RE: Enhancements to the new rc.d/jail script

From: Scot W. Hetzel <hetzels_at_westbend.net>
Date: Mon, 21 Apr 2003 20:20:34 -0500 (CDT)
From: "Mike Makonnen" <mtm_at_identd.net>
> "Scot W. Hetzel" <hetzels_at_westbend.net> wrote:
> > Currently rc.d/devfs starts after rc.d/jail, we need devfs rulesets
> > defined before the jail is started (devfs added to rc.d/jail REQUIRE).
> 
> This should be doable. But, please get the devfs maintainer to signoff on it
> first (dd_at_freebsd.org).
> 
Are these changes to devfs ok with you (dd)?

> > Added a standard jail ruleset to rc.d/devfs.
> 
> I agree with Doug, this should be behind an rc.conf knob.

> 
> I don't know if examples belong in defaults/rc.conf. The rc.conf(5) man page
> already explains what additional knobs need to be set. However, if they do
> belong here, then they should be commented out.
> 

Attached is the updated patch.  The Standard Jail devfs ruleset now needs to
be enabled with devfs_jail_ruleset_enable.

I commented out the jail_example* variables. An alternative to having these
jail_example variables in defaults/rc.conf is to replace them with the following
comment:

# create an entry for each jail named in jail_list, see man rc.conf(5)

I also updated rc.conf(5) man page.

Scot

Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.172
diff -u -r1.172 rc.conf
--- etc/defaults/rc.conf	16 Apr 2003 16:29:51 -0000	1.172
+++ etc/defaults/rc.conf	21 Apr 2003 23:48:01 -0000
_at__at_ -426,11 +426,32 _at__at_
 harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+devfs_jail_ruleset_enable="NO"	# Enable Standard Jail devfs ruleset in rc.d/devfs
+devfs_jail_ruleset_num="666"	# Standard Jail ruleset number
+				# (change if it conflicts with your devfs rulesets)
+
 jail_enable="NO"	# Set to NO to disable starting of any jails
 jail_list=""		# Space separated list of names of jails
 jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
 jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
+jail_sysvipc_allow="NO"	# Allow SystemV IPC use from within a jail
+jail_default_ruleset="666" # Default jail devfs ruleset to apply
+
+# create an entry for each jail named in jail_list, with these variables
+#
+#jail_example_rootdir="/usr/jail/default"	# Jails root directory         
+#jail_example_hostname="default.domain.com"	# Jails hostname
+#jail_example_ip="192.168.0.10"			# Jails IP number
+#jail_example_exec="/bin/sh /etc/rc"		# command to execute in jail
+#jail_example_devfs="NO"			# mount devfs in jail
+#jail_example_devfs_ruleset="666"		# devfs ruleset to apply to jail 
+#jail_example_procfs="NO"			# mount procfs in jail
+#
+# NOTE: replace 'example' with the jail's name from jail_list
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: etc/rc.d/devfs
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/devfs,v
retrieving revision 1.2
diff -u -r1.2 devfs
--- etc/rc.d/devfs	15 Dec 2002 21:56:53 -0000	1.2
+++ etc/rc.d/devfs	21 Apr 2003 23:48:42 -0000
_at__at_ -13,6 +13,24 _at__at_
 
 load_rc_config $name
 
+# Standard Jail ruleset
+if checkyesno devfs_jail_ruleset_enable ; then
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} delset
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 100 hide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 200 path ptyp* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 300 path ttyp* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 400 path null unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 500 path zero unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 600 path random unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 610 path urandom unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 700 path fd unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 800 path fd/* unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 810 path mdctl unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 900 path stdin unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 910 path stdout unhide
+	/sbin/devfs rule -s ${devfs_jail_ruleset_num} add 920 path stderr unhide
+fi
+
 # Setup DEVFS, ie permissions, links etc.
 #
 if [ -r /etc/rc.devfs ]; then
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.3
diff -u -r1.3 jail
--- etc/rc.d/jail	19 Apr 2003 07:50:32 -0000	1.3
+++ etc/rc.d/jail	21 Apr 2003 23:50:22 -0000
_at__at_ -4,8 +4,8 _at__at_
 #
 
 # PROVIDE: jail
-# REQUIRE: LOGIN
-# KEYWORD: FreeBSD
+# REQUIRE: LOGIN devfs
+# KEYWORD: FreeBSD shutdown
 
 . /etc/rc.subr
 
_at__at_ -14,6 +14,15 _at__at_
 start_cmd="jail_start"
 stop_cmd="jail_stop"
 
+create_dev_links()
+{
+        local devdir=$1
+        local source=$2
+        local target=$3
+
+	(cd ${devdir} && ln -sf ${source} ${target})
+}
+
 jail_start()
 {
 	echo -n 'Configuring jails:'
_at__at_ -49,11 +58,54 _at__at_
 	for _jail in ${jail_list} 
 	do
 		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+
 		eval jail_hostname=\"\$jail_${_jail}_hostname\"
 		eval jail_ip=\"\$jail_${_jail}_ip\"
 		eval jail_exec=\"\$jail_${_jail}_exec\"
 		[ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-		
+
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+
+		eval jail_ruleset=\"\$jail_${_jail}_devfs_ruleset\"
+		[ -z ${jail_ruleset} ] && jail_ruleset="${jail_default_ruleset}"
+
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				mount -t devfs dev ${jail_devdir}
+
+				if [ -n "${jail_ruleset}" ]; then
+					# Apply devfs ruleset
+					devfs -m ${jail_devdir} ruleset ${jail_ruleset}
+
+					# for libkvm (ab)users
+					create_dev_links ${jail_devdir} null mem
+					create_dev_links ${jail_devdir} null kmem
+
+					# create_dev_links ${jail_devdir} null console
+				fi
+
+				# Transitional symlink for old binaries
+				if [ ! -L ${jail_devdir}/log ]; then
+					create_dev_links ${jail_devdir} ../var/run/log log
+				fi
+
+				# Jail console output
+				create_dev_links ${jail_devdir} ../var/log/console console
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				mount -t procfs proc ${jail_procdir}
+			fi
+		fi
+
 		jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
 	done
 }
_at__at_ -61,6 +113,28 _at__at_
 jail_stop()
 {
 	kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	for _jail in ${jail_list}
+	do
+		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				umount -f ${jail_devdir} >/dev/null 2>&1
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				umount -f ${jail_procdir} >/dev/null 2>&1
+			fi
+		fi
+	done
 }
 
 
Index: share/man/man5/rc.conf.5
===================================================================
RCS file: /home/ncvs/src/share/man/man5/rc.conf.5,v
retrieving revision 1.182
diff -u -r1.182 rc.conf.5
--- share/man/man5/rc.conf.5	16 Apr 2003 16:29:51 -0000	1.182
+++ share/man/man5/rc.conf.5	21 Apr 2003 23:44:24 -0000
_at__at_ -2398,11 +2398,25 _at__at_
 jail_vjail_ip="192.168.1.100"
 jail_vjail_rootdir="/var/jails/vjail/root"
 jail_vjail_exec="/bin/sh /etc/rc"
+jail_vjail_devfs="YES"
+jail_vjail_devfs_ruleset="666"
+jail_vjail_procfs="NO"
 .Ed
 .Pp
-The last one is optional. It defaults to
+The last four are optional. jail_<jailname>_exec defaults to
 .Pa /etc/rc
 if it is not set.
+jail_<jailname>_devfs and jail_<jailname>_procfs default to NO.
+This results in the devfs/procfs to not be mounted on the jail.
+jail_<jailname>_devfs_ruleset defaults to using devfs ruleset 666.
+.It Va jail_default_ruleset
+.Pq Vt int
+The default ruleset to apply to a jail that has devfs enabled, but
+no jail_<jailname>_devfs_ruleset defined. By default it is set to
+666.  A Standard Jail rule set is provided in rc.d/devfs to enable
+it set devfs_jail_ruleset_enable to YES.  If this ruleset conflicts
+with your rulesets change devfs_jail_ruleset_num from 666 to another
+value.
 .It Va jail_set_hostname_allow
 .Pq Vt bool
 If set to NO,
Received on Mon Apr 21 2003 - 16:20:38 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:04 UTC