author | hrs <hrs@FreeBSD.org> | 2013-10-12 17:46:13 +0000 |
---|---|---|
committer | hrs <hrs@FreeBSD.org> | 2013-10-12 17:46:13 +0000 |
commit | 2a6361507410ac1bd935b61f13d48c2512bb6cc3 (patch) | |
tree | 0048bc06e3c532564c02909ee0434f7e88e55d3a /usr.sbin/jail | |
parent | 70d85b1cf39bf4f4d66a66b27b197046221e67f9 (diff) | |
MFC 256385:
- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.
- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.
Approved by: re (gjb)
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/command.c | 33 | ||||
-rw-r--r-- | usr.sbin/jail/config.c | 1 | ||||
-rw-r--r-- | usr.sbin/jail/jail.8 | 20 | ||||
-rw-r--r-- | usr.sbin/jail/jail.c | 2 | ||||
-rw-r--r-- | usr.sbin/jail/jailp.h | 1 |
5 files changed, 51 insertions, 6 deletions
diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c
index 452a079..04a4514 100644
--- a/usr.sbin/jail/command.c
+++ b/usr.sbin/jail/command.c
@@ -106,7 +106,12 @@ next_command(struct cfjail *j)
 case IP_MOUNT_DEVFS:
 if (!bool_param(j->intparams[IP_MOUNT_DEVFS]))
 continue;
- /* FALLTHROUGH */
+ j->comstring = &dummystring;
+ break;
+ case IP_MOUNT_FDESCFS:
+ if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
+ continue;
+ j->comstring = &dummystring;
 case IP__OP:
 case IP_STOP_TIMEOUT:
 j->comstring = &dummystring;
@@ -452,6 +457,32 @@ run_command(struct cfjail *j)
 }
 break;
 
+ case IP_MOUNT_FDESCFS:
+ argv = alloca(7 * sizeof(char *));
+ path = string_param(j->intparams[KP_PATH]);
+ if (path == NULL) {
+ jail_warnx(j, "mount.fdescfs: no path");
+ return -1;
+ }
+ devpath = alloca(strlen(path) + 8);
+ sprintf(devpath, "%s/dev/fd", path);
+ if (check_path(j, "mount.fdescfs", devpath, 0,
+ down ? "fdescfs" : NULL) < 0)
+ return -1;
+ if (down) {
+ *(const char **)&argv[0] = "/sbin/umount";
+ argv[1] = devpath;
+ argv[2] = NULL;
+ } else {
+ *(const char **)&argv[0] = _PATH_MOUNT;
+ *(const char **)&argv[1] = "-t";
+ *(const char **)&argv[2] = "fdescfs";
+ *(const char **)&argv[3] = ".";
+ argv[4] = devpath;
+ argv[5] = NULL;
+ }
+ break;
+
 case IP_COMMAND:
 if (j->name != NULL)
 goto default_command;
diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index a201f31..5796708 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -83,6 +83,7 @@ static const struct ipspec intparams[] = {
 #endif
 [IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV},
 [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
+ [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL},
 [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
 [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
 [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 88d69f9..4a16e9a 100644
--- a/usr.sbin/jail/jail.8
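Review bot: The new `case IP_MOUNT_FDESCFS:` arm in next_command assigns `j->comstring = &dummystring;` and then drops into `case IP__OP:` with neither a `break` nor a fall-through marker, while the sibling `IP_MOUNT_DEVFS` arm that this same hunk rewrote now ends in `break;`. Because the `IP__OP`/`IP_STOP_TIMEOUT` arm assigns the identical value, the assignment is redundant and the unmarked fall-through is exactly what the removed `/* FALLTHROUGH */` comment used to document for readers and compiler warnings. Either make the arm match its sibling, `j->comstring = &dummystring;` followed by `break;`, or drop the assignment and put `/* FALLTHROUGH */` back before `case IP__OP:`. The enclosing switch in next_command begins and ends outside the hunk.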
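Review bot: In the run_command hunk the unmount side hard-codes `"/sbin/umount"` while the mount side goes through `_PATH_MOUNT`; `<paths.h>` also provides `_PATH_UMOUNT`, so `*(const char **)&argv[0] = _PATH_UMOUNT;` would keep both argv[0] values symbolic, unless the mount.devfs arm above (outside the hunk) uses the same literal, in which case matching it is the stronger argument. The `devpath = alloca(strlen(path) + 8);` / `sprintf(devpath, "%s/dev/fd", path);` pair is sized exactly for the seven-character suffix plus the terminator, which is correct but only by arithmetic the reader has to redo; `snprintf(devpath, strlen(path) + sizeof "/dev/fd", "%s/dev/fd", path);` makes the bound visible in the call itself. The switch in run_command continues outside the hunk.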
+++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 23, 2013 +.Dd October 12, 2013 .Dt JAIL 8 .Os .Sh NAME @@ -682,7 +682,7 @@ to. An alias for each address will be added to the interface before the prison is created, and will be removed from the interface after the prison is removed. -.It Op Va ip4.addr +.It Va ip4.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a netmask may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask . @@ -691,7 +691,7 @@ will be added to that interface, as it is with the .Va interface parameter. If a netmask in either dotted-quad or CIDR form is given after IP address, it will be used when adding the IP alias. -.It Op Va ip6.addr +.It Va ip6.addr In addition to the IP addresses that are passed to the kernel, and interface and/or a prefix may also be specified, in the form .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix . @@ -722,11 +722,19 @@ An format file containing filesystems to mount before creating a jail. .It Va mount.devfs Mount a -.Xr devfs -filesystem on the chrooted /dev directory, and apply the ruleset in the +.Xr devfs 5 +filesystem on the chrooted +.Pa /dev +directory, and apply the ruleset in the .Va devfs_ruleset parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the prison. +.It Va mount.fdescfs +Mount a +.Xr fdescfs 5 +filesystem on the chrooted +.Pa /dev/fd +directory. .It Va allow.dying Allow making changes to a .Va dying @@ -1165,6 +1173,8 @@ environment of the first jail. .Xr ps 1 , .Xr quota 1 , .Xr jail_set 2 , +.Xr devfs 5 , +.Xr fdescfs 5 , .Xr jail.conf 5 , .Xr procfs 5 , .Xr rc.conf 5 , diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index 9930dbb..661c4ad 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c 
@@ -92,6 +92,7 @@ static const enum intparam startcommands[] = {
 IP_MOUNT,
 IP__MOUNT_FROM_FSTAB,
 IP_MOUNT_DEVFS,
+ IP_MOUNT_FDESCFS,
 IP_EXEC_PRESTART,
 IP__OP,
 IP_VNET_INTERFACE,
@@ -108,6 +109,7 @@ static const enum intparam stopcommands[] = {
 IP_STOP_TIMEOUT,
 IP__OP,
 IP_EXEC_POSTSTOP,
+ IP_MOUNT_FDESCFS,
 IP_MOUNT_DEVFS,
 IP__MOUNT_FROM_FSTAB,
 IP_MOUNT,
diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h
index 63995b2..3f89392 100644
--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -95,6 +95,7 @@ enum intparam {
 #endif
 IP_MOUNT, /* Mount points in fstab(5) form */
 IP_MOUNT_DEVFS, /* Mount /dev under prison root */
+ IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */
 IP_MOUNT_FSTAB, /* A standard fstab(5) file */
 IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
 IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */