authorjamie <jamie@FreeBSD.org>2012-02-27 22:37:35 +0000
committerjamie <jamie@FreeBSD.org>2012-02-27 22:37:35 +0000
commit6fe59c6c06d9b42a052d1fb76fdbd3237ffba98e (patch)
tree90dfaafdc1a8e275adbb456494f3f02df99d94c7 /usr.sbin/jail
parentce34112a7dc2c5d7092d69bc27eac385caeae9cd (diff)
downloadFreeBSD-src-6fe59c6c06d9b42a052d1fb76fdbd3237ffba98e.zip
FreeBSD-src-6fe59c6c06d9b42a052d1fb76fdbd3237ffba98e.tar.gz
Use the devfs_ruleset parameter when mounting a jail's /dev,
instead of a mount.devfs.ruleset pseudo-parameter.
Diffstat (limited to 'usr.sbin/jail')
-rw-r--r--usr.sbin/jail/command.c24
-rw-r--r--usr.sbin/jail/config.c2
-rw-r--r--usr.sbin/jail/jail.811
-rw-r--r--usr.sbin/jail/jailp.h2
4 files changed, 17 insertions, 22 deletions
diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c
index 10ff3e2..1c17da0 100644
--- a/usr.sbin/jail/command.c
+++ b/usr.sbin/jail/command.c
@@ -417,6 +417,7 @@ run_command(struct cfjail *j)
break;
case IP_MOUNT_DEVFS:
+ argv = alloca(7 * sizeof(char *));
path = string_param(j->intparams[KP_PATH]);
if (path == NULL) {
jail_warnx(j, "mount.devfs: no path");
@@ -428,22 +429,21 @@ run_command(struct cfjail *j)
down ? "devfs" : NULL) < 0)
return -1;
if (down) {
- argv = alloca(3 * sizeof(char *));
*(const char **)&argv[0] = "/sbin/umount";
argv[1] = devpath;
argv[2] = NULL;
} else {
- argv = alloca(4 * sizeof(char *));
- *(const char **)&argv[0] = _PATH_BSHELL;
- *(const char **)&argv[1] = "-c";
- ruleset = string_param(j->intparams
- [IP_MOUNT_DEVFS_RULESET]);
- argv[2] = alloca(strlen(path) +
- (ruleset ? strlen(ruleset) + 1 : 0) + 56);
- sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; "
- "devfs_mount_jail %s/dev%s%s", path,
- ruleset ? " " : "", ruleset ? ruleset : "");
- argv[3] = NULL;
+ *(const char **)&argv[0] = _PATH_MOUNT;
+ *(const char **)&argv[1] = "-t";
+ *(const char **)&argv[2] = "devfs";
+ ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
+ if (!ruleset)
+ ruleset = "4"; /* devfsrules_jail */
+ argv[3] = alloca(11 + strlen(ruleset));
+ sprintf(argv[3], "-oruleset=%s", ruleset);
+ *(const char **)&argv[4] = ".";
+ argv[5] = devpath;
+ argv[6] = NULL;
}
break;
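Review bot: `argv[3]` is filled by an unbounded `sprintf` into an `alloca` buffer whose size, `11 + strlen(ruleset)`, was counted by hand from the 10-character `-oruleset=` prefix plus the terminator; the count is exactly right today, but any later edit to the option text that forgets to adjust it turns into a stack buffer overflow. Sizing once and bounding the write keeps the two in step: `size_t len = 11 + strlen(ruleset);` `argv[3] = alloca(len);` `snprintf(argv[3], len, "-oruleset=%s", ruleset);`. The same silent coupling exists between the `alloca(7 * sizeof(char *))` added in the first hunk and the `argv[6] = NULL` written here; a comment such as `/* 7 slots: mount -t devfs -oruleset=N . devpath NULL */` on the alloca line would make the count checkable at a glance. run_command's body starts and ends outside this hunk.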
diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index 941a446..7080a59 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -81,7 +81,6 @@ static const struct ipspec intparams[] = {
#endif
[IP_MOUNT] = {"mount", PF_INTERNAL},
[IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
- [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL},
[IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
[IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
[IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
@@ -99,6 +98,7 @@ static const struct ipspec intparams[] = {
[KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0},
[KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0},
[KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0},
+ [KP_DEVFS_RULESET] = {"devfs_ruleset", 0},
[KP_ENFORCE_STATFS] = {"enforce_statfs", 0},
[KP_HOST_HOSTNAME] = {"host.hostname", 0},
#ifdef INET
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 9214543..3ad23e5 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -693,15 +693,10 @@ format file containing filesystems to mount before creating a jail.
.It Va mount.devfs
Mount a
.Xr devfs
- filesystem on the chrooted /dev directory, and run
-.Xr devfs 8
+filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Va devfs_ruleset
+parameter (or a default of ruleset 4: devfsrules_jail)
to restrict the devices visible inside the prison.
-.It Va mount.devfs.ruleset
-The ruleset from
-.Xr devfs.rules 5
-to use when mounting a devfs filesystem.
-The default ruleset is
-.Dq devfsrules_jail .
.It Va allow.dying
Allow making changes to a
.Va dying
diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h
index 65cd88c..226ecd4 100644
--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -93,7 +93,6 @@ enum intparam {
#endif
IP_MOUNT, /* Mount points in fstab(5) form */
IP_MOUNT_DEVFS, /* Mount /dev under prison root */
- IP_MOUNT_DEVFS_RULESET, /* Ruleset for the devfs mount */
IP_MOUNT_FSTAB, /* A standard fstab(5) file */
IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */
@@ -111,6 +110,7 @@ enum intparam {
KP_ALLOW_SET_HOSTNAME,
KP_ALLOW_SOCKET_AF,
KP_ALLOW_SYSVIPC,
+ KP_DEVFS_RULESET,
KP_ENFORCE_STATFS,
KP_HOST_HOSTNAME,
#ifdef INET