vnetup_cmd="vnet_up"
+vnetdown_cmd="vnet_down"
+extra_commands="cloneup clonedown clear vnetup vnetdown"
cmdifn=
set_rcvar_obsolete ipv6_enable ipv6_activate_all_interfaces
@@ -72,7 +74,7 @@ network_start()
ifnet_rename $cmdifn
# Configure the interface(s).
- network_common ifn_start
+ network_common ifn_start $cmdifn
if [ -f /etc/rc.d/ipfilter ] ; then
# Resync ipfilter
@@ -109,7 +111,7 @@ network_stop0()
cmdifn=$*
# Deconfigure the interface(s)
- network_common ifn_stop
+ network_common ifn_stop $cmdifn
# Destroy cloned interfaces
if [ -n "$_clone_down" ]; then
@@ -123,13 +125,27 @@ network_stop0()
fi
}
+vnet_up()
+{
+ cmdifn=$*
+
+ network_common ifn_vnetup $cmdifn
+}
+
+vnet_down()
+{
+ cmdifn=$*
+
+ network_common ifn_vnetdown $cmdifn
+}
+
# network_common routine
# Common configuration subroutine for network interfaces. This
# routine takes all the preparatory steps needed for configuriing
# an interface and then calls $routine.
network_common()
{
- local _cooked_list _fail _func _ok _str
+ local _cooked_list _tmp_list _fail _func _ok _str _cmdifn
_func=
@@ -137,26 +153,45 @@ network_common()
err 1 "network_common(): No function name specified."
else
_func="$1"
+ shift
fi
# Set the scope of the command (all interfaces or just one).
#
_cooked_list=
- if [ -n "$cmdifn" ]; then
+ _tmp_list=
+ _cmdifn=$*
+ if [ -n "$_cmdifn" ]; then
# Don't check that the interface(s) exist. We need to run
# the down code even when the interface doesn't exist to
# kill off wpa_supplicant.
# XXXBED: is this really true or does wpa_supplicant die?
# if so, we should get rid of the devd entry
- _cooked_list="$cmdifn"
+ _cooked_list="$_cmdifn"
else
_cooked_list="`list_net_interfaces`"
fi
+ # Expand epair[0-9] to epair[0-9][ab].
+ for ifn in $_cooked_list; do
+ case ${ifn#epair} in
+ [0-9]*[ab]) ;; # Skip epair[0-9]*[ab].
+ [0-9]*)
+ for _str in $_cooked_list; do
+ case $_str in
+ $ifn) _tmp_list="$_tmp_list ${ifn}a ${ifn}b" ;;
+ *) _tmp_list="$_tmp_list ${ifn}" ;;
+ esac
+ done
+ _cooked_list=${_tmp_list# }
+ ;;
+ esac
+ done
+
_dadwait=
_fail=
_ok=
- for ifn in ${_cooked_list}; do
+ for ifn in ${_cooked_list# }; do
# Skip if ifn does not exist.
case $_func in
ifn_stop)
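Review bot: `_tmp_list` is cleared once at L2046 but never reset inside the `[0-9]*)` arm at L2063, so when `_cooked_list` holds more than one bare `epairN` the second pass appends to the first pass's list and `_cooked_list` ends up with duplicated entries (and the bare `epair1` survives alongside `epair1a epair1b`); add `_tmp_list=` as the first statement of that arm, before the inner `for`. The inner `case $_str in $ifn)` matches by glob pattern, which is harmless for interface names but `"$ifn")` makes the intent explicit. network_common continues outside this hunk.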
@@ -179,7 +214,7 @@ network_common()
# inet6 address configuration needs sleep for DAD.
case ${_func}:${_dadwait} in
- ifn_start:1)
+ ifn_start:1|ifn_vnetup:1|ifn_vnetdown:1)
sleep `${SYSCTL_N} net.inet6.ip6.dad_count`
sleep 1
;;
@@ -190,12 +225,25 @@ network_common()
case ${_func} in
ifn_start)
_str='Starting'
- ;;
+ ;;
ifn_stop)
_str='Stopping'
- ;;
+ ;;
+ ifn_vnetup)
+ _str='Moving'
+ ;;
+ ifn_vnetdown)
+ _str='Reclaiming'
+ ;;
esac
echo "${_str} Network:${_ok}."
+ case ${_func} in
+ ifn_vnetup)
+ # Clear _ok not to do "ifconfig $ifn"
+ # because $ifn is no longer in the current vnet.
+ _ok=
+ ;;
+ esac
if check_startmsgs; then
for ifn in ${_ok}; do
/sbin/ifconfig ${ifn}
diff --git a/etc/rc.d/sendmail b/etc/rc.d/sendmail
index 7c3f660..712bb3e 100755
--- a/etc/rc.d/sendmail
+++ b/etc/rc.d/sendmail
@@ -80,20 +80,17 @@ required_files=
if checkyesno sendmail_submit_enable; then
name="sendmail_submit"
rcvar="sendmail_submit_enable"
- start_cmd="${command} ${sendmail_submit_flags}"
run_rc_command "$1"
fi
if checkyesno sendmail_outbound_enable; then
name="sendmail_outbound"
rcvar="sendmail_outbound_enable"
- start_cmd="${command} ${sendmail_outbound_flags}"
run_rc_command "$1"
fi
-name="sendmail_clientmqueue"
+name="sendmail_msp_queue"
rcvar="sendmail_msp_queue_enable"
-start_cmd="${command} ${sendmail_msp_queue_flags}"
-pidfile="${sendmail_mspq_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
+pidfile="${sendmail_msp_queue_pidfile:-/var/spool/clientmqueue/sm-client.pid}"
required_files="/etc/mail/submit.cf"
run_rc_command "$1"
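Review bot: The rename of `sendmail_mspq_pidfile` to `sendmail_msp_queue_pidfile` at L2140-2141 drops the old knob silently, so an existing rc.conf setting of the old name is ignored without any diagnostic; `set_rcvar_obsolete sendmail_mspq_pidfile sendmail_msp_queue_pidfile` (the helper netif uses at L1995 in this same diff) or a fallback `${sendmail_msp_queue_pidfile:-${sendmail_mspq_pidfile:-/var/spool/clientmqueue/sm-client.pid}}` would warn or keep it working. Changing `name` to `sendmail_msp_queue` at L2137 likewise changes which `*_flags` and `*_program` variables run_rc_command looks up, which deserves a comment so the old name's settings are not assumed to carry over.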
diff --git a/etc/rc.d/sshd b/etc/rc.d/sshd
index 490a1c7..5ad1b10 100755
--- a/etc/rc.d/sshd
+++ b/etc/rc.d/sshd
@@ -14,80 +14,59 @@ rcvar="sshd_enable"
command="/usr/sbin/${name}"
keygen_cmd="sshd_keygen"
start_precmd="sshd_precmd"
-reload_precmd="sshd_precmd"
-restart_precmd="sshd_precmd"
+reload_precmd="sshd_configtest"
+restart_precmd="sshd_configtest"
configtest_cmd="sshd_configtest"
pidfile="/var/run/${name}.pid"
extra_commands="configtest keygen reload"
-timeout=300
+: ${sshd_rsa1_enable:="yes"}
+: ${sshd_rsa_enable:="yes"}
+: ${sshd_dsa_enable:="yes"}
+: ${sshd_ecdsa_enable:="yes"}
-user_reseed()
+sshd_keygen_alg()
{
- (
- seeded=`sysctl -n kern.random.sys.seeded 2>/dev/null`
- if [ "x${seeded}" != "x" ] && [ ${seeded} -eq 0 ] ; then
- warn "Setting entropy source to blocking mode."
- echo "===================================================="
- echo "Type a full screenful of random junk to unblock"
- echo "it and remember to finish with <enter>. This will"
- echo "timeout in ${timeout} seconds, but waiting for"
- echo "the timeout without typing junk may make the"
- echo "entropy source deliver predictable output."
- echo ""
- echo "Just hit <enter> for fast+insecure startup."
- echo "===================================================="
- sysctl kern.random.sys.seeded=0 2>/dev/null
- read -t ${timeout} junk
- echo "${junk}" `sysctl -a` `date` > /dev/random
+ local alg=$1
+ local ALG="$(echo $alg | tr a-z A-Z)"
+ local keyfile
+
+ if ! checkyesno "sshd_${alg}_enable" ; then
+ return 0
fi
- )
-}
-sshd_keygen()
-{
- (
- umask 022
+ case $alg in
+ rsa1)
+ keyfile="/etc/ssh/ssh_host_key"
+ ;;
+ rsa|dsa|ecdsa)
+ keyfile="/etc/ssh/ssh_host_${alg}_key"
+ ;;
+ *)
+ return 1
+ ;;
+ esac
- # Can't do anything if ssh is not installed
- [ -x /usr/bin/ssh-keygen ] || {
+ if [ ! -x /usr/bin/ssh-keygen ] ; then
warn "/usr/bin/ssh-keygen does not exist."
return 1
- }
-
- if [ -f /etc/ssh/ssh_host_key ]; then
- echo "You already have an RSA host key" \
- "in /etc/ssh/ssh_host_key"
- echo "Skipping protocol version 1 RSA Key Generation"
- else
- /usr/bin/ssh-keygen -t rsa1 -b 1024 \
- -f /etc/ssh/ssh_host_key -N ''
- fi
-
- if [ -f /etc/ssh/ssh_host_dsa_key ]; then
- echo "You already have a DSA host key" \
- "in /etc/ssh/ssh_host_dsa_key"
- echo "Skipping protocol version 2 DSA Key Generation"
- else
- /usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
fi
- if [ -f /etc/ssh/ssh_host_rsa_key ]; then
- echo "You already have an RSA host key" \
- "in /etc/ssh/ssh_host_rsa_key"
- echo "Skipping protocol version 2 RSA Key Generation"
+ if [ -f "${keyfile}" ] ; then
+ info "$ALG host key exists."
else
- /usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
+ echo "Generating $ALG host key."
+ /usr/bin/ssh-keygen -q -t $alg -f "$keyfile" -N ""
+ /usr/bin/ssh-keygen -l -f "$keyfile.pub"
fi
+}
- if [ -f /etc/ssh/ssh_host_ecdsa_key ]; then
- echo "You already have an ECDSA host key" \
- "in /etc/ssh/ssh_host_ecdsa_key"
- echo "Skipping protocol version 2 ECDSA Key Generation"
- else
- /usr/bin/ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
- fi
- )
+sshd_keygen()
+{
+ sshd_keygen_alg rsa1
+ sshd_keygen_alg rsa
+ sshd_keygen_alg dsa
+ sshd_keygen_alg ecdsa
}
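Review bot: The removed `user_reseed` block was the only check that the random device was seeded before host keys were generated, and `sshd_keygen` at L2251 now calls `sshd_keygen_alg` with no replacement; if this relies on the random device blocking until seeded on this branch, a comment at `sshd_keygen` saying so (`# No explicit entropy check: the random device blocks until it is seeded.`) would keep that reasoning visible to the next reader. `sshd_rsa1_enable` defaults to `yes` at L2160, so a protocol-1 host key is created on every fresh system regardless of whether sshd is configured for protocol 1; defaulting it to `no` would avoid generating key material only that protocol needs. In `sshd_keygen_alg`, `ssh-keygen -l` at L2240 runs even when generation at L2239 failed, and the `*) return 1` arm at L2203-2205 fails silently; `&&` between the two commands and a `warn "unknown key type $alg"` in the default arm would surface both.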
sshd_configtest()
@@ -98,14 +77,8 @@ sshd_configtest()
sshd_precmd()
{
- if [ ! -f /etc/ssh/ssh_host_key -o \
- ! -f /etc/ssh/ssh_host_dsa_key -o \
- ! -f /etc/ssh/ssh_host_ecdsa_key -o \
- ! -f /etc/ssh/ssh_host_rsa_key ]; then
- user_reseed
- run_rc_command keygen
- fi
- sshd_configtest
+ run_rc_command keygen
+ run_rc_command configtest
}
load_rc_config $name
diff --git a/etc/rc.subr b/etc/rc.subr
index bce2257..152b70e 100644
--- a/etc/rc.subr
+++ b/etc/rc.subr
@@ -546,6 +546,8 @@ check_startmsgs()
#
# rcvar Display what rc.conf variable is used (if any).
#
+# enabled Return true if the service is enabled.
+#
# Variables available to methods, and after run_rc_command() has
# completed:
#
@@ -614,7 +616,7 @@ run_rc_command()
eval _override_command=\$${name}_program
command=${_override_command:-$command}
- _keywords="start stop restart rcvar $extra_commands"
+ _keywords="start stop restart rcvar enabled $extra_commands"
rc_pid=
_pidcmd=
_procname=${procname:-${command}}
@@ -635,6 +637,11 @@ run_rc_command()
rc_usage $_keywords
fi
+ if [ "$rc_arg" = "enabled" ] ; then
+ checkyesno ${rcvar}
+ return $?
+ fi
+
if [ -n "$flags" ]; then # allow override from environment
rc_flags=$flags
else
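Review bot: `checkyesno ${rcvar}` at L2299 is invoked with no argument when `rcvar` is empty, which is the case for scripts that define no rc variable, so `enabled` on such a script falls through to checkyesno's handling of an empty name rather than giving a defined answer; `[ -n "$rcvar" ] && checkyesno "$rcvar"` (returning 1 otherwise) and dropping the redundant `return $?` would make the keyword match its description at L2282. run_rc_command continues outside this hunk.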
@@ -1456,28 +1463,6 @@ devfs_domount()
return 0
}
-# devfs_mount_jail dir [ruleset]
-# Mounts a devfs file system appropriate for jails
-# on the directory dir. If ruleset is specified, the ruleset
-# it names will be used instead. If present, ruleset must
-# be the name of a ruleset as defined in a devfs.rules(5) file.
-# This function returns non-zero if an error occurs.
-#
-devfs_mount_jail()
-{
- local jdev rs _me
- jdev="$1"
- [ -n "$2" ] && rs=$2 || rs="devfsrules_jail"
- _me="devfs_mount_jail"
-
- devfs_init_rulesets
- if ! devfs_domount "$jdev" $rs; then
- warn "$_me: devfs was not mounted on $jdev"
- return 1
- fi
- return 0
-}
-
# Provide a function for normalizing the mounting of memory
# filesystems. This should allow the rest of the code here to remain
# as close as possible between 5-current and 4-stable.