From 6fe59c6c06d9b42a052d1fb76fdbd3237ffba98e Mon Sep 17 00:00:00 2001 From: jamie Date: Mon, 27 Feb 2012 22:37:35 +0000 Subject: Use the defvs_ruleset paramater when mounting a jail's /dev, instead of a mount.devfs.ruleset pseudo-parameter. --- usr.sbin/jail/command.c | 24 ++++++++++++------------ usr.sbin/jail/config.c | 2 +- usr.sbin/jail/jail.8 | 11 +++-------- usr.sbin/jail/jailp.h | 2 +- 4 files changed, 17 insertions(+), 22 deletions(-) (limited to 'usr.sbin') diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c index 10ff3e2..1c17da0 100644 --- a/usr.sbin/jail/command.c +++ b/usr.sbin/jail/command.c @@ -417,6 +417,7 @@ run_command(struct cfjail *j) break; case IP_MOUNT_DEVFS: + argv = alloca(7 * sizeof(char *)); path = string_param(j->intparams[KP_PATH]); if (path == NULL) { jail_warnx(j, "mount.devfs: no path"); @@ -428,22 +429,21 @@ run_command(struct cfjail *j) down ? "devfs" : NULL) < 0) return -1; if (down) { - argv = alloca(3 * sizeof(char *)); *(const char **)&argv[0] = "/sbin/umount"; argv[1] = devpath; argv[2] = NULL; } else { - argv = alloca(4 * sizeof(char *)); - *(const char **)&argv[0] = _PATH_BSHELL; - *(const char **)&argv[1] = "-c"; - ruleset = string_param(j->intparams - [IP_MOUNT_DEVFS_RULESET]); - argv[2] = alloca(strlen(path) + - (ruleset ? strlen(ruleset) + 1 : 0) + 56); - sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; " - "devfs_mount_jail %s/dev%s%s", path, - ruleset ? " " : "", ruleset ? ruleset : ""); - argv[3] = NULL; + *(const char **)&argv[0] = _PATH_MOUNT; + *(const char **)&argv[1] = "-t"; + *(const char **)&argv[2] = "devfs"; + ruleset = string_param(j->intparams[KP_DEVFS_RULESET]); + if (!ruleset) + ruleset = "4"; /* devfsrules_jail */ + argv[3] = alloca(11 + strlen(ruleset)); + sprintf(argv[3], "-oruleset=%s", ruleset); + *(const char **)&argv[4] = "."; + argv[5] = devpath; + argv[6] = NULL; } break; diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 941a446..7080a59 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -81,7 +81,6 @@ static const struct ipspec intparams[] = { #endif [IP_MOUNT] = {"mount", PF_INTERNAL}, [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL}, - [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL}, [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, @@ -99,6 +98,7 @@ static const struct ipspec intparams[] = { [KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0}, [KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0}, [KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0}, + [KP_DEVFS_RULESET] = {"devfs_ruleset", 0}, [KP_ENFORCE_STATFS] = {"enforce_statfs", 0}, [KP_HOST_HOSTNAME] = {"host.hostname", 0}, #ifdef INET diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 9214543..3ad23e5 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -693,15 +693,10 @@ format file containing filesystems to mount before creating a jail. .It Va mount.devfs Mount a .Xr devfs - filesystem on the chrooted /dev directory, and run -.Xr devfs 8 +filesystem on the chrooted /dev directory, and apply the ruleset in the +.Va devfs_ruleset +parameter (or a default of ruleset 4: devfsrules_jail) to restrict the devices visible inside the prison. -.It Va mount.devfs.ruleset -The ruleset from -.Xr devfs.rules 5 -to use when mounting a devfs filesystem. -The default ruleset is -.Dq devfsrules_jail . .It Va allow.dying Allow making changes to a .Va dying diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h index 65cd88c..226ecd4 100644 --- a/usr.sbin/jail/jailp.h +++ b/usr.sbin/jail/jailp.h @@ -93,7 +93,6 @@ enum intparam { #endif IP_MOUNT, /* Mount points in fstab(5) form */ IP_MOUNT_DEVFS, /* Mount /dev under prison root */ - IP_MOUNT_DEVFS_RULESET, /* Ruleset for the devfs mount */ IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */ @@ -111,6 +110,7 @@ enum intparam { KP_ALLOW_SET_HOSTNAME, KP_ALLOW_SOCKET_AF, KP_ALLOW_SYSVIPC, + KP_DEVFS_RULESET, KP_ENFORCE_STATFS, KP_HOST_HOSTNAME, #ifdef INET -- cgit v1.1