Date: Tue, 24 Mar 2009 02:54:15 +0000 (UTC) From: Doug Barton <dougb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org Subject: svn commit: r190363 - in stable/7/etc: . rc.d Message-ID: <200903240254.n2O2sFNp030455@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: dougb Date: Tue Mar 24 02:54:15 2009 New Revision: 190363 URL: http://svn.freebsd.org/changeset/base/190363 Log: MFC r181114, make sure services and protocols are in the chroot /etc MFC r188293, improve handling of chroot inside of a jail Modified: stable/7/etc/ (props changed) stable/7/etc/rc.d/named Modified: stable/7/etc/rc.d/named ============================================================================== --- stable/7/etc/rc.d/named Tue Mar 24 02:48:54 2009 (r190362) +++ stable/7/etc/rc.d/named Tue Mar 24 02:54:15 2009 (r190363) @@ -32,6 +32,8 @@ stop_postcmd="named_poststop" # chroot_autoupdate() { + local file + # Create (or update) the chroot directory structure # if [ -r /etc/mtree/BIND.chroot.dist ]; then @@ -59,17 +61,32 @@ chroot_autoupdate() # Mount a devfs in the chroot directory if needed # - umount ${named_chrootdir}/dev 2>/dev/null - devfs_domount ${named_chrootdir}/dev devfsrules_hide_all - devfs -m ${named_chrootdir}/dev rule apply path null unhide - devfs -m ${named_chrootdir}/dev rule apply path random unhide - - # Copy local timezone information if it is not up to date. - # - if [ -r /etc/localtime ]; then - cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" || - cp -p /etc/localtime "${named_chrootdir}/etc/localtime" + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null + devfs_domount ${named_chrootdir}/dev devfsrules_hide_all + devfs -m ${named_chrootdir}/dev rule apply path null unhide + devfs -m ${named_chrootdir}/dev rule apply path random unhide + else + if [ -c ${named_chrootdir}/dev/null -a \ + -c ${named_chrootdir}/dev/random ]; then + info "named chroot: using pre-mounted devfs." + else + err 1 "named chroot: devfs cannot be mounted from" \ + "within a jail. Thus a chrooted named cannot" \ + "be run from within a jail." \ + "To run named without chrooting it, set" \ + "named_chrootdir=\"\" in /etc/rc.conf." + fi fi + + # Copy and/or update key files to the chroot /etc + # + for file in localtime protocols services; do + if [ -r /etc/$file ]; then + cmp -s /etc/$file "${named_chrootdir}/etc/$file" || + cp -p /etc/$file "${named_chrootdir}/etc/$file" + fi + done } # Make symlinks to the correct pid file @@ -109,7 +126,12 @@ named_stop() named_poststop() { if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then - umount ${named_chrootdir}/dev 2>/dev/null || true + if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then + umount ${named_chrootdir}/dev 2>/dev/null || true + else + warn "named chroot:" \ + "cannot unmount devfs from inside jail!" + fi fi }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200903240254.n2O2sFNp030455>