From nobody Wed Jun 07 00:21:53 2023
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QbShK5cVWz4ZVMm;
	Wed,  7 Jun 2023 00:21:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4QbShK5BLKz3wRm;
	Wed,  7 Jun 2023 00:21:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1686097313;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1vlG5cY3bfP0KpXo/vGJOToM7eZKNYya4VZyqyhD5Gc=;
	b=Qpa4/To5oXmlFl0spyK8sN/857QWL762jnQWwlw37OTDeaE0Uf6tehrQ7UQhSfqkPDKKPt
	kOzX7y/rcGm2yOOMGCwbINtTKOb+4eBlLm2kOhxcDbUbngXEyRFUkEJRtWn0ZRIcQS+3sZ
	NWxsYqGSbczDBShan74bfZJhG+uLoIpuhbWBpwN5umFvXbrowEUaVPLD207PyB+6ZydLYU
	Km1e7/QzwRw/r5sLmQt3rir2jIy2vmAkJv1tBVdB0R4nHyaT7UKfDJhxdYGcBguqO/HB1y
	zlaQI1FVOihVJ5OLrpEt9tqkOeAeG3elcoMFECHaGL4awGBT3iePMGpu/UXkbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1686097313;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=1vlG5cY3bfP0KpXo/vGJOToM7eZKNYya4VZyqyhD5Gc=;
	b=EPBiGk7o1Csiv51K6qOSrSRgY8tIRIRkVPWJKJCtcE1n0e67etaAoibR6gZy8CfzExLxab
	HtozUquZXXWyYN6c62vyW6Q07MMx5YEbmm/yc5LNtSLwq8RH+fIsEhE5+G1jlUaVLPP5Vv
	vwozsdBUUXHzwlhaVol235ISNbDohrE7ihssCAN6DqPuNcJPC71sSljFjIsP0PTH6nyK86
	XKOfNMS/9CcPcZDYXJcUVPDoH9rao0s/D0xsJDS4kR4RryJ88kPSuabElmw54LeNXFGebW
	6z4Ww5qeayu8+N386hatlIvjIXyLCXUHroGlU34xOHKPkXOLCi9ZzZ3Y3YU4vA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1686097313; a=rsa-sha256; cv=none;
	b=DJF4IoCrIVumEd87jPjPYjrD1rVezHmFwjo4DTO07wjMGloyIkqcImNT8eg3w9O0WuJMRA
	ZSENWidrBQCNb+nAgR1MjgSfYcXlxyy9GG9Lc60mXOfn2lcicZ4izTSd6MiHTCC1AzFeip
	Vv84HaikYrwtxS5Aq+j5SB0O3/TQ/Tg+dPIKVCJfSZqNquEpR40dCfbcV7aA6TdDStc+aN
	4GlGG6iwJxmkf5Yu7At5lcKdO7lxCQ/1bU0v5C8+CVdjFy2/4k0zkrVOWSaMvqQEeecpAE
	eQIblB6bG738zx6TrsX2WryloFL0/CofJieEfWmcz6lcruwFAXXvS4Dv6foz9g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QbShK4F50zrB9;
	Wed,  7 Jun 2023 00:21:53 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 3570Lrca089001;
	Wed, 7 Jun 2023 00:21:53 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 3570LrQB089000;
	Wed, 7 Jun 2023 00:21:53 GMT
	(envelope-from git)
Date: Wed, 7 Jun 2023 00:21:53 GMT
Message-Id: <202306070021.3570LrQB089000@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Jamie Gritton <jamie@FreeBSD.org>
Subject: git: e82a62943529 - main - jail: add ".include" directive to jail.conf
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jamie
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e82a62943529d1a7c1fcec39aec13eba69c671d6
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by jamie:

URL: https://cgit.FreeBSD.org/src/commit/?id=e82a62943529d1a7c1fcec39aec13eba69c671d6

commit e82a62943529d1a7c1fcec39aec13eba69c671d6
Author:     Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2023-06-07 00:19:12 +0000
Commit:     Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2023-06-07 00:19:12 +0000

    jail: add ".include" directive to jail.conf
    
    Jail config files can now include literal filenames and file globs.
    They can not (yet) include files based on variables/parameters.
---
 usr.sbin/jail/config.c    | 86 ++++++++++++++++++++++++++++++++++++-----------
 usr.sbin/jail/jail.conf.5 | 17 +++++++++-
 usr.sbin/jail/jailp.h     | 27 ++++++++++-----
 usr.sbin/jail/jailparse.y | 47 ++++++++++++++++++++------
 4 files changed, 137 insertions(+), 40 deletions(-)

diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c
index 52e1cbf05c28..35f40c123042 100644
--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -38,6 +38,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in.h>
 
 #include <err.h>
+#include <glob.h>
 #include <netdb.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -46,6 +47,8 @@ __FBSDID("$FreeBSD$");
 
 #include "jailp.h"
 
+#define MAX_INCLUDE_DEPTH 32
+
 struct ipspec {
 	const char	*name;
 	unsigned	flags;
@@ -58,8 +61,8 @@ extern int yyset_in(FILE *fp, void *scanner);
 
 struct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails);
 
+static void parse_config(const char *fname, int is_stdin);
 static void free_param(struct cfparams *pp, struct cfparam *p);
-static void free_param_strings(struct cfparam *p);
 
 static const struct ipspec intparams[] = {
     [IP_ALLOW_DYING] =		{"allow.dying",		PF_INTERNAL | PF_BOOL},
@@ -135,26 +138,10 @@ load_config(const char *cfname)
 	struct cfparam *p, *vp, *tp;
 	struct cfstring *s, *vs, *ns;
 	struct cfvar *v, *vv;
-	struct cflex cflex;
 	char *ep;
-	void *scanner;
 	int did_self, jseq, pgen;
 
-	cflex.cfname = cfname;
-	cflex.error = 0;
-	yylex_init_extra(&cflex, &scanner);
-	if (!strcmp(cfname, "-")) {
-		cflex.cfname = "STDIN";
-		yyset_in(stdin, scanner);
-	} else {
-		FILE *yfp = fopen(cfname, "r");
-		if (!yfp)
-			err(1, "%s", cfname);
-		yyset_in(yfp, scanner);
-	}
-	if (yyparse(scanner) || cflex.error)
-		exit(1);
-	yylex_destroy(scanner);
+	parse_config(cfname, !strcmp(cfname, "-"));
 
 	/* Separate the wildcard jails out from the actual jails. */
 	jseq = 0;
@@ -281,6 +268,67 @@ load_config(const char *cfname)
 	}
 }
 
+void
+include_config(void *scanner, const char *cfname)
+{
+	static unsigned int depth;
+	glob_t g = {0};
+	const char *slash;
+	char *fullpath = NULL;
+
+	/* Simple sanity check for include loops. */
+	if (++depth > MAX_INCLUDE_DEPTH)
+		errx(1, "maximum include depth exceeded");
+	/* Base relative pathnames on the current config file. */
+	if (yyget_in(scanner) != stdin && cfname[0] != '/') {
+		const char *outer_cfname = yyget_extra(scanner)->cfname;
+		if ((slash = strrchr(outer_cfname, '/')) != NULL) {
+			size_t dirlen = (slash - outer_cfname) + 1;
+
+			fullpath = emalloc(dirlen + strlen(cfname) + 1);
+			strncpy(fullpath, outer_cfname, dirlen);
+			strcpy(fullpath + dirlen, cfname);
+			cfname = fullpath;
+		}
+	}
+	/*
+	 * Check if the include statement had a filename glob.
+	 * Globbing doesn't need to catch any files, but a non-glob
+	 * file needs to exist (enforced by parse_config).
+	 */
+	if (glob(cfname, GLOB_NOCHECK, NULL, &g) != 0)
+		errx(1, "%s: filename glob failed", cfname);
+	if (g.gl_flags & GLOB_MAGCHAR) {
+		for (size_t gi = 0; gi < g.gl_matchc; gi++)
+			parse_config(g.gl_pathv[gi], 0);
+	} else
+		parse_config(cfname, 0);
+	if (fullpath)
+		free(fullpath);
+	--depth;
+}
+
+static void
+parse_config(const char *cfname, int is_stdin)
+{
+	struct cflex cflex = {.cfname = cfname, .error = 0};
+	void *scanner;
+
+	yylex_init_extra(&cflex, &scanner);
+	if (is_stdin) {
+		cflex.cfname = "STDIN";
+		yyset_in(stdin, scanner);
+	} else {
+		FILE *yfp = fopen(cfname, "r");
+		if (!yfp)
+			err(1, "%s", cfname);
+		yyset_in(yfp, scanner);
+	}
+	if (yyparse(scanner) || cflex.error)
+		exit(1);
+	yylex_destroy(scanner);
+}
+
 /*
  * Create a new jail record.
  */
@@ -843,7 +891,7 @@ free_param(struct cfparams *pp, struct cfparam *p)
 	free(p);
 }
 
-static void
+void
 free_param_strings(struct cfparam *p)
 {
 	struct cfstring *s;
diff --git a/usr.sbin/jail/jail.conf.5 b/usr.sbin/jail/jail.conf.5
index 67277e6d78ce..a6990c081a3b 100644
--- a/usr.sbin/jail/jail.conf.5
+++ b/usr.sbin/jail/jail.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 8, 2022
+.Dd Jun 3, 2023
 .Dt JAIL.CONF 5
 .Os
 .Sh NAME
@@ -163,6 +163,14 @@ would apply to jails with names like
 .Dq foo.bar
 and
 .Dq foo.bar.baz .
+.Ss Includes
+A line of the form
+.Bd -literal -offset ident
+.include "filename";
+.Ed
+.Pp
+will include another file in the configuration.  The filename must be
+a literal string, and cannot contain variable expansions.
 .Ss Comments
 The configuration file may contain comments in the common C, C++, and
 shell formats:
@@ -212,6 +220,13 @@ bar {
 	mount.nodevfs;
 	persist;	// Required because there are no processes
 }
+
+# Include configurations from standard locations.
+\[char46]include "/etc/jail.conf.d/*.conf";
+\[char46]include "/etc/jail.*.conf";
+\[char46]include "/usr/local/etc/jail[.]conf";
+\[char46]include "/usr/local/etc/jail.conf.d/*.conf";
+\[char46]include "/usr/local/etc/jail.*.conf";
 .Ed
 .Sh SEE ALSO
 .Xr jail_set 2 ,
diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h
index 6ea4e3ec09a3..cd97063507c8 100644
--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -35,6 +35,7 @@
 #include <sys/time.h>
 
 #include <jail.h>
+#include <stdio.h>
 
 #define CONF_FILE	"/etc/jail.conf"
 
@@ -45,15 +46,16 @@
 #define DF_LIGHT	0x02	/* Implied dependency on jail existence only */
 #define DF_NOFAIL	0x04	/* Don't propagate failed jails */
 
-#define PF_VAR		0x01	/* This is a variable, not a true parameter */
-#define PF_APPEND	0x02	/* Append to existing parameter list */
-#define PF_BAD		0x04	/* Unable to resolve parameter value */
-#define PF_INTERNAL	0x08	/* Internal parameter, not passed to kernel */
-#define PF_BOOL		0x10	/* Boolean parameter */
-#define PF_INT		0x20	/* Integer parameter */
-#define PF_CONV		0x40	/* Parameter duplicated in converted form */
-#define PF_REV		0x80	/* Run commands in reverse order on stopping */
-#define	PF_IMMUTABLE	0x100	/* Immutable parameter */
+#define PF_VAR		0x0001	/* This is a variable, not a true parameter */
+#define PF_APPEND	0x0002	/* Append to existing parameter list */
+#define PF_BAD		0x0004	/* Unable to resolve parameter value */
+#define PF_INTERNAL	0x0008	/* Internal parameter, not passed to kernel */
+#define PF_BOOL		0x0010	/* Boolean parameter */
+#define PF_INT		0x0020	/* Integer parameter */
+#define PF_CONV		0x0040	/* Parameter duplicated in converted form */
+#define PF_REV		0x0080	/* Run commands in reverse order on stopping */
+#define	PF_IMMUTABLE	0x0100	/* Immutable parameter */
+#define	PF_NAMEVAL	0x0200	/* Parameter is in "name value" form */
 
 #define JF_START	0x0001	/* -c */
 #define JF_SET		0x0002	/* -m */
@@ -215,6 +217,7 @@ extern int finish_command(struct cfjail *j);
 extern struct cfjail *next_proc(int nonblock);
 
 extern void load_config(const char *cfname);
+extern void include_config(void *scanner, const char *cfname);
 extern struct cfjail *add_jail(void);
 extern void add_param(struct cfjail *j, const struct cfparam *p,
     enum intparam ipnum, const char *value);
@@ -226,6 +229,7 @@ extern int import_params(struct cfjail *j);
 extern int equalopts(const char *opt1, const char *opt2);
 extern int wild_jail_name(const char *wname);
 extern int wild_jail_match(const char *jname, const char *wname);
+extern void free_param_strings(struct cfparam *p);
 
 extern void dep_setup(int docf);
 extern int dep_check(struct cfjail *j);
@@ -237,6 +241,11 @@ extern int start_state(const char *target, int docf, unsigned state,
 extern void requeue(struct cfjail *j, struct cfjails *queue);
 extern void requeue_head(struct cfjail *j, struct cfjails *queue);
 
+extern struct cflex *yyget_extra(void *scanner);
+extern FILE *yyget_in(void *scanner);
+extern int yyget_lineno(void *scanner);
+extern char *yyget_text(void *scanner);
+
 extern struct cfjails cfjails;
 extern struct cfjails ready;
 extern struct cfjails depend;
diff --git a/usr.sbin/jail/jailparse.y b/usr.sbin/jail/jailparse.y
index ccc311a76223..e4f2310c7fb4 100644
--- a/usr.sbin/jail/jailparse.y
+++ b/usr.sbin/jail/jailparse.y
@@ -73,16 +73,18 @@ conf	:
 	| conf jail
 	| conf param ';'
 	{
-		struct cfjail *j = current_jail;
+		if (!special_param($2, scanner)) {
+			struct cfjail *j = current_jail;
 
-		if (j == NULL) {
-			if (global_jail == NULL) {
-				global_jail = add_jail();
-				global_jail->name = estrdup("*");
+			if (j == NULL) {
+				if (global_jail == NULL) {
+					global_jail = add_jail();
+					global_jail->name = estrdup("*");
+				}
+				j = global_jail;
 			}
-			j = global_jail;
+			TAILQ_INSERT_TAIL(&j->params, $2, tq);
 		}
-		TAILQ_INSERT_TAIL(&j->params, $2, tq);
 	}
 	| conf ';'
 	;
@@ -141,6 +143,7 @@ param	: name
 	{
 		$$ = $1;
 		TAILQ_CONCAT(&$$->val, $2, tq);
+		$$->flags |= PF_NAMEVAL;
 		free($2);
 	}
 	| error
@@ -230,10 +233,6 @@ string	: STR
 
 extern int YYLEX_DECL();
 
-extern struct cflex *yyget_extra(void *scanner);
-extern int yyget_lineno(void *scanner);
-extern char *yyget_text(void *scanner);
-
 static void
 YYERROR_DECL()
 {
@@ -248,3 +247,29 @@ YYERROR_DECL()
 		    yyget_extra(scanner)->cfname, yyget_lineno(scanner),
 		    yyget_text(scanner), s);
 }
+
+/* Handle special parameters (i.e. the include directive).
+ * Return true if the parameter was specially handled.
+ */
+static int
+special_param(struct cfparam *p, void *scanner)
+{
+	if ((p->flags & (PF_VAR | PF_APPEND | PF_NAMEVAL)) != PF_NAMEVAL
+	    || strcmp(p->name, ".include"))
+		return 0;
+	struct cfstring *s;
+	TAILQ_FOREACH(s, &p->val, tq) {
+		if (STAILQ_EMPTY(&s->vars))
+			include_config(scanner, s->s);
+		else {
+			warnx("%s line %d: "
+			    "variables not permitted in '.include' filename",
+			    yyget_extra(scanner)->cfname,
+			    yyget_lineno(scanner));
+			yyget_extra(scanner)->error = 1;
+		}
+	}
+	free_param_strings(p);
+	free(p);
+	return 1;
+}