Add libjail, a (somewhat) simpler interface to the jail_set and jail_get

system calls and the security.jail.param sysctls. Approved by: bz (mentor)
author: jamie <jamie@FreeBSD.org> 2009-06-24 18:18:35 +0000
committer: jamie <jamie@FreeBSD.org> 2009-06-24 18:18:35 +0000
commit: 7c0019fd3084503b16686588e9e052c1a6b6c371 (patch)
tree: a9cec75f7b2e1076b5455019e71bbc78faac9225 /usr.sbin/jail
parent: bd3587c757355e28ac6abbaf11703661599270bb (diff)
download: FreeBSD-src-7c0019fd3084503b16686588e9e052c1a6b6c371.zip
FreeBSD-src-7c0019fd3084503b16686588e9e052c1a6b6c371.tar.gz
2 files changed, 25 insertions, 184 deletions
diff --git a/usr.sbin/jail/Makefile b/usr.sbin/jail/Makefile
index e92ced0..74fd6c4 100644
--- a/usr.sbin/jail/Makefile
+++ b/usr.sbin/jail/Makefile
@@ -4,8 +4,8 @@
 
 PROG=	jail
 MAN=	jail.8
-DPADD=	${LIBUTIL}
-LDADD=	-lutil
+DPADD=	${LIBJAIL} ${LIBUTIL}
+LDADD=	-ljail -lutil
 
 WARNS?=	6
 
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index 9d9b979..666d034 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -32,7 +32,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/jail.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
-#include <sys/uio.h>
 
 #include <arpa/inet.h>
 #include <netinet/in.h>
@@ -41,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <err.h>
 #include <errno.h>
 #include <grp.h>
+#include <jail.h>
 #include <login_cap.h>
 #include <netdb.h>
 #include <paths.h>
@@ -50,15 +50,7 @@ __FBSDID("$FreeBSD$");
 #include <string.h>
 #include <unistd.h>
 
-#define	SJPARAM		"security.jail.param"
-#define	ERRMSG_SIZE	256
-
-struct param {
-	struct iovec name;
-	struct iovec value;
-};
-
-static struct param *params;
+static struct jailparam *params;
 static char **param_values;
 static int nparams;
 
@@ -113,7 +105,6 @@ int
 main(int argc, char **argv)
 {
 	login_cap_t *lcap = NULL;
-	struct iovec rparams[2];
 	struct passwd *pwd = NULL;
 	gid_t *groups;
 	size_t sysvallen;
@@ -121,8 +112,8 @@ main(int argc, char **argv)
 	int hflag, iflag, Jflag, lflag, rflag, uflag, Uflag;
 	long ngroups_max;
 	unsigned pi;
-	char *ep, *jailname, *securelevel, *username, *JidFile;
-	char errmsg[ERRMSG_SIZE], enforce_statfs[4];
+	char *jailname, *securelevel, *username, *JidFile;
+	char enforce_statfs[4];
 	static char *cleanenv;
 	const char *shell, *p = NULL;
 	FILE *fp;
@@ -176,16 +167,9 @@ main(int argc, char **argv)
 			jail_set_flags |= JAIL_UPDATE;
 			break;
 		case 'r':
-			jid = strtoul(optarg, &ep, 10);
-			if (!*optarg || *ep) {
-				*(const void **)&rparams[0].iov_base = "name";
-				rparams[0].iov_len = sizeof("name");
-				rparams[1].iov_base = optarg;
-				rparams[1].iov_len = strlen(optarg) + 1;
-				jid = jail_get(rparams, 2, 0);
-				if (jid < 0)
-					errx(1, "unknown jail: %s", optarg);
-			}
+			jid = jail_getid(optarg);
+			if (jid < 0)
+				errx(1, "%s", jail_errmsg);
 			rflag = 1;
 			break;
 		default:
@@ -280,21 +264,16 @@ main(int argc, char **argv)
 	if (ip6_addr != NULL)
 		set_param("ip6.addr", ip6_addr);
 #endif
-	errmsg[0] = 0;
-	set_param("errmsg", errmsg);
 
 	if (Jflag) {
 		fp = fopen(JidFile, "w");
 		if (fp == NULL)
 			errx(1, "Could not create JidFile: %s", JidFile);
 	}
-	jid = jail_set(&params->name, 2 * nparams,
+	jid = jailparam_set(params, nparams, 
 	    jail_set_flags ? jail_set_flags : JAIL_CREATE | JAIL_ATTACH);
-	if (jid < 0) {
-		if (errmsg[0] != '\0')
-			errx(1, "%s", errmsg);
-		err(1, "jail_set");
-	}
+	if (jid < 0)
+		errx(1, "%s", jail_errmsg);
 	if (iflag) {
 		printf("%d\n", jid);
 		fflush(stdout);
@@ -303,10 +282,9 @@ main(int argc, char **argv)
 		if (jail_set_flags) {
 			fprintf(fp, "jid=%d", jid);
 			for (i = 0; i < nparams; i++)
-				if (strcmp(params[i].name.iov_base, "jid") &&
-				    strcmp(params[i].name.iov_base, "errmsg")) {
+				if (strcmp(params[i].jp_name, "jid")) {
 					fprintf(fp, " %s",
-					    (char *)params[i].name.iov_base);
+					    (char *)params[i].jp_name);
 					if (param_values[i]) {
 						putc('=', fp);
 						quoted_print(fp,
@@ -316,19 +294,19 @@ main(int argc, char **argv)
 			fprintf(fp, "\n");
 		} else {
 			for (i = 0; i < nparams; i++)
-				if (!strcmp(params[i].name.iov_base, "path"))
+				if (!strcmp(params[i].jp_name, "path"))
 					break;
 #ifdef INET6
 			fprintf(fp, "%d\t%s\t%s\t%s%s%s\t%s\n",
 			    jid, i < nparams
-			    ? (char *)params[i].value.iov_base : argv[0],
+			    ? (char *)params[i].jp_value : argv[0],
 			    argv[1], ip4_addr ? ip4_addr : "",
 			    ip4_addr && ip4_addr[0] && ip6_addr && ip6_addr[0]
 			    ? "," : "", ip6_addr ? ip6_addr : "", argv[3]);
 #else
 			fprintf(fp, "%d\t%s\t%s\t%s\t%s\n",
 			    jid, i < nparams
-			    ? (char *)params[i].value.iov_base : argv[0],
+			    ? (char *)params[i].jp_value : argv[0],
 			    argv[1], ip4_addr ? ip4_addr : "", argv[3]);
 #endif
 		}
@@ -497,14 +475,8 @@ quoted_print(FILE *fp, char *str)
 static void
 set_param(const char *name, char *value)
 {
-	struct param *param;
-	char *ep, *p;
-	size_t buflen, mlen;
-	int i, nval, mib[CTL_MAXNAME];
-	struct {
-		int i;
-		char s[MAXPATHLEN];
-	} buf;
+	struct jailparam *param;
+	int i;
 
 	static int paramlistsize;
 
@@ -517,9 +489,10 @@ set_param(const char *name, char *value)
 
 	/* Check for repeat parameters */
 	for (i = 0; i < nparams; i++)
-		if (!strcmp(name, params[i].name.iov_base)) {
+		if (!strcmp(name, params[i].jp_name)) {
+			jailparam_free(params + i, 1);
 			memcpy(params + i, params + i + 1,
-			    (--nparams - i) * sizeof(struct param));
+			    (--nparams - i) * sizeof(struct jailparam));
 			break;
 		}
 
@@ -542,141 +515,9 @@ set_param(const char *name, char *value)
 	/* Look up the paramter. */
 	param_values[nparams] = value;
 	param = params + nparams++;
-	*(const void **)&param->name.iov_base = name;
-	param->name.iov_len = strlen(name) + 1;
-	/* Trivial values - no value or errmsg. */
-	if (value == NULL) {
-		param->value.iov_base = NULL;
-		param->value.iov_len = 0;
-		return;
-	}
-	if (!strcmp(name, "errmsg")) {
-		param->value.iov_base = value;
-		param->value.iov_len = ERRMSG_SIZE;
-		return;
-	}
-	mib[0] = 0;
-	mib[1] = 3;
-	snprintf(buf.s, sizeof(buf.s), SJPARAM ".%s", name);
-	mlen = sizeof(mib) - 2 * sizeof(int);
-	if (sysctl(mib, 2, mib + 2, &mlen, buf.s, strlen(buf.s)) < 0)
-		errx(1, "unknown parameter: %s", name);
-	mib[1] = 4;
-	buflen = sizeof(buf);
-	if (sysctl(mib, (mlen / sizeof(int)) + 2, &buf, &buflen, NULL, 0) < 0)
-		err(1, "sysctl(0.4.%s)", name);
-	/*
-	 * See if this is an array type.
-	 * Treat non-arrays as an array of one.
-	 */
-	p = strchr(buf.s, '\0');
-	nval = 1;
-	if (p - 2 >= buf.s && !strcmp(p - 2, ",a")) {
-		if (value[0] == '\0' ||
-		    (value[0] == '-' && value[1] == '\0')) {
-			param->value.iov_base = value;
-			param->value.iov_len = 0;
-			return;
-		}
-		p[-2] = 0;
-		for (p = strchr(value, ','); p; p = strchr(p + 1, ',')) {
-			*p = '\0';
-			nval++;
-		}
-	}
-	
-	/* Set the values according to the parameter type. */
-	switch (buf.i & CTLTYPE) {
-	case CTLTYPE_INT:
-	case CTLTYPE_UINT:
-		param->value.iov_len = nval * sizeof(int);
-		break;
-	case CTLTYPE_LONG:
-	case CTLTYPE_ULONG:
-		param->value.iov_len = nval * sizeof(long);
-		break;
-	case CTLTYPE_STRUCT:
-		if (!strcmp(buf.s, "S,in_addr"))
-			param->value.iov_len = nval * sizeof(struct in_addr);
-#ifdef INET6
-		else if (!strcmp(buf.s, "S,in6_addr"))
-			param->value.iov_len = nval * sizeof(struct in6_addr);
-#endif
-		else
-			errx(1, "%s: unknown parameter structure (%s)",
-			    name, buf.s);
-		break;
-	case CTLTYPE_STRING:
-		if (!strcmp(name, "path")) {
-			param->value.iov_base = malloc(MAXPATHLEN);
-			if (param->value.iov_base == NULL)
-				err(1, "malloc");
-			if (realpath(value, param->value.iov_base) == NULL)
-				err(1, "%s: realpath(%s)", name, value);
-			if (chdir(param->value.iov_base) != 0)
-				err(1, "chdir: %s",
-				    (char *)param->value.iov_base);
-		} else
-			param->value.iov_base = value;
-		param->value.iov_len = strlen(param->value.iov_base) + 1;
-		return;
-	default:
-		errx(1, "%s: unknown parameter type %d (%s)",
-		    name, buf.i, buf.s);
-	}
-	param->value.iov_base = malloc(param->value.iov_len);
-	for (i = 0; i < nval; i++) {
-		switch (buf.i & CTLTYPE) {
-		case CTLTYPE_INT:
-			((int *)param->value.iov_base)[i] =
-			    strtol(value, &ep, 10);
-			if (ep[0] != '\0')
-				errx(1, "%s: non-integer value \"%s\"",
-				    name, value);
-			break;
-		case CTLTYPE_UINT:
-			((unsigned *)param->value.iov_base)[i] =
-			    strtoul(value, &ep, 10);
-			if (ep[0] != '\0')
-				errx(1, "%s: non-integer value \"%s\"",
-				    name, value);
-			break;
-		case CTLTYPE_LONG:
-			((long *)param->value.iov_base)[i] =
-			    strtol(value, &ep, 10);
-			if (ep[0] != '\0')
-			    errx(1, "%s: non-integer value \"%s\"",
-				name, value);
-			break;
-		case CTLTYPE_ULONG:
-			((unsigned long *)param->value.iov_base)[i] =
-			    strtoul(value, &ep, 10);
-			if (ep[0] != '\0')
-			    errx(1, "%s: non-integer value \"%s\"",
-				name, value);
-			break;
-		case CTLTYPE_STRUCT:
-			if (!strcmp(buf.s, "S,in_addr")) {
-				if (inet_pton(AF_INET, value,
-				    &((struct in_addr *)
-				    param->value.iov_base)[i]) != 1)
-					errx(1, "%s: not an IPv4 address: %s",
-					    name, value);
-			}
-#ifdef INET6
-			else if (!strcmp(buf.s, "S,in6_addr")) {
-				if (inet_pton(AF_INET6, value,
-				    &((struct in6_addr *)
-				    param->value.iov_base)[i]) != 1)
-					errx(1, "%s: not an IPv6 address: %s",
-					    name, value);
-			}
-#endif
-		}
-		if (i > 0)
-			value[-1] = ',';
-		value = strchr(value, '\0') + 1;
-	}
+	if (jailparam_init(param, name) < 0 ||
+	    jailparam_import(param, value) < 0)
+		errx(1, "%s", jail_errmsg);
 }
 
 static void
author	jamie <jamie@FreeBSD.org>	2009-06-24 18:18:35 +0000
committer	jamie <jamie@FreeBSD.org>	2009-06-24 18:18:35 +0000
commit	7c0019fd3084503b16686588e9e052c1a6b6c371 (patch)
tree	a9cec75f7b2e1076b5455019e71bbc78faac9225 /usr.sbin/jail
parent	bd3587c757355e28ac6abbaf11703661599270bb (diff)
download	FreeBSD-src-7c0019fd3084503b16686588e9e052c1a6b6c371.zip FreeBSD-src-7c0019fd3084503b16686588e9e052c1a6b6c371.tar.gz