From nobody Wed May 22 13:41:55 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Vkssv6cQQz5Ll5J; Wed, 22 May 2024 13:41:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Vkssv5sKGz47fS; Wed, 22 May 2024 13:41:55 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1716385315; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=M+GPHMbkMd3vBWehwdMR6e/1HrISrHyOqD8zsNvnq1k=; b=B8pA/H5VGdkHU6N54GySTunO0BEXCwDN+22BX+MvZeyMPwWMbliP4vjvpXBstLBqjK4UTh UyojLU03HU2nuxD+JjMD4/YN0GHeMt3556JSQd73np+pRqQJ0ck2G5SvZpHQaliBfLcg8F 429EsP5RQghaARFsgRvV03nyusn4YgM0KBrjm8xMc51FcmYAkz4DXmo7Z2+qzUMjlxDlAY SChV58jYiYe8pwCsK5lazi7U5X0SYKerA84u2WMPE0CPgzjqhMro15B4Wp7DOsh8V0WENQ YEj0247YEoQAUGnH5HeLbHUi5MUYnd9ar+rtzw3tykZU1YP+zxAJ4JDTd/X5IQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1716385315; a=rsa-sha256; cv=none; b=Z1wULB74jYW4DyASFPoSef041avlijp/xYNgUOBRZqsPnrJIERI36wh5/ljqIO6r18cv+y x0VZP67ep2oXjDbDqFGa6/nSPVczx6zem/+N3Q8aEi9Nb/XLgDCqdCKu5Y4UVQ65kYlkOq fkdE1sINJVff6SHgZMko6RwVesIFmXSOtoys6MebNoHI+XpvI8qaw2jJR5iVBXL8vY7XhV iHHQBcZSpgFOVeJOHjg7jTDpxfy9F4nMA6nWb6OW5vYbmdR/688sXbA+R9c1lffTjIdEed heUvCTGmc09afM7GQ71wNI3MGJyh8miqJFcRypriuX+cRj33tfHNXXhTqo2gGg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1716385315; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=M+GPHMbkMd3vBWehwdMR6e/1HrISrHyOqD8zsNvnq1k=; b=C6/MVXNwUIGQ9kAnzBF7kAYcTOKm53dxHBptLKZX7ol3MYNiMV+ADxaiq3PE15+Y9W6ewR JMmTO0uADlaG1CwREtyjkByGdlg4cXiOPp0FcfMRVLDLgHMpz934UG2nEyayjpkc4eMag6 iDiH717wL3vHqxhcv8UlV14EoZTAxTxH9gvXgHgywFwfuARqiGcxp9xU21h2gVIYfg7JPg apJQm6Ao8sfLaA6XTxes3GgLJ7HnMLzjPWAAoESgP9dLSfuJT1sq2InWteOGGk3e/9ZLsM V62z4OP6ZM5xc5a5Ttz4cJYMpxajywjQ0WPYEUPtPmh1QLgP0snRy5Z3t4Poig== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Vkssv5SMxz17D6; Wed, 22 May 2024 13:41:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 44MDfth6030809; Wed, 22 May 2024 13:41:55 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 44MDftxc030806; Wed, 22 May 2024 13:41:55 GMT (envelope-from git) Date: Wed, 22 May 2024 13:41:55 GMT Message-Id: <202405221341.44MDftxc030806@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Alexander Leidinger Subject: git: f99f0ee14e3a - main - rc.d: add a service jails config to all base system services List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: netchild X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: f99f0ee14e3af81c23150a6a340259ca8a33d01a Auto-Submitted: auto-generated The branch main has been updated by netchild: URL: https://cgit.FreeBSD.org/src/commit/?id=f99f0ee14e3af81c23150a6a340259ca8a33d01a commit f99f0ee14e3af81c23150a6a340259ca8a33d01a Author: Alexander Leidinger AuthorDate: 2024-05-22 13:31:47 +0000 Commit: Alexander Leidinger CommitDate: 2024-05-22 13:41:49 +0000 rc.d: add a service jails config to all base system services This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail. The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part. The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work. Only a subset of all of the services are fully tested (I'm running this since more than a year with various services started as service jails). The untested parts should be most of the time ok, in some edge-cases more permissions are needed inside the service jail. Differential Revision: https://reviews.freebsd.org/D40371 --- libexec/rc/rc.d/accounting | 4 ++++ libexec/rc/rc.d/adjkerntz | 4 ++++ libexec/rc/rc.d/apm | 4 ++++ libexec/rc/rc.d/apmd | 4 ++++ libexec/rc/rc.d/auditd | 4 ++++ libexec/rc/rc.d/auditdistd | 2 ++ libexec/rc/rc.d/automount | 4 ++++ libexec/rc/rc.d/automountd | 4 ++++ libexec/rc/rc.d/autounmountd | 4 ++++ libexec/rc/rc.d/bgfsck | 4 ++++ libexec/rc/rc.d/blacklistd | 3 +++ libexec/rc/rc.d/bluetooth | 3 +++ libexec/rc/rc.d/bootparams | 2 ++ libexec/rc/rc.d/bridge | 4 ++++ libexec/rc/rc.d/bsnmpd | 2 ++ libexec/rc/rc.d/bthidd | 3 +++ libexec/rc/rc.d/ccd | 4 ++++ libexec/rc/rc.d/cfumass | 4 ++++ libexec/rc/rc.d/cleanvar | 4 ++++ libexec/rc/rc.d/cleartmp | 4 ++++ libexec/rc/rc.d/cron | 5 +++++ libexec/rc/rc.d/ctld | 4 ++++ libexec/rc/rc.d/ddb | 3 +++ libexec/rc/rc.d/defaultroute | 4 ++++ libexec/rc/rc.d/devd | 4 ++++ libexec/rc/rc.d/devfs | 4 ++++ libexec/rc/rc.d/devmatch | 4 ++++ libexec/rc/rc.d/dhclient | 3 +++ libexec/rc/rc.d/dmesg | 4 ++++ libexec/rc/rc.d/dnctl | 3 +++ libexec/rc/rc.d/dumpon | 4 ++++ libexec/rc/rc.d/fsck | 4 ++++ libexec/rc/rc.d/ftp-proxy | 2 ++ libexec/rc/rc.d/ftpd | 10 ++++------ libexec/rc/rc.d/geli | 4 ++++ libexec/rc/rc.d/geli2 | 4 ++++ libexec/rc/rc.d/ggated | 3 +++ libexec/rc/rc.d/gptboot | 4 ++++ libexec/rc/rc.d/growfs | 4 ++++ libexec/rc/rc.d/growfs_fstab | 4 ++++ libexec/rc/rc.d/gssd | 2 ++ libexec/rc/rc.d/hastd | 4 ++++ libexec/rc/rc.d/hcsecd | 3 +++ libexec/rc/rc.d/hostapd | 4 ++++ libexec/rc/rc.d/hostid | 4 ++++ libexec/rc/rc.d/hostid_save | 4 ++++ libexec/rc/rc.d/hostname | 4 ++++ libexec/rc/rc.d/inetd | 2 ++ libexec/rc/rc.d/iovctl | 4 ++++ libexec/rc/rc.d/ip6addrctl | 4 ++++ libexec/rc/rc.d/ipfilter | 3 +++ libexec/rc/rc.d/ipfs | 4 ++++ libexec/rc/rc.d/ipfw | 3 +++ libexec/rc/rc.d/ipfw_netflow | 3 +++ libexec/rc/rc.d/ipmon | 3 +++ libexec/rc/rc.d/ipnat | 3 +++ libexec/rc/rc.d/ippool | 4 ++++ libexec/rc/rc.d/ipropd_master | 12 ++++++++---- libexec/rc/rc.d/ipropd_slave | 14 +++++++++----- libexec/rc/rc.d/ipsec | 4 ++++ libexec/rc/rc.d/iscsictl | 4 ++++ libexec/rc/rc.d/iscsid | 4 ++++ libexec/rc/rc.d/jail | 4 ++++ libexec/rc/rc.d/kadmind | 10 +++------- libexec/rc/rc.d/kdc | 1 + libexec/rc/rc.d/keyserv | 2 ++ libexec/rc/rc.d/kfd | 8 ++------ libexec/rc/rc.d/kld | 4 ++++ libexec/rc/rc.d/kldxref | 4 ++++ libexec/rc/rc.d/kpasswdd | 10 +++------- libexec/rc/rc.d/ldconfig | 4 ++++ libexec/rc/rc.d/linux | 4 ++++ libexec/rc/rc.d/local | 4 ++++ libexec/rc/rc.d/local_unbound | 1 + libexec/rc/rc.d/localpkg | 6 ++++++ libexec/rc/rc.d/lockd | 7 +++++-- libexec/rc/rc.d/lpd | 2 ++ libexec/rc/rc.d/mdconfig | 3 +++ libexec/rc/rc.d/mdconfig2 | 3 +++ libexec/rc/rc.d/mixer | 4 ++++ libexec/rc/rc.d/motd | 4 ++++ libexec/rc/rc.d/mountcritlocal | 4 ++++ libexec/rc/rc.d/mountcritremote | 4 ++++ libexec/rc/rc.d/mountd | 6 ++++++ libexec/rc/rc.d/mountlate | 4 ++++ libexec/rc/rc.d/moused | 5 +++++ libexec/rc/rc.d/msgs | 4 ++++ libexec/rc/rc.d/natd | 4 ++++ libexec/rc/rc.d/netif | 4 ++++ libexec/rc/rc.d/netoptions | 4 ++++ libexec/rc/rc.d/netwait | 4 ++++ libexec/rc/rc.d/newsyslog | 4 ++++ libexec/rc/rc.d/nfscbd | 2 ++ libexec/rc/rc.d/nfsclient | 4 ++++ libexec/rc/rc.d/nfsd | 4 ++++ libexec/rc/rc.d/nfsuserd | 4 ++++ libexec/rc/rc.d/nisdomain | 4 ++++ libexec/rc/rc.d/nscd | 3 +++ libexec/rc/rc.d/ntpd | 3 +++ libexec/rc/rc.d/ntpdate | 4 ++++ libexec/rc/rc.d/opensm | 2 ++ libexec/rc/rc.d/os-release | 4 ++++ libexec/rc/rc.d/pf | 3 +++ libexec/rc/rc.d/pflog | 6 ++++++ libexec/rc/rc.d/pfsync | 4 ++++ libexec/rc/rc.d/power_profile | 3 +++ libexec/rc/rc.d/powerd | 4 ++++ libexec/rc/rc.d/ppp | 4 ++++ libexec/rc/rc.d/pppoed | 4 ++++ libexec/rc/rc.d/pwcheck | 4 ++++ libexec/rc/rc.d/quota | 3 +++ libexec/rc/rc.d/random | 4 ++++ libexec/rc/rc.d/rarpd | 2 ++ libexec/rc/rc.d/rctl | 4 ++++ libexec/rc/rc.d/resolv | 4 ++++ libexec/rc/rc.d/rfcomm_pppd_server | 4 ++++ libexec/rc/rc.d/root | 4 ++++ libexec/rc/rc.d/route6d | 2 ++ libexec/rc/rc.d/routed | 2 ++ libexec/rc/rc.d/routing | 4 ++++ libexec/rc/rc.d/rpcbind | 2 ++ libexec/rc/rc.d/rtadvd | 5 +++++ libexec/rc/rc.d/rtsold | 2 ++ libexec/rc/rc.d/rwho | 2 ++ libexec/rc/rc.d/savecore | 4 ++++ libexec/rc/rc.d/sdpd | 3 +++ libexec/rc/rc.d/securelevel | 4 ++++ libexec/rc/rc.d/sendmail | 2 ++ libexec/rc/rc.d/sshd | 6 ++++++ libexec/rc/rc.d/statd | 7 +++++-- libexec/rc/rc.d/static_arp | 4 ++++ libexec/rc/rc.d/static_ndp | 4 ++++ libexec/rc/rc.d/stf | 4 ++++ libexec/rc/rc.d/swap | 4 ++++ libexec/rc/rc.d/swaplate | 4 ++++ libexec/rc/rc.d/syscons | 4 ++++ libexec/rc/rc.d/sysctl | 4 ++++ libexec/rc/rc.d/sysctl_lastload | 4 ++++ libexec/rc/rc.d/syslogd | 2 ++ libexec/rc/rc.d/sysvipc | 4 ++++ libexec/rc/rc.d/tlsclntd | 2 ++ libexec/rc/rc.d/tlsservd | 2 ++ libexec/rc/rc.d/tmp | 3 +++ libexec/rc/rc.d/ubthidhci | 4 ++++ libexec/rc/rc.d/ugidfw | 4 ++++ libexec/rc/rc.d/utx | 4 ++++ libexec/rc/rc.d/var | 3 +++ libexec/rc/rc.d/var_run | 3 +++ libexec/rc/rc.d/virecover | 4 ++++ libexec/rc/rc.d/watchdogd | 4 ++++ libexec/rc/rc.d/wpa_supplicant | 3 +++ libexec/rc/rc.d/ypbind | 2 ++ libexec/rc/rc.d/ypldap | 2 ++ libexec/rc/rc.d/yppasswdd | 2 ++ libexec/rc/rc.d/ypserv | 2 ++ libexec/rc/rc.d/ypset | 3 +++ libexec/rc/rc.d/ypupdated | 2 ++ libexec/rc/rc.d/ypxfrd | 2 ++ libexec/rc/rc.d/zfs | 4 ++++ libexec/rc/rc.d/zfsbe | 4 ++++ libexec/rc/rc.d/zfsd | 4 ++++ libexec/rc/rc.d/zfskeys | 4 ++++ libexec/rc/rc.d/zpool | 4 ++++ libexec/rc/rc.d/zpoolreguid | 4 ++++ libexec/rc/rc.d/zpoolupgrade | 4 ++++ libexec/rc/rc.d/zvol | 4 ++++ 166 files changed, 598 insertions(+), 39 deletions(-) diff --git a/libexec/rc/rc.d/accounting b/libexec/rc/rc.d/accounting index 5c08f18cd2ca..1e0ece84fb15 100755 --- a/libexec/rc/rc.d/accounting +++ b/libexec/rc/rc.d/accounting @@ -76,4 +76,8 @@ accounting_rotate_log() } load_rc_config $name + +# doesn't make sense to run in a svcj: jail can't manipulate accounting +accounting_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/adjkerntz b/libexec/rc/rc.d/adjkerntz index 81ee596369a5..339f8add7201 100755 --- a/libexec/rc/rc.d/adjkerntz +++ b/libexec/rc/rc.d/adjkerntz @@ -14,4 +14,8 @@ start_cmd="adjkerntz -i" stop_cmd=":" load_rc_config $name + +# doesn't make sense to run in a svcj: jail can't modify kerntz +adjkerntz_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/apm b/libexec/rc/rc.d/apm index b2bde4d32d1c..3187f41c3a50 100755 --- a/libexec/rc/rc.d/apm +++ b/libexec/rc/rc.d/apm @@ -43,4 +43,8 @@ apm_status() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +apm_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/apmd b/libexec/rc/rc.d/apmd index 8c6293549dc0..aeb5042342d6 100755 --- a/libexec/rc/rc.d/apmd +++ b/libexec/rc/rc.d/apmd @@ -34,4 +34,8 @@ apmd_prestart() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +apmd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/auditd b/libexec/rc/rc.d/auditd index 90017d88ab85..caea2587a2e9 100755 --- a/libexec/rc/rc.d/auditd +++ b/libexec/rc/rc.d/auditd @@ -32,4 +32,8 @@ auditd_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +auditd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/auditdistd b/libexec/rc/rc.d/auditdistd index e7ae7d64d39d..0814c2a4d2c7 100755 --- a/libexec/rc/rc.d/auditdistd +++ b/libexec/rc/rc.d/auditdistd @@ -17,5 +17,7 @@ command="/usr/sbin/${name}" required_files="/etc/security/${name}.conf" extra_commands="reload" +: ${auditdistd_svcj_options:="net_basic"} + load_rc_config $name run_rc_command "$1" diff --git a/libexec/rc/rc.d/automount b/libexec/rc/rc.d/automount index b01928651ec4..19f367837189 100755 --- a/libexec/rc/rc.d/automount +++ b/libexec/rc/rc.d/automount @@ -28,4 +28,8 @@ automount_stop() } load_rc_config $name + +# mounting shall not be performed in a svcj +automount_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/automountd b/libexec/rc/rc.d/automountd index 4bc6f7d01862..b809e9dfc8ad 100755 --- a/libexec/rc/rc.d/automountd +++ b/libexec/rc/rc.d/automountd @@ -17,4 +17,8 @@ command="/usr/sbin/${name}" required_modules="autofs" load_rc_config $name + +# mounting shall not be performed in a svcj +automountd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/autounmountd b/libexec/rc/rc.d/autounmountd index c939c6d8d011..1d8b3bfa354f 100755 --- a/libexec/rc/rc.d/autounmountd +++ b/libexec/rc/rc.d/autounmountd @@ -16,4 +16,8 @@ pidfile="/var/run/${name}.pid" command="/usr/sbin/${name}" load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +autounmountd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/bgfsck b/libexec/rc/rc.d/bgfsck index 24753f9f561f..dd5c330c3d11 100755 --- a/libexec/rc/rc.d/bgfsck +++ b/libexec/rc/rc.d/bgfsck @@ -46,4 +46,8 @@ bgfsck_start() } load_rc_config $name + +# doesn't make sense to run in a svcj +bgfsck_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/blacklistd b/libexec/rc/rc.d/blacklistd index b58c7c8a76b6..ecbb71e41fca 100755 --- a/libexec/rc/rc.d/blacklistd +++ b/libexec/rc/rc.d/blacklistd @@ -40,5 +40,8 @@ rcvar="blacklistd_enable" command="/usr/sbin/${name}" required_files="/etc/blacklistd.conf" +# no svcj options needed +: ${blacklistd_svcj_options:=""} + load_rc_config $name run_rc_command "$1" diff --git a/libexec/rc/rc.d/bluetooth b/libexec/rc/rc.d/bluetooth index 679d669a6191..22bd5078034d 100755 --- a/libexec/rc/rc.d/bluetooth +++ b/libexec/rc/rc.d/bluetooth @@ -317,5 +317,8 @@ bluetooth_stop() load_rc_config $name hccontrol="${bluetooth_hccontrol:-/usr/sbin/hccontrol}" +# doesn't make sense to run in a svcj: nojail keyword +bluetooth_svcj="NO" + run_rc_command $* diff --git a/libexec/rc/rc.d/bootparams b/libexec/rc/rc.d/bootparams index ce0b8a45e672..1d435d4ee480 100755 --- a/libexec/rc/rc.d/bootparams +++ b/libexec/rc/rc.d/bootparams @@ -15,5 +15,7 @@ rcvar="bootparamd_enable" required_files="/etc/bootparams" command="/usr/sbin/${name}" +: ${bootparamd_svcj_options:="net_basic"} + load_rc_config $name run_rc_command "$1" diff --git a/libexec/rc/rc.d/bridge b/libexec/rc/rc.d/bridge index a42d82adacc5..98d9212593e5 100755 --- a/libexec/rc/rc.d/bridge +++ b/libexec/rc/rc.d/bridge @@ -90,4 +90,8 @@ bridge_stop() iflist=$2 load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +bridge_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/bsnmpd b/libexec/rc/rc.d/bsnmpd index 60c7242f0c1f..60f4f5e86617 100755 --- a/libexec/rc/rc.d/bsnmpd +++ b/libexec/rc/rc.d/bsnmpd @@ -13,6 +13,8 @@ desc="Simple and extensible SNMP daemon" rcvar="bsnmpd_enable" command="/usr/sbin/${name}" +: ${bsnmpd_svcj_options:="net_basic"} + load_rc_config $name pidfile="${bsnmpd_pidfile:-/var/run/snmpd.pid}" command_args="-p ${pidfile}" diff --git a/libexec/rc/rc.d/bthidd b/libexec/rc/rc.d/bthidd index ec7da8181ca3..4b230406c4d5 100755 --- a/libexec/rc/rc.d/bthidd +++ b/libexec/rc/rc.d/bthidd @@ -50,4 +50,7 @@ if evdev_enabled; then fi required_files="${config}" +# doesn't make sense to run in a svcj: nojail keyword +bthidd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ccd b/libexec/rc/rc.d/ccd index f7dde1c23f4e..5f2427e4beb0 100755 --- a/libexec/rc/rc.d/ccd +++ b/libexec/rc/rc.d/ccd @@ -21,4 +21,8 @@ ccd_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +ccd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/cfumass b/libexec/rc/rc.d/cfumass index 79c9b0ae63d4..7d1117d7c388 100755 --- a/libexec/rc/rc.d/cfumass +++ b/libexec/rc/rc.d/cfumass @@ -145,4 +145,8 @@ cfumass_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +cfumass_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/cleanvar b/libexec/rc/rc.d/cleanvar index 08e647dde5ae..dce5baa6875b 100755 --- a/libexec/rc/rc.d/cleanvar +++ b/libexec/rc/rc.d/cleanvar @@ -43,4 +43,8 @@ cleanvar_start() } load_rc_config $name + +# doesn't make sense to run in a svcj +cleanvar_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/cleartmp b/libexec/rc/rc.d/cleartmp index 8101474b33cf..c4dfb5367dcb 100755 --- a/libexec/rc/rc.d/cleartmp +++ b/libexec/rc/rc.d/cleartmp @@ -57,4 +57,8 @@ cleartmp_start() } load_rc_config $name + +# doesn't make sense to run in a svcj +cleartmp_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/cron b/libexec/rc/rc.d/cron index a37d3ceee02e..584db590d835 100755 --- a/libexec/rc/rc.d/cron +++ b/libexec/rc/rc.d/cron @@ -16,6 +16,11 @@ command="/usr/sbin/${name}" pidfile="/var/run/${name}.pid" load_rc_config $name + +# doesn't make sense to run in a svcj: in the generic case it may need +# access to more than a jails allows +cron_svcj="NO" + if checkyesno cron_dst then cron_flags="$cron_flags -s" diff --git a/libexec/rc/rc.d/ctld b/libexec/rc/rc.d/ctld index f09c032575d9..c91d7a9be921 100755 --- a/libexec/rc/rc.d/ctld +++ b/libexec/rc/rc.d/ctld @@ -19,4 +19,8 @@ required_modules="ctl" extra_commands="reload" load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +ctld_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ddb b/libexec/rc/rc.d/ddb index 40235bebf90e..08a7d345c326 100755 --- a/libexec/rc/rc.d/ddb +++ b/libexec/rc/rc.d/ddb @@ -35,4 +35,7 @@ load_rc_config $name required_files="${ddb_config}" command_args="${ddb_config}" +# doesn't make sense to run in a svcj: privileged operation +ddb_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/defaultroute b/libexec/rc/rc.d/defaultroute index d8d6b2e97dcd..b96f91d36118 100755 --- a/libexec/rc/rc.d/defaultroute +++ b/libexec/rc/rc.d/defaultroute @@ -70,4 +70,8 @@ defaultroute_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +defaultroute_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/devd b/libexec/rc/rc.d/devd index 43fb9d5928dd..47326662339c 100755 --- a/libexec/rc/rc.d/devd +++ b/libexec/rc/rc.d/devd @@ -38,4 +38,8 @@ devd_prestart() } load_rc_config $name + +# doesn't make sense to run in a svcj: executing potential privileged operations +devd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/devfs b/libexec/rc/rc.d/devfs index b7835bd561ce..9987d35f6ad3 100755 --- a/libexec/rc/rc.d/devfs +++ b/libexec/rc/rc.d/devfs @@ -68,4 +68,8 @@ read_devfs_conf() } load_rc_config $name + +# doesn't make sense to run in a svcj: may need more permissions +devfs_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/devmatch b/libexec/rc/rc.d/devmatch index 67bb14761614..21846355fcfe 100755 --- a/libexec/rc/rc.d/devmatch +++ b/libexec/rc/rc.d/devmatch @@ -78,4 +78,8 @@ devmatch_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: privileged operations +devmatch_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/dhclient b/libexec/rc/rc.d/dhclient index e2f204076eb6..78442da29193 100755 --- a/libexec/rc/rc.d/dhclient +++ b/libexec/rc/rc.d/dhclient @@ -59,6 +59,9 @@ dhclient_prestart() load_rc_config $name load_rc_config network +# dhclient_prestart is not compatible with svcj +dhclient_svcj="NO" + if [ -z $ifn ] ; then # only complain if a command was specified but no interface if [ -n "$1" ] ; then diff --git a/libexec/rc/rc.d/dmesg b/libexec/rc/rc.d/dmesg index ed36ec17b419..51e35d5d4e80 100755 --- a/libexec/rc/rc.d/dmesg +++ b/libexec/rc/rc.d/dmesg @@ -23,4 +23,8 @@ do_dmesg() } load_rc_config $name + +# doesn't make sense to run in a svcj +dmesg_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/dnctl b/libexec/rc/rc.d/dnctl index 7e65b899bd01..9067d278088e 100644 --- a/libexec/rc/rc.d/dnctl +++ b/libexec/rc/rc.d/dnctl @@ -16,6 +16,9 @@ start_cmd="${name}_start" required_files="$dnctl_rules" required_modules="dummynet" +# doesn't make sense to run in a svcj: config setting +dnctl_svcj="NO" + dnctl_start() { startmsg -n "Enabling ${name}" diff --git a/libexec/rc/rc.d/dumpon b/libexec/rc/rc.d/dumpon index a6748711b796..0dfcdb266b20 100755 --- a/libexec/rc/rc.d/dumpon +++ b/libexec/rc/rc.d/dumpon @@ -97,4 +97,8 @@ dumpon_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +dumpon_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/fsck b/libexec/rc/rc.d/fsck index 359733d8484c..e755f055dbe6 100755 --- a/libexec/rc/rc.d/fsck +++ b/libexec/rc/rc.d/fsck @@ -91,4 +91,8 @@ fsck_start() } load_rc_config $name + +# doesn't make sense to run in a svcj +fsck_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ftp-proxy b/libexec/rc/rc.d/ftp-proxy index 250088d6bb35..c77dd36cd60b 100755 --- a/libexec/rc/rc.d/ftp-proxy +++ b/libexec/rc/rc.d/ftp-proxy @@ -13,6 +13,8 @@ desc="Internet File Transfer Protocol proxy daemon" rcvar="ftpproxy_enable" command="/usr/sbin/ftp-proxy" +: ${ftpproxy_svcj_options:="net_basic"} + load_rc_config $name # diff --git a/libexec/rc/rc.d/ftpd b/libexec/rc/rc.d/ftpd index 9bb9a722a2af..e25a561a520a 100755 --- a/libexec/rc/rc.d/ftpd +++ b/libexec/rc/rc.d/ftpd @@ -13,13 +13,11 @@ desc="Internet File Transfer Protocol daemon" rcvar="ftpd_enable" command="/usr/libexec/${name}" pidfile="/var/run/${name}.pid" -start_precmd=ftpd_prestart -ftpd_prestart() -{ - rc_flags="-D ${rc_flags}" - return 0 -} +: ${ftpd_svcj_options:="net_basic"} load_rc_config $name + +flags="-D ${flags} ${rc_flags}" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/geli b/libexec/rc/rc.d/geli index 16d24efd1e39..5fc5ded54ec3 100755 --- a/libexec/rc/rc.d/geli +++ b/libexec/rc/rc.d/geli @@ -121,4 +121,8 @@ geli_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +geli_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/geli2 b/libexec/rc/rc.d/geli2 index 16248d32ece8..cedd48a312ee 100755 --- a/libexec/rc/rc.d/geli2 +++ b/libexec/rc/rc.d/geli2 @@ -55,4 +55,8 @@ geli2_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +geli2_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ggated b/libexec/rc/rc.d/ggated index 22bc8beb7ca0..846019acb055 100755 --- a/libexec/rc/rc.d/ggated +++ b/libexec/rc/rc.d/ggated @@ -14,6 +14,9 @@ pidfile="/var/run/${name}.pid" load_rc_config $name required_files="${ggated_config}" +# XXX?: doesn't make sense to run in a svcj: low-level access +ggated_svcj="NO" + command_args="${ggated_config}" run_rc_command "$1" diff --git a/libexec/rc/rc.d/gptboot b/libexec/rc/rc.d/gptboot index 3f04143e79ec..188f1bb77557 100755 --- a/libexec/rc/rc.d/gptboot +++ b/libexec/rc/rc.d/gptboot @@ -73,4 +73,8 @@ gptboot_report() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +gptboot_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/growfs b/libexec/rc/rc.d/growfs index d16951b4bc3e..86bf199a8611 100755 --- a/libexec/rc/rc.d/growfs +++ b/libexec/rc/rc.d/growfs @@ -306,4 +306,8 @@ growfs_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +growfs_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/growfs_fstab b/libexec/rc/rc.d/growfs_fstab index a9d18c1eaed3..8b7cea3a63e5 100755 --- a/libexec/rc/rc.d/growfs_fstab +++ b/libexec/rc/rc.d/growfs_fstab @@ -58,4 +58,8 @@ growfs_fstab_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +growfs_fstab_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/gssd b/libexec/rc/rc.d/gssd index fa0edcead140..7ab3c181eeb1 100755 --- a/libexec/rc/rc.d/gssd +++ b/libexec/rc/rc.d/gssd @@ -13,5 +13,7 @@ name=gssd desc="Generic Security Services Daemon" rcvar=gssd_enable +: ${gssd_svcj_options:="net_basic nfsd"} + load_rc_config $name run_rc_command "$1" diff --git a/libexec/rc/rc.d/hastd b/libexec/rc/rc.d/hastd index 8c1d9e8bc16a..37df43d26c7d 100755 --- a/libexec/rc/rc.d/hastd +++ b/libexec/rc/rc.d/hastd @@ -26,4 +26,8 @@ hastd_stop_precmd() } load_rc_config $name + +# doesn't make sense to run in a svcj: nojail keyword +hastd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/hcsecd b/libexec/rc/rc.d/hcsecd index 542305040357..8827e53777f3 100755 --- a/libexec/rc/rc.d/hcsecd +++ b/libexec/rc/rc.d/hcsecd @@ -21,4 +21,7 @@ config="${hcsecd_config:-/etc/bluetooth/${name}.conf}" command_args="-f ${config}" required_files="${config}" +# doesn't make sense to run in a svcj: nojail keyword +hcsecd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/hostapd b/libexec/rc/rc.d/hostapd index fe3dac1dea06..251df91a280b 100755 --- a/libexec/rc/rc.d/hostapd +++ b/libexec/rc/rc.d/hostapd @@ -38,4 +38,8 @@ required_modules="wlan_xauth wlan_wep wlan_tkip wlan_ccmp" extra_commands="reload" load_rc_config ${name} + +# doesn't make sense to run in a svcj: nojail keyword +hostapd_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/hostid b/libexec/rc/rc.d/hostid index 0210ca433501..18d0fbabf6e4 100755 --- a/libexec/rc/rc.d/hostid +++ b/libexec/rc/rc.d/hostid @@ -156,4 +156,8 @@ hostid_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +hostid_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/hostid_save b/libexec/rc/rc.d/hostid_save index af7f4138a5dd..b9727d24bc57 100755 --- a/libexec/rc/rc.d/hostid_save +++ b/libexec/rc/rc.d/hostid_save @@ -44,4 +44,8 @@ hostid_save() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +hostid_save_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/hostname b/libexec/rc/rc.d/hostname index f6ac95c9c888..8b26c4f60633 100755 --- a/libexec/rc/rc.d/hostname +++ b/libexec/rc/rc.d/hostname @@ -77,4 +77,8 @@ hostname_start() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +hostname_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/inetd b/libexec/rc/rc.d/inetd index 9820f8dc319a..81cc18d95be2 100755 --- a/libexec/rc/rc.d/inetd +++ b/libexec/rc/rc.d/inetd @@ -16,5 +16,7 @@ pidfile="/var/run/${name}.pid" required_files="/etc/${name}.conf" extra_commands="reload" +: ${inetd_svcj_options:="net_basic"} + load_rc_config $name run_rc_command "$1" diff --git a/libexec/rc/rc.d/iovctl b/libexec/rc/rc.d/iovctl index 01e16221cc4a..b2404f5665b1 100755 --- a/libexec/rc/rc.d/iovctl +++ b/libexec/rc/rc.d/iovctl @@ -35,4 +35,8 @@ iovctl_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +iovctl_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ip6addrctl b/libexec/rc/rc.d/ip6addrctl index 50d9408d0731..eac1d2729e78 100755 --- a/libexec/rc/rc.d/ip6addrctl +++ b/libexec/rc/rc.d/ip6addrctl @@ -120,4 +120,8 @@ ip6addrctl_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +ipv6addrctl_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter index e951bc9b7878..d0cb09ab527c 100755 --- a/libexec/rc/rc.d/ipfilter +++ b/libexec/rc/rc.d/ipfilter @@ -15,6 +15,9 @@ rcvar="ipfilter_enable" load_rc_config $name stop_precmd="test -f ${ipfilter_rules}" +# doesn't make sense to run in a svcj: config setting +ipfilter_svcj="NO" + start_precmd="$stop_precmd" start_cmd="ipfilter_start" stop_cmd="ipfilter_stop" diff --git a/libexec/rc/rc.d/ipfs b/libexec/rc/rc.d/ipfs index c51527bde43c..2ec4ad3b1d00 100755 --- a/libexec/rc/rc.d/ipfs +++ b/libexec/rc/rc.d/ipfs @@ -49,4 +49,8 @@ ipfs_stop() } load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +ipfs_svcj="NO" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ipfw b/libexec/rc/rc.d/ipfw index 2f6b20a41b1a..6d6f7577828f 100755 --- a/libexec/rc/rc.d/ipfw +++ b/libexec/rc/rc.d/ipfw @@ -163,4 +163,7 @@ ipfw_status() load_rc_config $name firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" +# doesn't make sense to run in a svcj: config setting +ipfw_svcj="NO" + run_rc_command $* diff --git a/libexec/rc/rc.d/ipfw_netflow b/libexec/rc/rc.d/ipfw_netflow index 219f0a4facf6..129488ce60d0 100755 --- a/libexec/rc/rc.d/ipfw_netflow +++ b/libexec/rc/rc.d/ipfw_netflow @@ -73,4 +73,7 @@ ipfw_netflow_stop() load_rc_config $name +# doesn't make sense to run in a svcj: config setting +ipfw_netflow_svcj="NO" + run_rc_command $* diff --git a/libexec/rc/rc.d/ipmon b/libexec/rc/rc.d/ipmon index a6449f241b87..3ef0c895ad16 100755 --- a/libexec/rc/rc.d/ipmon +++ b/libexec/rc/rc.d/ipmon @@ -15,6 +15,9 @@ rcvar="ipmon_enable" command="/sbin/${name}" start_precmd="ipmon_precmd" +# no svcj options needed +: ${ipmon_svcj_options:=""} + ipmon_precmd() { # Continue only if ipfilter or ipnat is enabled and the diff --git a/libexec/rc/rc.d/ipnat b/libexec/rc/rc.d/ipnat index 88cf368876d7..56fe443686b1 100755 --- a/libexec/rc/rc.d/ipnat +++ b/libexec/rc/rc.d/ipnat @@ -18,6 +18,9 @@ extra_commands="reload" required_files="${ipnat_rules}" required_modules="ipl:ipfilter" +# doesn't make sense to run in a svcj: config setting +ipnat_svcj="NO" + ipnat_start() { echo "Installing NAT rules." diff --git a/libexec/rc/rc.d/ippool b/libexec/rc/rc.d/ippool index 42cef3faf7eb..0db8bbe98f61 100755 --- a/libexec/rc/rc.d/ippool +++ b/libexec/rc/rc.d/ippool @@ -13,6 +13,10 @@ name="ippool" desc="user interface to the IPFilter pools" rcvar="ippool_enable" load_rc_config $name + +# doesn't make sense to run in a svcj: config setting +ippool_svcj="NO" + start_precmd="ippool_start_precmd" stop_cmd="${ippool_program} -F" reload_cmd="ippool_reload" diff --git a/libexec/rc/rc.d/ipropd_master b/libexec/rc/rc.d/ipropd_master index 9f8e1ee14490..a3ca498afe6c 100755 --- a/libexec/rc/rc.d/ipropd_master +++ b/libexec/rc/rc.d/ipropd_master @@ -14,6 +14,8 @@ required_files="$ipropd_master_keytab" start_precmd=${name}_start_precmd start_postcmd=${name}_start_postcmd +: ${ipropd_master_svcj_options:="net_basic"} + ipropd_master_start_precmd() { @@ -24,10 +26,6 @@ ipropd_master_start_precmd() for _slave in $ipropd_master_slaves; do echo $_slave done > /var/heimdal/slaves || return 1 - command_args="$command_args \ - --keytab=\"$ipropd_master_keytab\" \ - --detach \ - " } ipropd_master_start_postcmd() { @@ -36,4 +34,10 @@ ipropd_master_start_postcmd() } load_rc_config $name + +command_args="$command_args \ + --keytab=\"$ipropd_master_keytab\" \ + --detach \ +" + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ipropd_slave b/libexec/rc/rc.d/ipropd_slave index 9d4b06f0e8f3..1735cff3de86 100755 *** 1539 LINES SKIPPED ***