Date: Fri, 14 Jun 2024 18:15:51 GMT
Message-Id: <202406141815.45EIFpT0070455@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Alexander Leidinger
Subject: git: 2d08f6b577e9 - main - rc.subr: add some sanity checks for service jails

The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=2d08f6b577e9d58848cd7734dc979e60fe6f0165

commit 2d08f6b577e9d58848cd7734dc979e60fe6f0165
Author:     Alexander Leidinger
AuthorDate: 2024-06-14 18:10:07 +0000
Commit:     Alexander Leidinger
CommitDate: 2024-06-14 18:15:46 +0000

    rc.subr: add some sanity checks for service jails

    Add some sanity checks when service jails are used in jails:
     - children.max > 0
     - children.max - children.cur > 0

    The nesting is too deep at those places to have a sane formatting, so
    no line wrapping at the usual column. If someone has a better idea how
    to format this: feel free to go ahead.
---
 libexec/rc/rc.subr | 39 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 5 deletions(-)

diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index f9d8bf9a3cc3..e540d8f7d207 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr 
@@ -1332,11 +1332,28 @@ run_rc_command() start) if [ "${_rc_svcj}" != jailing ]; then _return=1 - $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \ - exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \ - exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \ - exec.consolelog="/var/log/svcj_${name}_console.log" \ - name=svcj-${name} && _return=0 + _do_jailing=1 + + if check_jail jailed; then + if [ $(${SYSCTL_N} security.jail.children.max) -eq 0 ]; then + echo ERROR: jail parameter children.max is set to 0, can not create a new service jail. + _do_jailing=0 + else + _free_jails=$(($(${SYSCTL_N} security.jail.children.max) - $(${SYSCTL_N} security.jail.children.cur))) + if [ ${_free_jails} -eq 0 ]; then + echo ERROR: max number of jail children reached, can not create a new service jail. + _do_jailing=0 + + fi + fi + fi + if [ ${_do_jailing} -eq 1 ]; then + $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \ + exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \ + exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \ + exec.consolelog="/var/log/svcj_${name}_console.log" \ + name=svcj-${name} && _return=0 + fi else _run_rc_doit "$_cpusetcmd $_cmd $rc_extra_args" || _return=1 fi 
@@ -1432,6 +1449,18 @@ run_rc_command() if checkyesno ${name}_svcj; then if [ "${_rc_svcj}" != jailing ]; then + if check_jail jailed; then + if [ $(${SYSCTL_N} security.jail.children.max) -eq 0 ]; then + echo ERROR: jail parameter children.max is set to 0, can not create a new service jail. + return 1 + else + _free_jails=$(($(${SYSCTL_N} security.jail.children.max) - $(${SYSCTL_N} security.jail.children.cur))) + if [ ${_free_jails} -eq 0 ]; then + echo ERROR: max number of jail children reached, can not create a new service jail. + return 1 + fi + fi + fi $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\ exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \ exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
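Review bot: In the first hunk (@@ -1332,11 +1332,28 @@, the start case), the free-slot test `[ ${_free_jails} -eq 0 ]` rejects only an exact zero, while the commit message states the condition as children.max - children.cur > 0; testing `-le 0` would match the stated condition and also refuse when the difference is negative. The `$(${SYSCTL_N} security.jail.children.max)` substitutions are unquoted and the value is read twice, so an empty result from sysctl becomes a test or arithmetic syntax error instead of a clean refusal; reading each value once into a variable, quoting it, and checking that it is non-empty would make that failure path explicit. The added empty line before the inner `fi` can be dropped.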
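Review bot: The check added at the top of the second hunk (@@ -1432,6 +1449,18 @@) is a copy of the one in the start case, differing only in `return 1` versus `_do_jailing=0`; moving it into one helper function that returns non-zero when no child jail can be created would keep both call sites in sync and remove the nesting the commit message mentions. Both ERROR messages are written with plain `echo` to stdout; sending them to stderr with `>&2` keeps them out of captured command output. The limit is read before `$JAIL_CMD -c` runs, so the check is advisory and the exit status of `$JAIL_CMD -c` remains the authoritative result.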