From owner-svn-src-head@FreeBSD.ORG Wed Jun 10 15:26:36 2009 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B9931065674; Wed, 10 Jun 2009 15:26:36 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id D344C8FC19; Wed, 10 Jun 2009 15:26:35 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n5AFQZco017809; Wed, 10 Jun 2009 15:26:35 GMT (envelope-from jamie@svn.freebsd.org) Received: (from jamie@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n5AFQZS4017808; Wed, 10 Jun 2009 15:26:35 GMT (envelope-from jamie@svn.freebsd.org) Message-Id: <200906101526.n5AFQZS4017808@svn.freebsd.org> From: Jamie Gritton Date: Wed, 10 Jun 2009 15:26:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r193929 - head/usr.sbin/jail X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jun 2009 15:26:36 -0000 Author: jamie Date: Wed Jun 10 15:26:35 2009 New Revision: 193929 URL: http://svn.freebsd.org/changeset/base/193929 Log: In the old-style jail command line, explicitly set parameters from the security.jail.* sysctls since jail_set(2) doesn't do it implicitly. Approved by: bz (mentor) Modified: head/usr.sbin/jail/jail.c Modified: head/usr.sbin/jail/jail.c ============================================================================== --- head/usr.sbin/jail/jail.c Wed Jun 10 14:52:34 2009 (r193928) +++ head/usr.sbin/jail/jail.c Wed Jun 10 15:26:35 2009 (r193929) @@ -76,6 +76,21 @@ static void quoted_print(FILE *fp, char static void set_param(const char *name, char *value); static void usage(void); +static const char *perm_sysctl[][3] = { + { "security.jail.set_hostname_allowed", + "allow.noset_hostname", "allow.set_hostname" }, + { "security.jail.sysvipc_allowed", + "allow.nosysvipc", "allow.sysvipc" }, + { "security.jail.allow_raw_sockets", + "allow.noraw_sockets", "allow.raw_sockets" }, + { "security.jail.chflags_allowed", + "allow.nochflags", "allow.chflags" }, + { "security.jail.mount_allowed", + "allow.nomount", "allow.mount" }, + { "security.jail.socket_unixiproute_only", + "allow.socket_af", "allow.nosocket_af" }, +}; + extern char **environ; #define GET_USER_INFO do { \ @@ -101,10 +116,12 @@ main(int argc, char **argv) struct iovec rparams[2]; struct passwd *pwd = NULL; gid_t groups[NGROUPS]; - int ch, cmdarg, i, jail_set_flags, jid, ngroups; + size_t sysvallen; + int ch, cmdarg, i, jail_set_flags, jid, ngroups, sysval; int hflag, iflag, Jflag, lflag, rflag, uflag, Uflag; + unsigned pi; char *ep, *jailname, *securelevel, *username, *JidFile; - char errmsg[ERRMSG_SIZE]; + char errmsg[ERRMSG_SIZE], enforce_statfs[4]; static char *cleanenv; const char *shell, *p = NULL; FILE *fp; @@ -236,6 +253,26 @@ main(int argc, char **argv) add_ip_addr(&ip4_addr, argv[2]); #endif cmdarg = 3; + /* Emulate the defaults from security.jail.* sysctls */ + sysvallen = sizeof(sysval); + if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen, + NULL, 0) == 0 && sysval == 0) { + for (pi = 0; pi < sizeof(perm_sysctl) / + sizeof(perm_sysctl[0]); pi++) { + sysvallen = sizeof(sysval); + if (sysctlbyname(perm_sysctl[pi][0], + &sysval, &sysvallen, NULL, 0) == 0) + set_param(perm_sysctl[pi] + [sysval ? 2 : 1], NULL); + } + sysvallen = sizeof(sysval); + if (sysctlbyname("security.jail.enforce_statfs", + &sysval, &sysvallen, NULL, 0) == 0) { + snprintf(enforce_statfs, + sizeof(enforce_statfs), "%d", sysval); + set_param("enforce_statfs", enforce_statfs); + } + } } if (ip4_addr != NULL) set_param("ip4.addr", ip4_addr);