From owner-freebsd-current@FreeBSD.ORG Fri Aug 1 16:29:31 2003 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3D0337B401; Fri, 1 Aug 2003 16:29:31 -0700 (PDT) Received: from pool-151-200-10-97.res.east.verizon.net (pool-138-88-5-64.res.east.verizon.net [138.88.5.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id 089EF43FA3; Fri, 1 Aug 2003 16:29:30 -0700 (PDT) (envelope-from mtm@identd.net) Received: from kokeb.ambesa.net (m4b7ossbmkakbw73@localhost [127.0.0.1]) id h71NTMJO037177; Fri, 1 Aug 2003 19:29:22 -0400 (EDT) (envelope-from mtm@identd.net) Received: (from mtm@localhost) by kokeb.ambesa.net (8.12.9/8.12.9/Submit) id h71NTJ59037176; Fri, 1 Aug 2003 19:29:19 -0400 (EDT) (envelope-from mtm@identd.net) X-Authentication-Warning: kokeb.ambesa.net: mtm set sender to mtm@identd.net using -f Date: Fri, 1 Aug 2003 19:29:19 -0400 
From: Mike Makonnen To: Jens Rehsack Message-ID: <20030801232918.GA37095@kokeb.ambesa.net> References: <3F26AA16.5030007@liwing.de> <20030729172122.GA5005@kokeb.ambesa.net> <3F26BC7B.8070507@liwing.de> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline In-Reply-To: <3F26BC7B.8070507@liwing.de> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD/5.1-CURRENT (i386) cc: Clement Laforet cc: Robert Watson cc: FreeBSD-Current List Subject: Re: [PATCH] jail NG schript patch for mounting devfs and procfs automatically X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Aug 2003 23:29:31 -0000 --sm4nu43k4a2Rpi4c Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote: > On 29.07.2003 19:21, Mike Makonnen wrote: > > >On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote: > >Yeah, I'll take care of this. I had asked scott to mail me his final > >patch so I could commit it, but I never heard back from him. I'll > >dig out the revisions from my mail archives and combine the > >two. > > You can mail me the patch first, so that I can test it before you > commit it, if you want. Hi Jens, Can you apply the attached patches and let me know how it goes? Cheers. -- Mike Makonnen | GPG-KEY: http://www.identd.net/~mtm/mtm.asc mtm@identd.net | D228 1A6F C64E 120A A1C9 A3AA DAE1 E2AF DBCC 68B9 mtm@FreeBSD.Org| FreeBSD - Unleash the Daemon! 
--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="devfs.diff"
Index: etc/rc.subr
===================================================================
RCS file: /home/ncvs/src/etc/rc.subr,v
retrieving revision 1.13
diff -u -r1.13 rc.subr
--- etc/rc.subr 9 Jun 2003 17:31:06 -0000 1.13
+++ etc/rc.subr 1 Aug 2003 23:05:21 -0000
@@ -1033,3 +1033,160 @@
 esac
 fi
 }
+
+# devfs_init_rulesets
+# Initialize default system supplied rulesets.
+#
+devfs_init_rulesets()
+{
+ local rsHide rsBasic rsLogin rsJail _me
+ rsHide=$devfs_ruleset_hide
+ rsBasic=$devfs_ruleset_basic
+ rsLogin=$devfs_ruleset_login
+ rsJail=$devfs_ruleset_jail
+ _me="devfs_init_rulesets"
+
+ # Go through this only once
+ if [ -n "$devfs_rulesets_init" ]; then
+ debug "$_me: devfs rulesets already initialized"
+ return
+ fi
+
+ # Hide: Hide all devices
+ #
+ /sbin/devfs rule -s $rsHide delset
+ /sbin/devfs rule -s $rsHide add hide
+
+ # Basic: Basic devices typically necessary
+ #
+ /sbin/devfs rule -s $rsBasic delset
+ /sbin/devfs rule -s $rsBasic add path null unhide
+ /sbin/devfs rule -s $rsBasic add path zero unhide
+ /sbin/devfs rule -s $rsBasic add path random unhide
+ /sbin/devfs rule -s $rsBasic add path urandom unhide
+
+ # Login: Devices typically needed to support loged-in users
+ #
+ /sbin/devfs rule -s $rsLogin delset
+ /sbin/devfs rule -s $rsLogin add path 'ptyp*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyq*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyr*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptys*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyP*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyQ*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyR*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyS*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyp*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyq*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyr*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttys*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyP*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyQ*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyR*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyS*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'fd/*' unhide
+ /sbin/devfs rule -s $rsLogin add path stdin unhide
+ /sbin/devfs rule -s $rsLogin add path stdout unhide
+ /sbin/devfs rule -s $rsLogin add path stderr unhide
+
+ # Jail: Devices typically usefull in a jail
+ #
+ /sbin/devfs rule -s $rsJail add path '*' include $rsHide
+ /sbin/devfs rule -s $rsJail add path '*' include $rsBasic
+ /sbin/devfs rule -s $rsJail add path '*' include $rsLogin
+
+ devfs_rulesets_init=1
+ debug "$_me: devfs rulesets initialized"
+}
+
+# devfs_set_ruleset ruleset [dir]
+# Sets the default ruleset of dir to ruleset.
+# Returns non-zero if it could not set it successfully.
+#
+devfs_set_ruleset()
+{
+ local devdir rs _me
+ rs=$1
+ [ -n "$2" ] && devdir="-m "$2"" || devdir=
+ _me="devfs_set_ruleset"
+
+ if [ -z "$rs" ]; then
+ warn "$_me: you must specify a ruleset number"
+ return 1
+ fi
+ debug "$_me: setting ruleset ($rs) on mount-point (${devdir#-m })"
+ if ! /sbin/devfs $devdir ruleset $rs ; then
+ warn "$_me: unable to set ruleset $rs to ${devdir#-m }"
+ return 1
+ fi
+ return 0
+}
+
+# devfs_apply_ruleset ruleset [dir]
+# Apply ruleset number $ruleset to the devfs mountpoint $dir.
+# Returns 0 on success or non-zero if it could not apply
+# the ruleset.
+#
+devfs_apply_ruleset()
+{
+ local devdir rs _me
+ rs=$1
+ [ -n "$2" ] && devdir="-m "$2"" || devdir=
+ _me="devfs_apply_ruleset"
+
+ if [ -z "$rs" ]; then
+ warn "$_me: you must specify a ruleset"
+ return 1
+ fi
+ debug "$_me: applying ruleset ($rs) to mount-point (${devdir#-m })"
+ if ! /sbin/devfs $devdir rule -s $rs applyset ; then
+ warn "$_me: unable to apply ruleset $rs to ${devdir#-m }"
+ return 1
+ fi
+ return 0
+}
+
+# devfs_domount dir [ruleset]
+# Mount devfs on dir. If ruleset is specified it is set
+# on the mount-point. Returns 0 on success.
+#
+devfs_domount()
+{
+ local devdir rs _me
+ devdir="$1"
+ [ -n "$2" ] && rs=$2 || rs=
+ _me="devfs_domount()"
+
+ if [ -z "$devdir" ]; then
+ warn "$_me: you must specify a mount-point"
+ return 1
+ fi
+ debug "$_me: mount-point is ($devdir), ruleset is ($rs)"
+ if ! mount -t devfs dev "$devdir" ; then
+ warn "$_me: Unable to mount devfs on $devdir"
+ return 1
+ fi
+ if [ -n "$rs" ]; then
+ devfs_init_rulesets
+ devfs_set_ruleset $rs $devdir
+ fi
+ return 0
+}
+
+# devfs_mount_jail dir
+# Mounts a devfs file system appropriate for jails
+# on the directory dir. Returns non-zero if an error
+# occured.
+#
+devfs_mount_jail()
+{
+ local jdev _me
+ jdev="$1"
+ _me="devfs_mount_jail"
+
+ if ! devfs_domount "$jdev" $devfs_ruleset_jail; then
+ warn "$_me: devfs was not mounted on $jdev"
+ return 1
+ fi
+ return 0
+}
--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="jail.diff"
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf 28 Jul 2003 13:09:00 -0000 1.182
+++ etc/defaults/rc.conf 1 Aug 2003 23:28:22 -0000
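Review bot: devfs_domount discards the exit status of `devfs_set_ruleset $rs $devdir` and then unconditionally returns 0, so when the ruleset cannot be set the jail ends up with a devfs that exposes every host device node while devfs_mount_jail still reports success. The ruleset is also only set, never applied: devfs_apply_ruleset is defined in this hunk but nothing calls it, so if `devfs ruleset` governs only nodes created after it is set (which the separate applyset operation suggests), nodes present at mount time stay unhidden. Propose replacing the two lines inside the `[ -n "$rs" ]` branch with `devfs_set_ruleset $rs $devdir || return 1` and `devfs_apply_ruleset $rs $devdir || return 1`. Separately, devfs_init_rulesets runs delset for the hide, basic and login sets but not for $rsJail before adding its include rules, and the `$devfs_rulesets_init` guard is a plain shell variable, so every rc invocation appends another copy of the three include rules to the jail set.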
@@ -426,12 +426,35 @@
 harvest_ethernet="YES" # Entropy device harvests ethernet randomness
 harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness
 dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
-jail_enable="NO" # Set to NO to disable starting of any jails
-jail_list="" # Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
 watchdogd_enable="NO" # Start the software watchdog daemon
+devfs_ruleset_hide="1" # The number of the default hide ruleset (rc.subr(8))
+devfs_ruleset_basic="2" # The number of the default basic ruleset (rc.subr(8))
+devfs_ruleset_login="3" # The number of the default login ruleset (rc.subr(8))
+devfs_ruleset_jail="123" # The number of the default jail ruleset (rc.subr(8))
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+jail_enable="NO" # Set to NO to disable starting of any jails
+jail_list="" # Space separated list of names of jails
+jail_set_hostname_allow="YES" # Allow the root user in a jail to change its
+ # hostname
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
+jail_stop_jailer="NO" # Only stop jailer. Requires jail_*_exec be set
+ # to use sysutils/jailer port to start the jail.
+
+#
+# To use rc's built-in jail infrastructure create entries for
+# each jail, specified in jail_list, with the following variables.
+# NOTE: replace 'example' with the jail's name.
+#
+#jail_example_rootdir="/usr/jail/default" # Jail's root directory
+#jail_example_hostname="default.domain.com" # Jail's hostname
+#jail_example_ip="192.168.0.10" # Jail's IP number
+#jail_example_exec="/bin/sh /etc/rc" # command to execute in jail
+#jail_example_devfs_enable="NO" # mount devfs in the jail
+#jail_example_procfs_enable="NO" # mount procfs in jail
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail 5 May 2003 15:38:41 -0000 1.4
+++ etc/rc.d/jail 1 Aug 2003 23:11:36 -0000
@@ -6,7 +6,7 @@
 # PROVIDE: jail
 # REQUIRE: LOGIN
 # BEFORE: securelevel
-# KEYWORD: FreeBSD
+# KEYWORD: FreeBSD shutdown
 . /etc/rc.subr
@@ -50,18 +50,77 @@
 for _jail in ${jail_list}
 do
 eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+ jail_devdir="${jail_rootdir}/dev"
+ jail_procdir="${jail_rootdir}/proc"
+
 eval jail_hostname=\"\$jail_${_jail}_hostname\"
 eval jail_ip=\"\$jail_${_jail}_ip\"
 eval jail_exec=\"\$jail_${_jail}_exec\"
 [ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-
+
+ eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+ [ -z ${jail_devfs} ] && jail_devfs="NO"
+
+ eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+ [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+ if checkyesno jail_devfs; then
+ info "Mounting devfs on ${jail_devdir}"
+ devfs_mount_jail "${jail_devdir}"
+
+ # Transitional symlink for old binaries
+ if [ ! -L ${jail_devdir}/log ]; then
+ devfs_link ${jail_devdir} ../var/run/log log
+ fi
+
+ # Jail console output
+ devfs_link ${jail_devdir} ../var/log/console console
+ fi
+
+ if checkyesno jail_procfs; then
+ info "Mounting procfs onto ${jail_procdir}"
+ if [ -d ${jail_procdir} ] ; then
+ mount -t procfs proc ${jail_procdir}
+ fi
+ fi
+
 jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
 done
 }
 jail_stop()
 {
- kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print $2};')
+ if checkyesno jail_stop_jailer; then
+ rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print $2};')
+ else
+ rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print $2};')
+ fi
+ if [ -n "${rc_pid}" ]; then
+ kill -TERM $rc_pid
+ wait_for_pids $rc_pid
+ fi
+ for _jail in ${jail_list}
+ do
+ eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+ jail_devdir="${jail_rootdir}/dev"
+ jail_procdir="${jail_rootdir}/proc"
+ eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+ [ -z ${jail_devfs} ] && jail_devfs="NO"
+ eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+ [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+ if checkyesno jail_devfs; then
+ if [ -d ${jail_devdir} ] ; then
+ umount -f ${jail_devdir} >/dev/null 2>&1
+ fi
+ fi
+
+ if checkyesno jail_procfs; then
+ if [ -d ${jail_procdir} ] ; then
+ umount -f ${jail_procdir} >/dev/null 2>&1
+ fi
+ fi
+ done
 }
--sm4nu43k4a2Rpi4c--
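Review bot: The exit status of `devfs_mount_jail "${jail_devdir}"` is ignored, so when the mount or its ruleset setup fails the loop still runs devfs_link against a plain directory and goes on to start the jail as if its device view were in place. Suggest `devfs_mount_jail "${jail_devdir}" || { warn "devfs not mounted for ${_jail}, skipping"; continue; }` so a jail never starts without the restricted devfs it was configured for. The new `[ -z ${jail_devfs} ]` and `[ -z ${jail_procfs} ]` tests (in both the start loop and jail_stop) only work because an unset expansion leaves test with a single argument; quoting them as `[ -z "${jail_devfs}" ]` makes the intent explicit and matches the quoted `[ -n "${rc_pid}" ]` further down. In jail_stop, `umount -f ... >/dev/null 2>&1` discards the failure, so a jail's devfs that stays mounted after shutdown goes unreported; dropping the redirection or emitting a warn on failure would surface it. The enclosing jail_start function begins outside the hunk.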