| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
| |
Fix up the order in which jail creation processes are run, to preserve
the config file's order in the non-parallel-start case.
PR: 209112
|
|
|
|
| |
Submitted by: Jimmy Olgeni
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Note the existence of module-specific jail paramters, starting with the
linux.* parameters when linux emulation is loaded.
MFC r298585:
Encapsulate SYSV IPC objects in jails. Define per-module parameters
sysvmsg, sysvsem, and sysvshm, with the following bahavior:
inherit: allow full access to the IPC primitives. This is the same as
the current setup with allow.sysvipc is on. Jails and the base system
can see (and moduly) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).
disable: all no access, same as the current setup with allow.sysvipc off.
new: A jail may see use the IPC objects that it has created. It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value. The parent jail (or base system) can
see the jail's IPC objects, but not its keys.
PR: 48471
|
|
|
|
|
|
| |
Make jail(8) interpret escape codes in fstab the same as getfsent(3).
PR: 208663
|
|
|
|
|
|
|
|
|
|
|
| |
Add support to the jail framework to be able to mount linsysfs(5) and linprocfs(5).
PR: 207179
Requested by: thomas@gibfest.dk
Reviewed by: jamie, bapt
Approved by: re (gjb)
Sponsored by: gandi.net
Differential Revision: https://reviews.freebsd.org/D5390
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clear errno before calling getpw*.
MFC r294196:
Don't bother checking an ip[46].addr netmask/prefixlen. This is already
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.
PR: 205926
|
|
|
|
| |
Fix a ton of speelling errors
|
|
|
|
|
|
|
| |
Fix transposed words in man page.
PR: 201752
Reviewed by: gjb
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Fix offset calculation in variable substitution
in jail.conf. The following did not work correctly:
A="A_${B}_C_${D}"
B="BBBBB"
D="DDDD_${E}_FFFFF"
E="EEEEE"
- Implement PF_IMMUTABLE flag and apply it to "name" and "jid" in
jail.conf parameters. This flag disallows redefinition of the parameter.
"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions. However,
one could override them by using a variable with the same name like
$name = "foo". This confused the parser and could end up with SIGSEGV.
Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf. Specifically,
"jail -c name=j1 name=j2" no longer works. This should be harmless.
Approved by: re (gjb)
|
|
|
|
|
|
|
|
|
|
|
| |
Allow the kern.osrelease and kern.osreldate sysctl values to be set in a
jail's creation parameters. This allows the kernel version to be reliably
spoofed within the jail whether examined directly with sysctl or
indirectly with the uname -r and -K options.
Export the new osreldate and osrelease jail parms in jail_get(2).
Fix line wrap.
|
|
|
|
|
|
|
|
|
| |
Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.
Also fix a typo while I'm at it.
PR: 197237 197066
|
|
|
|
|
|
|
| |
Add allow.mount.fdescfs jail flag.
PR: 192951
Submitted by: ruben@verweg.com
|
|
|
|
|
|
|
|
| |
Setgid before running a command as a specified user. Previously only
initgroups(3) was called, what isn't quite enough. This brings jail(8)
in line with jexec(8), which was already doing the right thing.
PR: 195984
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Review pass through jail.8
Replace usage of "prison" with "jail", since that term has mostly dropped
out of use. Note once at the beginning that the "prison" term is equivalent,
but do not use it otherwise. [1]
Some grammar issues.
Some mdoc formatting fixes.
Consistently use \(em for em dashes, with spaces around it.
Avoid contractions.
Prefer ssh to telnet.
PR: 176832 [1]
|
|
|
|
|
|
|
| |
Reword an awkward option description
PR: 191726
Submitted by: yaneurabeya gmail.com
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added support for extra ifconfig args to jail ip4.addr & ip6.addr params
This allows for CARP interfaces to be used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"
r269340 will not be MFC'ed as mentioned due to the slim window and the
amount of additional commits required to support it.
Sponsored by: Multiplay
|
|
|
|
|
|
|
|
|
|
|
|
| |
r261832:
Add cross references between rc.conf(5) and jail.conf(5).
r261833:
Add commas (,) to the list in the SEE ALSO section, to match most
other manuals.
r261834:
Bump .Dd forgotten in r261832.
|
|
|
|
|
|
|
|
|
|
|
| |
- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.
- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.
Approved by: re (gjb)
|
|
|
|
|
|
|
|
|
|
|
|
| |
command line options. The "jail_<jname>_*" rc.conf(5) variables for
per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible.
- Fix a minor bug in jail(8) which prevented it from returning false
when jail -r failed.
Approved by: re (glebius)
|
| |
|
|
|
|
| |
Reported by: tinderbox
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This compiler flag enforces that that people either mark variables
static or use an external declarations for the variable, similar to how
-Wmissing-prototypes works for functions.
Due to the fact that Yacc/Lex generate code that cannot trivially be
changed to not warn because of this (lots of yy* variables), add a
NO_WMISSING_VARIABLE_DECLARATIONS that can be used to turn off this
specific compiler warning.
Announced on: toolchain@
|
|
|
|
|
|
|
|
|
| |
when stopping jails. This matters particularly for nested filesystem
mounts.
PR: kern/177325
Submitted by: Harald Schmalzbauer
MFC after: 3 days
|
| |
|
|
|
|
| |
(i.e. on an unknown parameter), to avoid freeing bogus pointers.
|
| |
|
|
|
|
|
|
|
|
| |
and null-terminated at the same time, because they're later passed to
libjail as null-terminated. That means I also need to add a nul byte when
comma-combining array parameters.
MFC after: 6 days
|
|
|
|
|
|
|
|
| |
properly parsed for interface prefixes and netmask suffixes. This was
already done for the old-style (fixed) command line, but missed for
the new-style.
MFC after: 1 week
|
|
|
|
|
|
|
|
|
|
|
| |
Remove a bogus null terminator when stripping the netmask from
IP addresses. This was causing later addresses in a comma-separated
string to disappear.
Use memcpy instead of strcpy. This could just cause Bad Things.
PR: 170832
MFC after: 1 week
|
|
|
|
|
|
| |
PR: bin/169490
Submitted by: amdmi3
MFC after: 2 weeks
|
| |
|
|
|
|
| |
before any commands run. /etc/rc.d/jail depends on this.
|
|
|
|
| |
Submitted by: Mateusz Guzik <mjguzik gmail.com>
|
|
|
|
|
|
|
| |
PR: 168016
Submitted by: Nobuyuki Koganemaru
Approved by: gjb
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
| |
- old yacc(1) use to magicially append stdlib.h, while new one don't
- new yacc(1) do declare yyparse by itself, fix redundant declaration of
'yyparse'
Approved by: des (mentor)
|
| |
|
|
|
|
|
|
| |
PR: 167804
Submitted by: Nobuyuki Koganemaru (kogane!jp.freebsd.org)
MFC after: 3 days
|
| |
|
| |
|
|
|
|
|
|
| |
enum values and zeroes. This keeps clang happy (and is just good form).
Submitted by: dim
|
| |
|
| |
|
|\
| |
| |
| |
| |
| | |
currently done by /etc/rc.d/jail.
MFC after: 3 months
|
| |
| |
| |
| | |
instead of a mount.devfs.ruleset pseudo-parameter.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Document the potential for jail escape.
From r224615:
Always disable mount and unmount for jails with enforce_statfs==2.
From r231267:
A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.
From r232059:
To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:
allow.mount.devfs:
allow mounting the devfs filesystem inside a jail
allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail
From r232186:
allow.mount.zfs:
allow mounting the zfs filesystem inside a jail
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Some errors printed the jail name for unnamed (command line) jails.
Attempting to create an already-existing jail from the command line
returned with no error (even for non-root) due to bad logic in
start_state.
Ignore kvm_proc errors, which are typically caused by permission
problems. Instead, stop ignoring permission errors when removing
a jail (but continue to silently ignore other errors, i.e. the
jail no longer existing). This makes non-root attempts at removing
a jail give a clearer error message.
|
| |
| |
| |
| | |
(but continue to flag when from a config file).
|