Date:      Fri, 1 Aug 2003 19:29:19 -0400
From:      Mike Makonnen <mtm@identd.net>
To:        Jens Rehsack <rehsack@liwing.de>
Cc:        FreeBSD-Current List <current@FreeBSD.org>
Subject:   Re: [PATCH] jail NG schript patch for mounting devfs and procfs automatically
Message-ID:  <20030801232918.GA37095@kokeb.ambesa.net>
In-Reply-To: <3F26BC7B.8070507@liwing.de>
References:  <Pine.NEB.3.96L.1030729124628.75304H-100000@fledge.watson.org> <3F26AA16.5030007@liwing.de> <20030729172122.GA5005@kokeb.ambesa.net> <3F26BC7B.8070507@liwing.de>


--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
> On 29.07.2003 19:21, Mike Makonnen wrote:
> 
> >On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
> >Yeah, I'll take care of this. I had asked scott to mail me his final
> >patch so I could commit it, but I never heard back from him. I'll
> >dig out the revisions from my mail archives and combine the
> >two.
> 
> You can mail me the patch first, so that I can test it before you
> commit it, if you want.

Hi Jens,

Can you apply the attached patches and let me know how it goes?

Cheers.
-- 
Mike Makonnen  | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
mtm@identd.net | D228 1A6F C64E 120A A1C9  A3AA DAE1 E2AF DBCC 68B9
mtm@FreeBSD.Org| FreeBSD - Unleash the Daemon!

--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="devfs.diff"

Index: etc/rc.subr
===================================================================
RCS file: /home/ncvs/src/etc/rc.subr,v
retrieving revision 1.13
diff -u -r1.13 rc.subr
--- etc/rc.subr	9 Jun 2003 17:31:06 -0000	1.13
+++ etc/rc.subr	1 Aug 2003 23:05:21 -0000
@@ -1033,3 +1033,160 @@
 		esac
 	fi
 }
+
+# devfs_init_rulesets
+#	Initialize default system supplied rulesets.
+#
+devfs_init_rulesets()
+{
+	local rsHide rsBasic rsLogin rsJail _me
+	rsHide=$devfs_ruleset_hide
+	rsBasic=$devfs_ruleset_basic
+	rsLogin=$devfs_ruleset_login
+	rsJail=$devfs_ruleset_jail
+	_me="devfs_init_rulesets"
+
+	# Go through this only once
+	if [ -n "$devfs_rulesets_init" ]; then
+		debug "$_me: devfs rulesets already initialized"
+		return
+	fi
+
+	# Hide: Hide all devices
+	#
+	/sbin/devfs rule -s $rsHide delset
+	/sbin/devfs rule -s $rsHide add hide
+
+	# Basic: Basic devices typically necessary
+	#
+	/sbin/devfs rule -s $rsBasic delset
+	/sbin/devfs rule -s $rsBasic add path null unhide
+	/sbin/devfs rule -s $rsBasic add path zero unhide
+	/sbin/devfs rule -s $rsBasic add path random unhide
+	/sbin/devfs rule -s $rsBasic add path urandom unhide
+
+	# Login: Devices typically needed to support loged-in users
+	#
+	/sbin/devfs rule -s $rsLogin delset
+	/sbin/devfs rule -s $rsLogin add path 'ptyp*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyq*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyr*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptys*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyP*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyQ*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyR*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ptyS*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyp*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyq*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyr*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttys*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyP*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyQ*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyR*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'ttyS*' unhide
+	/sbin/devfs rule -s $rsLogin add path 'fd/*' unhide
+	/sbin/devfs rule -s $rsLogin add path stdin unhide
+	/sbin/devfs rule -s $rsLogin add path stdout unhide
+	/sbin/devfs rule -s $rsLogin add path stderr unhide
+
+	# Jail: Devices typically usefull in a jail
+	#
+	/sbin/devfs rule -s $rsJail add path '*' include $rsHide
+	/sbin/devfs rule -s $rsJail add path '*' include $rsBasic
+	/sbin/devfs rule -s $rsJail add path '*' include $rsLogin
+
+	devfs_rulesets_init=1
+	debug "$_me: devfs rulesets initialized"
+}
+
+# devfs_set_ruleset ruleset [dir]
+#	Sets the default ruleset of dir to ruleset.
+#	Returns non-zero if it could not set it successfully.
+#
+devfs_set_ruleset()
+{
+	local devdir rs _me
+	rs=$1
+	[ -n "$2" ] && devdir="-m "$2"" || devdir=
+	_me="devfs_set_ruleset"
+
+	if [ -z "$rs" ]; then
+		warn "$_me: you must specify a ruleset number"
+		return 1
+	fi
+	debug "$_me: setting ruleset ($rs) on mount-point (${devdir#-m })"
+	if ! /sbin/devfs $devdir ruleset $rs ; then
+		warn "$_me: unable to set ruleset $rs to ${devdir#-m }"
+		return 1
+	fi
+	return 0
+}
+
+# devfs_apply_ruleset ruleset [dir]
+#	Apply ruleset number $ruleset to the devfs mountpoint $dir.
+#	Returns 0 on success or non-zero if it could not apply
+#	the ruleset.
+#
+devfs_apply_ruleset()
+{
+	local devdir rs _me
+	rs=$1
+	[ -n "$2" ] && devdir="-m "$2"" || devdir=
+	_me="devfs_apply_ruleset"
+
+	if [ -z "$rs" ]; then
+		warn "$_me: you must specify a ruleset"
+		return 1
+	fi
+	debug "$_me: applying ruleset ($rs) to mount-point (${devdir#-m })"
+	if ! /sbin/devfs $devdir rule -s $rs applyset ; then
+		warn "$_me: unable to apply ruleset $rs to ${devdir#-m }"
+		return 1
+	fi
+	return 0
+}
+
+# devfs_domount dir [ruleset]
+#	Mount devfs on dir. If ruleset is specified it is set
+#	on the mount-point. Returns 0 on success.
+#
+devfs_domount()
+{
+	local devdir rs _me
+	devdir="$1"
+	[ -n "$2" ] && rs=$2 || rs=
+	_me="devfs_domount()"
+
+	if [ -z "$devdir" ]; then
+		warn "$_me: you must specify a mount-point"
+		return 1
+	fi
+	debug "$_me: mount-point is ($devdir), ruleset is ($rs)"
+	if ! mount -t devfs dev "$devdir" ; then
+		warn "$_me: Unable to mount devfs on $devdir"
+		return 1
+	fi
+	if [ -n "$rs" ]; then
+		devfs_init_rulesets
+		devfs_set_ruleset $rs $devdir
+	fi
+	return 0
+}
+
+# devfs_mount_jail dir
+#	Mounts a devfs file system appropriate for jails
+#	on the directory dir. Returns non-zero if an error
+#	occured.
+#
+devfs_mount_jail()
+{
+	local jdev _me
+	jdev="$1"
+	_me="devfs_mount_jail"
+
+	if ! devfs_domount "$jdev" $devfs_ruleset_jail; then
+		warn "$_me: devfs was not mounted on $jdev"
+		return 1
+	fi
+	return 0
+}
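Review bot: devfs_domount discards the result of `devfs_set_ruleset $rs $devdir` and returns 0 regardless, so a devfs whose ruleset could not be set is reported as mounted successfully and stays in place without the jail restrictions. The hunk also defines devfs_apply_ruleset but never calls it; nodes that already exist on the mount-point are, as far as I know, only re-evaluated by `applyset`, which should be confirmed against devfs(8). `$devdir` is passed unquoted in that call, and `devdir="-m "$2""` in devfs_set_ruleset and devfs_apply_ruleset leaves `$2` outside the quotes, so a mount-point containing whitespace is split. I would fail closed as sketched below.

```shell
	# … unchanged: argument checks and mount -t devfs …
	if [ -n "$rs" ]; then
		devfs_init_rulesets
		if ! devfs_set_ruleset $rs "$devdir" ||
		    ! devfs_apply_ruleset $rs "$devdir"; then
			# Do not leave an unrestricted devfs behind.
			umount "$devdir"
			return 1
		fi
	fi
	# … unchanged: return 0 …
```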

--sm4nu43k4a2Rpi4c
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="jail.diff"

Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf	28 Jul 2003 13:09:00 -0000	1.182
+++ etc/defaults/rc.conf	1 Aug 2003 23:28:22 -0000
@@ -426,12 +426,35 @@
 harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
-jail_enable="NO"	# Set to NO to disable starting of any jails
-jail_list=""		# Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
 watchdogd_enable="NO"	# Start the software watchdog daemon
+devfs_ruleset_hide="1"	# The number of the default hide ruleset (rc.subr(8))
+devfs_ruleset_basic="2"	# The number of the default basic ruleset (rc.subr(8))
+devfs_ruleset_login="3"	# The number of the default login ruleset (rc.subr(8))
+devfs_ruleset_jail="123" # The number of the default jail ruleset (rc.subr(8))
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+jail_enable="NO"		# Set to NO to disable starting of any jails
+jail_list=""			# Space separated list of names of jails
+jail_set_hostname_allow="YES"	# Allow the root user in a jail to change its
+				# hostname
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_sysvipc_allow="NO"		# Allow SystemV IPC use from within a jail
+jail_stop_jailer="NO"		# Only stop jailer. Requires jail_*_exec be set
+				# to use sysutils/jailer port to start the jail.
+
+#
+# To use rc's built-in jail infrastructure create entries for
+# each jail, specified in jail_list, with the following variables.
+# NOTE: replace 'example' with the jail's name.
+#
+#jail_example_rootdir="/usr/jail/default"	# Jail's root directory         
+#jail_example_hostname="default.domain.com"	# Jail's hostname
+#jail_example_ip="192.168.0.10"			# Jail's IP number
+#jail_example_exec="/bin/sh /etc/rc"		# command to execute in jail
+#jail_example_devfs_enable="NO"			# mount devfs in the jail
+#jail_example_procfs_enable="NO"		# mount procfs in jail
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
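Review bot: The comments on devfs_ruleset_hide, devfs_ruleset_basic and devfs_ruleset_login do not say that the rulesets with these numbers get wiped: devfs_init_rulesets in the rc.subr patch runs `delset` on each of them before rebuilding it. An administrator who already uses ruleset 1, 2 or 3 for local rules would lose them the first time a jail with devfs enabled is started. I would add a line above the four variables such as `# NOTE: these rulesets are deleted and re-created by devfs_init_rulesets; do not reuse the numbers for local rules`.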
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail	5 May 2003 15:38:41 -0000	1.4
+++ etc/rc.d/jail	1 Aug 2003 23:11:36 -0000
@@ -6,7 +6,7 @@
 # PROVIDE: jail
 # REQUIRE: LOGIN
 # BEFORE: securelevel
-# KEYWORD: FreeBSD
+# KEYWORD: FreeBSD shutdown
 
 . /etc/rc.subr
 
@@ -50,18 +50,77 @@
 	for _jail in ${jail_list} 
 	do
 		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+
 		eval jail_hostname=\"\$jail_${_jail}_hostname\"
 		eval jail_ip=\"\$jail_${_jail}_ip\"
 		eval jail_exec=\"\$jail_${_jail}_exec\"
 		[ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-		
+
+		eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+
+		eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			info "Mounting devfs on ${jail_devdir}"
+			devfs_mount_jail "${jail_devdir}"
+
+			# Transitional symlink for old binaries
+			if [ ! -L ${jail_devdir}/log ]; then
+				devfs_link ${jail_devdir} ../var/run/log log
+			fi
+
+			# Jail console output
+			devfs_link ${jail_devdir} ../var/log/console console
+		fi
+
+		if checkyesno jail_procfs; then
+			info "Mounting procfs onto ${jail_procdir}"
+			if [ -d ${jail_procdir} ] ; then
+				mount -t procfs proc ${jail_procdir}
+			fi
+		fi
+
 		jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
 	done
 }
 
 jail_stop()
 {
-	kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	if checkyesno jail_stop_jailer; then
+		rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print  $2};')
+	else
+		rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	fi
+	if [ -n "${rc_pid}" ]; then
+		kill -TERM $rc_pid
+		wait_for_pids $rc_pid
+	fi
+	for _jail in ${jail_list}
+	do
+		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+		eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+		eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				umount -f ${jail_devdir} >/dev/null 2>&1
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				umount -f ${jail_procdir} >/dev/null 2>&1
+			fi
+		fi
+	done
 }
 
 
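Review bot: The result of `devfs_mount_jail "${jail_devdir}"` in jail_start is not checked, so when the mount or ruleset setup fails the loop still runs devfs_link against whatever directory sits at ${jail_rootdir}/dev and then starts the jail. Since devfs_mount_jail already warns, `devfs_mount_jail "${jail_devdir}" || continue` would skip that jail instead. An empty jail_${_jail}_rootdir is not rejected either, which makes jail_devdir and jail_procdir resolve to /dev and /proc on the host for the mounts here and for the `umount -f` calls in jail_stop; a `[ -n "${jail_rootdir}" ] || continue` guard at the top of both loops would cover that. devfs_link is not defined in any hunk on this page, so its behaviour is assumed, and jail_start begins above this hunk.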

--sm4nu43k4a2Rpi4c--


