From nobody Wed Jan 17 07:41:00 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TFHqc3GB2z57DXL; Wed, 17 Jan 2024 07:41:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4TFHqc2j8vz4FnL; Wed, 17 Jan 2024 07:41:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1705477260; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=66iXIp0XsnfZerICy0Mm+KPzu0J/NKi/BNCA1gXmE5M=; b=MqpHxXIbZkkC+toHXCpbK3U4E4Vr/FGSVVy7MudpybtHFMROIkWTFDxFzUqNR1SEOnfwf7 M+5cWGEgj1vCBJmszEyMOlj/uvZ469a446w2XtfafIechsFeaZ9YHfyYZGJLc9GMq3qnmG ICCUMa+/xhWS3gzMHgan1pVyRRdGNsA2pkdA4XbXYtN3zYqEIpO6lKYJRS1kkAj1PR+tQi XMLrCLFzgydS2pnpaCQuSzQkB0I0KYPF5gSdno0H6lQM/GHBc/K+e65gfPLuDUAvUPgi/A ezdlIhHclI4l8lVHEH02636TYoRxQauvwCf8q379maqh7gxzjM2FFuJk7xM2uA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1705477260; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=66iXIp0XsnfZerICy0Mm+KPzu0J/NKi/BNCA1gXmE5M=; b=ZEZM6DHNEEgWjADwqLYqoTxWyzT2E1SkWIFYy6RtL/Zpx+dywSGRYNme/hXMqUf38NK2m+ gTnPGENiqE3vBvDScKWCTGsbo6eTe7sY0hUECgU5PRCxMcy3ppMV68BNMKnMvKXbJmOW94 9mGldWMe69xP4L7GIcr/9kwFHX1ep+lH6UKho6JcECRQmBMsCTM7mmJxVdehYddJAepLPw nKahOlZSTB9Kffn1ZkFgbSuo0WbUZ0f6u3SKAI08z6ws+MGCIWpOHoWHTTpA9ll4XiL81s TMsbgdQhhSBQHkdya8yDhMy61CXdsE/Tg1N/IOKHHKhZ2w1Tr93WPyZYHCaXdA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1705477260; a=rsa-sha256; cv=none; b=lvg0bUUZwBmQdIhhHGSIGG1dULiK/n2ZC9h0eDxPcjmdmjUPeYE0Fc4RdSCkn3yezgjamj gKyXWIJNm0Xb59VcEFlVsSvodKjoPcNBPJivYn19oOObzDhpeA8H+BMoM95/vbx9CGXGh8 x3EsLdYKMVVEzsfD/KlYPscihDGdAoQqu8mDOxlpL4v6mAYNZRaLSmg+ah3hwFbNEkitxJ qRxVvWpu6Hs++4ghWI2WP76+djv8UKnmiZ/fBTYG2IilQ4P5MiFSuEYoazckObr04mVEKQ T755EXAlfg3vD9ExajYdXeBM7xXNCehbGztOQjfzHoLWG2ENr8Qxddc6e4UdGQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4TFHqc1TK0zFKp; Wed, 17 Jan 2024 07:41:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 40H7f0A4079939; Wed, 17 Jan 2024 07:41:00 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 40H7f0Oj079936; Wed, 17 Jan 2024 07:41:00 GMT (envelope-from git) Date: Wed, 17 Jan 2024 07:41:00 GMT Message-Id: <202401170741.40H7f0Oj079936@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Alexander Leidinger Subject: git: e0dfe185cbca - main - jail(8): add support for ZFS datasets List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: netchild X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e0dfe185cbcae48b4c4493ed4c2626c46181eb80 Auto-Submitted: auto-generated The branch main has been updated by netchild: URL: https://cgit.FreeBSD.org/src/commit/?id=e0dfe185cbcae48b4c4493ed4c2626c46181eb80 commit e0dfe185cbcae48b4c4493ed4c2626c46181eb80 Author: Alexander Leidinger AuthorDate: 2024-01-17 07:40:40 +0000 Commit: Alexander Leidinger CommitDate: 2024-01-17 07:40:40 +0000 jail(8): add support for ZFS datasets Add zfs.dataset to jail(8) to add a list of ZFS datasets. Bump FreeBSD version for jail managers to switch to native dataset support. Datasets are attached to the jail after the jail creation and before the execution of any start command. Unlike current implementations in jail managers which attach datasets after the start command, this allows the zfs rc.d script to mount the datasets on start. Discussed with: jamie --- sys/sys/param.h | 2 +- usr.sbin/jail/command.c | 29 +++++++++++++++++++++++++++-- usr.sbin/jail/config.c | 1 + usr.sbin/jail/jail.8 | 12 +++++++++++- usr.sbin/jail/jail.c | 1 + usr.sbin/jail/jailp.h | 1 + 6 files changed, 42 insertions(+), 4 deletions(-) diff --git a/sys/sys/param.h b/sys/sys/param.h index f912d193bc4a..b5a5398497e0 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -73,7 +73,7 @@ * cannot include sys/param.h and should only be updated here. */ #undef __FreeBSD_version -#define __FreeBSD_version 1500010 +#define __FreeBSD_version 1500011 /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c index 8ffcca8039ac..60893444e9de 100644 --- a/usr.sbin/jail/command.c +++ b/usr.sbin/jail/command.c @@ -291,9 +291,9 @@ run_command(struct cfjail *j) login_cap_t *lcap; const char **argv; char *acs, *cs, *comcs, *devpath; - const char *jidstr, *conslog, *path, *ruleset, *term, *username; + const char *jidstr, *conslog, *fmt, *path, *ruleset, *term, *username; enum intparam comparam; - size_t comlen; + size_t comlen, ret; pid_t pid; cpusetid_t setid; int argc, bg, clean, consfd, down, fib, i, injail, sjuser, timeout; @@ -590,6 +590,31 @@ run_command(struct cfjail *j) } break; + case IP_ZFS_DATASET: + argv = alloca(4 * sizeof(char *)); + jidstr = string_param(j->intparams[KP_JID]) ? + string_param(j->intparams[KP_JID]) : + string_param(j->intparams[KP_NAME]); + fmt = "if [ $(/sbin/zfs get -H -o value jailed %s) = on ]; then /sbin/zfs jail %s %s || echo error, attaching %s to jail %s failed; else echo error, you need to set jailed=on for dataset %s; fi"; + comlen = strlen(fmt) + + 2 * strlen(jidstr) + + 4 * comstring->len + - 6 * 2 /* 6 * "%s" */ + + 1; + comcs = alloca(comlen); + ret = snprintf(comcs, comlen, fmt, comstring->s, + jidstr, comstring->s, comstring->s, jidstr, + comstring->s); + if (ret >= comlen) { + jail_warnx(j, "internal error in ZFS dataset handling"); + exit(1); + } + argv[0] = _PATH_BSHELL; + argv[1] = "-c"; + argv[2] = comcs; + argv[3] = NULL; + break; + case IP_COMMAND: if (j->name != NULL) goto default_command; diff --git a/usr.sbin/jail/config.c b/usr.sbin/jail/config.c index 63adc9652145..3af0088626c9 100644 --- a/usr.sbin/jail/config.c +++ b/usr.sbin/jail/config.c @@ -93,6 +93,7 @@ static const struct ipspec intparams[] = { [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL}, [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT}, [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL}, + [IP_ZFS_DATASET] = {"zfs.dataset", PF_INTERNAL}, #ifdef INET [IP__IP4_IFADDR] = {"ip4.addr", PF_INTERNAL | PF_CONV | PF_REV}, #endif diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 1f745caa5e7c..e49c3fe95e7f 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd November 29, 2023 +.Dd January 17, 2024 .Dt JAIL 8 .Os .Sh NAME @@ -918,6 +918,15 @@ may also be specified, in the form .It Va vnet.interface A network interface to give to a vnet-enabled jail after is it created. The interface will automatically be released when the jail is removed. +.It Va zfs.dataset +A list of ZFS datasets to be attached to the jail. +This requires +.Va allow.mount.zfs +to be set. +See +.Xr zfs-jail 8 +for information on how to configure a ZFS dataset to be operated from +within a jail. .It Va ip_hostname Resolve the .Va host.hostname @@ -1431,6 +1440,7 @@ environment of the first jail. .Xr sysctl 8 , .Xr syslogd 8 , .Xr umount 8 , +.Xr zfs-jail 8 , .Xr extattr 9 .Sh HISTORY The diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index f65c51fc6de6..9f8267dc1bde 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -98,6 +98,7 @@ static const enum intparam startcommands[] = { IP_EXEC_PRESTART, IP__OP, IP_EXEC_CREATED, + IP_ZFS_DATASET, IP_VNET_INTERFACE, IP_EXEC_START, IP_COMMAND, diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h index c064da09d7a5..74ef2a8acab8 100644 --- a/usr.sbin/jail/jailp.h +++ b/usr.sbin/jail/jailp.h @@ -107,6 +107,7 @@ enum intparam { IP_MOUNT_FSTAB, /* A standard fstab(5) file */ IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */ IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */ + IP_ZFS_DATASET, /* Jail ZFS datasets */ #ifdef INET IP__IP4_IFADDR, /* Copy of ip4.addr with interface/netmask */ #endif