blob: 25e59a457cad8115e0a84444ba3afac1c123a3d6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: jail
# REQUIRE: LOGIN
# BEFORE: securelevel
# KEYWORD: FreeBSD shutdown
. /etc/rc.subr
name="jail"
rcvar=`set_rcvar`
start_cmd="jail_start"
stop_cmd="jail_stop"
# init_variables _j
# Initialize the various jail variables for jail _j.
#
init_variables()
{
_j="$1"
if [ -z "$_j" ]; then
warn "init_variables: you must specify a jail"
return
fi
eval jail_rootdir=\"\$jail_${_j}_rootdir\"
jail_devdir="${jail_rootdir}/dev"
jail_fdescdir="${jail_devdir}/fd"
jail_procdir="${jail_rootdir}/proc"
eval jail_hostname=\"\$jail_${_j}_hostname\"
eval jail_ip=\"\$jail_${_j}_ip\"
eval jail_exec=\"\$jail_${_j}_exec\"
[ -z "${jail_exec}" ] && jail_exec="/bin/sh /etc/rc"
# The default jail ruleset will be used by rc.subr if none is specified.
eval jail_ruleset=\"\$jail_${_j}_devfs_ruleset\"
eval jail_devfs=\"\$jail_${_j}_devfs_enable\"
[ -z "${jail_devfs}" ] && jail_devfs="NO"
eval jail_fdescfs=\"\$jail_${_j}_fdescfs_enable\"
[ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
eval jail_procfs=\"\$jail_${_j}_procfs_enable\"
[ -z "${jail_procfs}" ] && jail_procfs="NO"
# Debuggin aid
#
debug "$_j devfs enable: $jail_devfs"
debug "$_j fdescfs enable: $jail_fdescfs"
debug "$_j procfs enable: $jail_procfs"
debug "$_j hostname: $jail_hostname"
debug "$_j ip: $jail_ip"
debug "$_j root: $jail_rootdir"
debug "$_j devdir: $jail_devdir"
debug "$_j fdescdir: $jail_fdescdir"
debug "$_j procdir: $jail_procdir"
debug "$_j ruleset: $jail_ruleset"
}
jail_start()
{
echo -n 'Configuring jails:'
echo -n ' set_hostname_allowed='
if checkyesno jail_set_hostname_allow ; then
echo -n 'YES'
${SYSCTL_W} 1>/dev/null security.jail.set_hostname_allowed=1
else
echo -n 'NO'
${SYSCTL_W} 1>/dev/null security.jail.set_hostname_allowed=0
fi
echo -n ' unixiproute_only='
if checkyesno jail_socket_unixiproute_only ; then
echo -n 'YES'
${SYSCTL_W} 1>/dev/null security.jail.socket_unixiproute_only=1
else
echo -n 'NO'
${SYSCTL_W} 1>/dev/null security.jail.socket_unixiproute_only=0
fi
echo -n ' sysvipc_allow='
if checkyesno jail_sysvipc_allow ; then
echo -n 'YES'
${SYSCTL_W} 1>/dev/null security.jail.sysvipc_allowed=1
else
echo -n 'NO'
${SYSCTL_W} 1>/dev/null security.jail.sysvipc_allowed=0
fi
echo '.'
echo -n 'Starting Jails:'
for _jail in ${jail_list}
do
init_variables $_jail
if checkyesno jail_devfs; then
info "Mounting devfs on ${jail_devdir}"
devfs_mount_jail "${jail_devdir}" ${jail_ruleset}
# Transitional symlink for old binaries
if [ ! -L ${jail_devdir}/log ]; then
devfs_link ${jail_devdir} ../var/run/log log
fi
# Jail console output
devfs_link ${jail_devdir} ../var/log/console console
fi
if checkyesno jail_fdescfs; then
info "Mounting fdescfs on ${jail_fdescdir}"
mount -t fdescfs fdesc "${jail_fdescdir}"
fi
if checkyesno jail_procfs; then
info "Mounting procfs onto ${jail_procdir}"
if [ -d ${jail_procdir} ] ; then
mount -t procfs proc "${jail_procdir}"
fi
fi
jail 1>/dev/null 2>&1 \
${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
[ "$?" -eq 0 ] && echo -n " $jail_hostname"
done
echo '.'
}
jail_stop()
{
echo 'Stopping all jails.'
if checkyesno jail_stop_jailer; then
rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print $2};')
else
rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print $2};')
fi
if [ -n "${rc_pid}" ]; then
kill -TERM $rc_pid
wait_for_pids $rc_pid
fi
for _jail in ${jail_list}
do
init_variables $_jail
if checkyesno jail_devfs; then
if [ -d ${jail_devdir} ] ; then
umount -f ${jail_devdir} >/dev/null 2>&1
fi
fi
if checkyesno jail_fdescfs; then
umount -f ${jail_fdescdir} >/dev/null 2>&1
fi
if checkyesno jail_procfs; then
if [ -d ${jail_procdir} ] ; then
umount -f ${jail_procdir} >/dev/null 2>&1
fi
fi
done
}
load_rc_config $name
run_rc_command "$1"
|