Date: Mon, 16 May 2022 10:25:00 +0200
From: Alexander Leidinger
To: FreeBSD User
Cc: security@freebsd.org, jail@freebsd.org
Subject: Re: Auto-jailing of services - 2nd implementation

Quoting FreeBSD User (from Sun, 15 May 2022 12:49:06 +0200):

> On Sun, 03 Apr 2022 21:48:42 +0200
> Alexander Leidinger wrote:
>
>> Hi,
>>
>> attached is a new implementation of service jails (auto-jailing of
>> services). This one now supports rc command prefixes (e.g. onestart)
>> and I tested it in nested jails. The benefit of auto-jailing services
>> is that you can apply some restrictions to services (and what other
>> processes they may see). If your service requires access to network but
>> not sysvipc, and it doesn't run as root, it can be limited to network
>> access with or without raw sockets, filesystem-permitted files, and
>> doesn't see other processes on the system.
>>
>> For a few services I have added the required "svcj-config" in the
>> start scripts (e.g. network access for syslog by setting
>> syslogd_svj_options=net_basic).
>>
>> Possible svcj config options for service jails:
>> + netv4)
>> +     _svcj_cmd_options="ip4=inherit allow.reserved_ports ${_svcj_cmd_options}"
>> +     ;;
>> + netv6)
>> +     _svcj_cmd_options="ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
>> +     ;;
>> + net_basic)
>> +     _svcj_cmd_options="ip4=inherit ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
>> +     ;;
>> + net_raw)
>> +     _svcj_cmd_options="allow.raw_sockets ${_svcj_cmd_options}"
>> +     ;;
>> + net_all)
>> +     _svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_svcj_cmd_options}"
>> +     ;;
>> + sysvipc)
>> +     _svcj_cmd_options="sysvmsg=inherit sysvsem=inherit sysvshm=inherit ${_svcj_cmd_options}"
>> +     ;;
>> + mlock)
>> +     _svcj_cmd_options="allow.mlock ${_svcj_cmd_options}"
>> +     ;;
>> + vmm)
>> +     _svcj_cmd_options="allow.vmm ${_svcj_cmd_options}"
>>
>> By setting syslogd_svcj="YES" in rc.conf your syslogd will be started
>> in a jail which inherits the full filesystem and the ipv4 and ipv6
>> addresses of the parent.
>>
>> It would be nice if interested people could experiment a little bit
>> with this, e.g. adding name_svcj_options="X Y" from above and
>> name_svcj="YES" into rc.conf and see if it works. Note, doing that for
>> sshd doesn't make sense in the generic case, it wouldn't see your
>> jails. It may make sense for services.
>>
>> Any kind of feedback and tested name_svcj_options submissions welcome...
>>
>> Bye,
>> Alexander.
>>
>
> Hello Alexander Leidinger,
>
> is this really interesting feature already part of recent CURRENT rc
> subsystem or do I

No.

> have to "patch" CURRENT with the rc script provided by some place
> first to obtain the
> functionality you are talking here about?
The patch was supposed to be attached to the mail you quoted. A more recent patch (now with docu in the rc.conf man page) is attached to this email (rc.subr + service command + man pages + a few services -> "grep diff svcjails.diff" for the list of OS services which can be enabled without research about the svcj_options). At least /etc/rc.subr and /usr/sbin/service need to be patched (respectively a buildworld+installworld).

> Thanks in advance and kind regards
>
> O. Hartmann
>
> p.s. would it be possible to put as service with a dedicated network
> interfacing (say,
> jailed vnet/vlan, for instance an asterisk service running on a small
> router appliance, as
> we do in our projects?).

This will use the networking of the host. This is really automatic stuff, no additional network interface (all that the host sees is also available in the service jail), no dedicated directory/filesystem area (as if it runs unjailed). All is used from the host. The additional security this provides is the limit of what the process is allowed to do in the kernel and the namespace isolation. So you could prevent sysvipc access. You could restrict it to ipv6 even if ipv4 is configured. You wouldn't see processes outside of the service jail even if running as root. If you want more advanced things, you need to create a jail on your own. Parts of what service jails do could be done with capabilities (sometimes even with more restrictions), but this needs support inside the application for capabilities, whereas service jails do not need changes to the application itself.
If you want to put asterisk into one of my service jails, you would have to set the following in rc.conf:

asterisk_enable="YES"
asterisk_svcj_options=""
asterisk_svcj="YES"

The asterisk_svcj_options part is supposed to be included in the rc script of asterisk (if/once this is committed to FreeBSD), but can be specified in rc.conf to override it if needed (or to test things). For asterisk I would assume at least asterisk_svcj_options="net_basic".

There's also a svcj_all_enable variable, but as long as not all services have a correct setting of their svcj_options, this will not do what you mean.

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

[Attachment: svcjails.diff]

diff --git a/libexec/rc/rc.d/auditdistd b/libexec/rc/rc.d/auditdistd index 13cb5d5b69d..3218bd35755 100755 --- a/libexec/rc/rc.d/auditdistd +++ b/libexec/rc/rc.d/auditdistd @@ -19,4 +19,7 @@ required_files=3D"/etc/security/${name}.conf" extra_commands=3D"reload" =20 =20load_rc_config $name + +: ${auditdistd_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/ftpd b/libexec/rc/rc.d/ftpd index dc623ea5943..a04c7ce5ee2 100755 --- a/libexec/rc/rc.d/ftpd +++ b/libexec/rc/rc.d/ftpd @@ -23,4 +23,7 @@ ftpd_prestart() } =20 =20load_rc_config $name + +: ${ftpd_svcj_options:=3D"net_all"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/inetd b/libexec/rc/rc.d/inetd index aa8ac20aeae..8cf7be5d91e 100755 --- a/libexec/rc/rc.d/inetd +++ b/libexec/rc/rc.d/inetd @@ -18,4 +18,7 @@ required_files=3D"/etc/${name}.conf" extra_commands=3D"reload" =20 =20load_rc_config $name + +: ${inetd_svcj_options:=3D"net_basic"} + run_rc_command "$1"
diff --git a/libexec/rc/rc.d/kadmind b/libexec/rc/rc.d/kadmind index 773b2d0e499..1bdd420e415 100755 --- a/libexec/rc/rc.d/kadmind +++ b/libexec/rc/rc.d/kadmind @@ -26,4 +26,7 @@ kadmind_start_precmd() } =20 =20load_rc_config $name + +: ${kadmind_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/kdc b/libexec/rc/rc.d/kdc index c2747ae08ca..11205d6e092 100755 --- a/libexec/rc/rc.d/kdc +++ b/libexec/rc/rc.d/kdc @@ -26,4 +26,7 @@ kdc_start_precmd() } =20 =20load_rc_config $name + +: ${kdc_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/kpasswdd b/libexec/rc/rc.d/kpasswdd index a2875bf1515..af7b7a6b9aa 100755 --- a/libexec/rc/rc.d/kpasswdd +++ b/libexec/rc/rc.d/kpasswdd @@ -26,4 +26,7 @@ kpasswdd_start_precmd() } =20 =20load_rc_config $name + +: ${kapsswd_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/local_unbound b/libexec/rc/rc.d/local_unbound index 19cb9a6c5c0..7436034495f 100755 --- a/libexec/rc/rc.d/local_unbound +++ b/libexec/rc/rc.d/local_unbound @@ -34,6 +34,7 @@ load_rc_config $name : ${local_unbound_anchor:=3D${local_unbound_workdir}/root.key} : ${local_unbound_forwarders:=3D} : ${local_unbound_tls:=3D} +: ${local_unbound_svcj_options:=3D"net_basic"} =20 =20do_as_unbound() { diff --git a/libexec/rc/rc.d/lpd b/libexec/rc/rc.d/lpd index fc8180cb221..725adda9072 100755 --- a/libexec/rc/rc.d/lpd +++ b/libexec/rc/rc.d/lpd @@ -25,4 +25,7 @@ chkprintcap() } =20 =20load_rc_config $name + +: ${lpd_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/sshd b/libexec/rc/rc.d/sshd index 282f69f8e4c..9c3b5762579 100755 --- a/libexec/rc/rc.d/sshd +++ b/libexec/rc/rc.d/sshd 
@@ -81,4 +81,11 @@ sshd_precmd() } =20 =20load_rc_config $name + +# sshd in a jail would not see other jails. As such exclude it from +# svcj_all_enable=3D"YES" by setting sshd_svcj to NO. This allows to +# enable it in rc.conf. +: ${sshd_svcj:=3D"NO"} +: ${sshd_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.d/syslogd b/libexec/rc/rc.d/syslogd index 2351c086212..95d2b156b88 100755 --- a/libexec/rc/rc.d/syslogd +++ b/libexec/rc/rc.d/syslogd @@ -71,4 +71,7 @@ set_socketlist() echo $_socketargs } load_rc_config $name + +: ${syslogd_svcj_options:=3D"net_basic"} + run_rc_command "$1" diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index dc4f49612c2..356fb0fea61 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -51,6 +51,9 @@ PROTECT=3D"/usr/bin/protect" ID=3D"/usr/bin/id" IDCMD=3D"if [ -x $ID ]; then $ID -un; fi" PS=3D"/bin/ps -ww" +SERVICE=3D/usr/sbin/service +JAIL_CMD=3D/usr/sbin/jail +_svcj_generic_params=3D"path=3D/ mount.nodevfs host=3Dinherit" JID=3D0 # rc_service provides the path to the service script that we are executing= . # This is not being set here in an execution context, necessarily, so it's @@ -368,6 +371,16 @@ _find_processes() $_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_proc= namebn}]")' fi =20 +=09if checkyesno ${name}_svcj; then + JID=3D$(/usr/sbin/jls -j svcj-${name} jid) + + case ${JID} in + ''|*[!0-9]*) + # svj-jail doesn't exist, fallback to host-check + JID=3D0 + ;; + esac + fi _proccheck=3D"\ $PS 2>/dev/null -o pid=3D -o jid=3D -o command=3D $_psargs"' | while read _npid _jid '"$_fp_args"'; do 
@@ -959,6 +972,18 @@ run_rc_command() _pidcmd=3D _procname=3D${procname:-${command}} =20 +=09# If a specifc jail has a specific svcj request, honor it (YES/NO). + # If not (variable empty), evaluate the global svcj catch-call. + # A global YES can be overriden by a specific NO, and a global NO is over= riden + # by a specific YES. + eval _svcj=3D\$${name}_svcj + if [ -z "$_svcj" ]; then + _svcj=3D${svcj_all_enable} + if [ -z "$_svcj" ]; then + eval ${name}_svcj=3DNO + fi + fi + # setup pid check command if [ -n "$_procname" ]; then if [ -n "$pidfile" ]; then @@ -994,7 +1019,7 @@ run_rc_command() _fib=3D\$${name}_fib _env=3D\$${name}_env \ _prepend=3D\$${name}_prepend _login_class=3D\${${name}_login_class:-d= aemon} \ _limits=3D\$${name}_limits _oomprotect=3D\$${name}_oomprotect \ - _env_file=3D\$${name}_env_file + _env_file=3D\$${name}_env_file _svcj_options=3D\$${name}_svcj_options =20 =20 if [ -n "$_env_file" ] && [ -r "${_env_file}" ]; then # load env from f= ile set -a 
@@ -1008,6 +1033,42 @@ run_rc_command() fi fi =20 +=09if [ -n "$_svcj_options" ]; then # translate service jail options + _svcj_cmd_options=3D"" + + for _svcj_option in $_svcj_options; do + case "$_svcj_option" in + netv4) + _svcj_cmd_options=3D"ip4=3Dinherit allow.reserved_ports ${_svcj_cmd_o= ptions}" + ;; + netv6) + _svcj_cmd_options=3D"ip6=3Dinherit allow.reserved_ports ${_svcj_cmd_o= ptions}" + ;; + net_basic) + _svcj_cmd_options=3D"ip4=3Dinherit ip6=3Dinherit allow.reserved_ports= ${_svcj_cmd_options}" + ;; + net_raw) + _svcj_cmd_options=3D"allow.raw_sockets ${_svcj_cmd_options}" + ;; + net_all) + _svcj_cmd_options=3D"allow.socket_af allow.raw_sockets allow.reserved= _ports ip4=3Dinherit ip6=3Dinherit ${_svcj_cmd_options}" + ;; + sysvipc) + _svcj_cmd_options=3D"sysvmsg=3Dinherit sysvsem=3Dinherit sysvshm=3Din= herit ${_svcj_cmd_options}" + ;; + mlock) + _svcj_cmd_options=3D"allow.mlock ${_svcj_cmd_options}" + ;; + vmm) + _svcj_cmd_options=3D"allow.vmm ${_svcj_cmd_options}" + ;; + *) + echo ${name}: unknown service jail option: $_svcj_option + ;; + esac + done + fi + [ -z "$autoboot" ] && eval $_pidcmd # determine the pid if necessary =20 =20 for _elem in $_keywords; do 
@@ -1053,9 +1114,50 @@ run_rc_command() if [ -n "$_env" ]; then eval "export -- $_env" fi - _run_rc_precmd || return 1 - _run_rc_doit "$_cmd $rc_extra_args" || return 1 - _run_rc_postcmd + + if [ "${_rc_svcj}" !=3D jailing ]; then + _run_rc_precmd || return 1 + fi + if ! checkyesno ${name}_svcj; then + _run_rc_doit "$_cmd $rc_extra_args" || return 1 + else + case "$rc_arg" in + start) + if [ "${_rc_svcj}" !=3D jailing ]; then + _return=3D1 + $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \ + exec.start=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pre= fix}start $rc_extra_args" \ + exec.stop=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pref= ix}stop $rc_extra_args" \ + exec.consolelog=3D"/var/log/svcj_${name}_console.log" \ + name=3Dsvcj-${name} && _return=3D0 + else + _run_rc_doit "$_cmd $rc_extra_args" || _return=3D1 + fi + ;; + stop) + if [ "${_rc_svcj}" !=3D jailing ]; then + $SERVICE -E _rc_svcj=3Djailing -j svcj-${name} ${name} ${_rc_prefix}= stop $rc_extra_args || _return=3D1 + $JAIL_CMD -r svcj-${name} 2>/dev/null + else + _run_rc_doit "$_cmd $rc_extra_args" || _return=3D1 + fi + ;; + restart|status) ;; # no special case needed for svcj or handled somewh= ere else + *) +if checkyesno ${name}_svcj; then +echo XXX: check if \"$rc_arg\" needs to be executed in the jail or outside +fi +# if [ "${_rc_svcj}" !=3D jailing ]; then +# $SERVICE -j svcj-${name} ${name} ${_rc_prefix}${rc_arg} $rc_extra_a= rgs || _return=3D1 +# else + _run_rc_doit "$_cmd $rc_extra_args" || _return=3D1 +# fi + ;; + esac + fi + if [ "${_rc_svcj}" !=3D jailing ];=20then + _run_rc_postcmd + fi return $_return fi =20 @@=20-1113,9 +1215,21 @@ run_rc_command() return 1 fi =20 -=09 if ! _run_rc_precmd; then - warn "failed precmd routine for ${name}" - return 1 + if [ "${_rc_svcj}" !=3D jailing ]; then + if ! 
_run_rc_precmd; then + warn "failed precmd routine for ${name}" + return 1 + fi + fi + + if checkyesno ${name}_svcj; then + if [ "${_rc_svcj}" !=3D jailing ]; then + $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\ + exec.start=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_pref= ix}start $rc_extra_args" \ + exec.stop=3D"${SERVICE} -E _rc_svcj=3Djailing ${name} ${_rc_prefi= x}stop $rc_extra_args" \ + exec.consolelog=3D"/var/log/svcj_${name}_console.log" \ + name=3Dsvcj-${name} || return 1 + fi fi =20 =20 # setup the full command to run @@ -1152,16 +1266,28 @@ $command $rc_flags $command_args" # Prepend default limits _doit=3D"$_cd limits -C $_login_class $_limits $_doit" =20 + +=09 local _really_run_it=3Dtrue + if checkyesno ${name}_svcj; then + if [ "${_rc_svcj}" !=3D jailing ]; then + _really_run_it=3Dfalse + fi + fi + + if [ "$_really_run_it" =3D true ]; then # run the full command # - if ! _run_rc_doit "$_doit"; then - warn "failed to start ${name}" - return 1 + if ! _run_rc_doit "$_doit"; then + warn "failed to start ${name}" + return 1 + fi fi =20 +=09 if [ "${_rc_svcj}" !=3D jailing ]; then # finally, run postcmd # - _run_rc_postcmd + _run_rc_postcmd + fi ;; =20 =20 stop) @@ -1183,6 +1309,11 @@ $command $rc_flags $command_args" # and run postcmd. wait_for_pids $rc_pid =20 +=09 if checkyesno ${name}_svcj; then + # remove service jail + $JAIL_CMD -r svcj-${name} 2>/dev/null + fi + _run_rc_postcmd ;; =20 @@=20-1211,6 +1342,7 @@ $command $rc_flags $command_args" =20 =20 _run_rc_precmd || return 1 =20 + =20 # run those in a subshell to keep global variables ( run_rc_command ${_rc_prefix}stop $rc_extra_args ) ( run_rc_command ${_rc_prefix}start $rc_extra_args ) diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 01b09b1a59b..320e0c40765 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 
@@ -239,6 +239,19 @@ such as PostgreSQL will not inherit the OOM killer pro= tection. .It Ao Ar name Ac Ns Va _user .Pq Vt str Run the service under this user account. +.It Ao Ar name Ac Ns Va _svcj +.Pq Vt bool +If set to +.Dq Li YES , +auto-jail the service with inherited filesystem and other +jail properties depending on +.Ao Ar name Ac Ns Va _svcj_options . +.It Ao Ar name Ac Ns Va _svcj_options +.Pq Vt str +A list of jail properties for the service. +See +.Sx SERVICE JAILS +for a list of valid properties. .It Va apm_enable .Pq Vt bool If set to @@ -372,6 +385,12 @@ is set to these are the flags to pass to the .Xr powerd 8 daemon. +.It Va svcj_all_enable +Enable auto-jailing of all services which are not explicitely +excluded. +See +.Sx SERVICE JAILS +for more info. .It Va tmpmfs Controls the creation of a .Pa /tmp 
@@ -4666,6 +4685,94 @@ Define the total number of seconds to wait for the z= fskeys script to unlock an encrypted dataset. The default is 10. .El +.Sh SERVICE JAILS +The service jails part of the rc system automatically puts a service +into a jail. +This jail inherits the filesystem and various other parts of the +parent (if you allow child-jails in your jails, service jails +can be used in jails) depending on the content of the +.Ao Ar name Ac Ns Va _svcj_options +variable. +Typically this variable is set inside rc scripts, but it can be +overriden in the rc config. +Valid options for +.Ao Ar name Ac Ns Va _svcj_options +are: +.Bl -tag -width indent-two +.It netv4 +Inherit the IPv4 address and allows to open reserved ports. +This can not be combined with +.Pa netv6 . +.It netv6 +Inherit the IPv6 address and allows to open reserved ports. +This can not be combined with +.Pa netv4 . +.It net_basic +Inherits the IPv4 and IPv6 addresses and allows to open +reserved ports. +.It net_raw +Allow to open raw sockets. This option can be combined with +.Pa netv4 , +.Pa netv6 , +.Pa net_basic . +.It net_all +Inherits the IPv4 and IPv6 addresses, allows to open reserved +ports, allows to open raw sockets, and allows to open sockets +of protocol stacks that have not had jail functionality added +to them. +.It sysvipc +Allows access to SysV semaphores, SysV shared memory and +SysV messages. +.It mlock +Allows to lock memory pages into the physical memory. +.It vmm +Allows access to +.Xr vmm 4 . +This option is only available when +.Xr vmm 4 +is enabled in the kernel. +.El + +All non-network options can be combined with all other options. + +If the +.Ao Ar name Ac Ns Va _svcj +variable is set to +.Dq Li YES , +this particular service is started in a +service jail named +.Va svcj- Ns Ar name Ac . + +The +.Va svcj_all_enable +variable allows to enable service jails for all services of the +system at once. 
+Services which have +.Ao Ar name Ac Ns Va _svcj +set to +.Dq Li NO +are excluded. +Some services may set +.Ao Ar name Ac Ns Va _svcj +to +.Dq Li NO +in the script to either prevent service jails for this +service at all, or may set it to +.Dq Li NO +if it is not set in the +rc config, to exclude it from +.Va svcj_all_enable +but allow to explicitely enable it. +The sshd service for example would not see other jails, if +it would run as a service jail. +This may or may not be what is needed, and as such it is +excluded from +.Va svcj_all_enable +but can be enabled via setting +.Va sshd_svcj +to +.Dq Li YES . +.El .Sh FILES .Bl -tag -width ".Pa /etc/defaults/rc.conf" -compact .It Pa /etc/defaults/rc.conf diff --git a/usr.sbin/service/service.8 b/usr.sbin/service/service.8 index 9902ae3c857..c2be0e0af03 100644 --- a/usr.sbin/service/service.8 +++ b/usr.sbin/service/service.8 @@ -48,6 +48,7 @@ .Nm .Op Fl j Ar jail .Op Fl v +.Op Fl E Ar var=3Dvalue .Ar script .Ar command .Sh DESCRIPTION @@ -67,6 +68,13 @@ the scripts using various criteria. .Pp The options are as follows: .Bl -tag -width F1 +.It Fl E Ar var=3Dvalue +Set the environment variable +.Ar var +to the specified +.Ar value +before starting the script. +This option can be used multiple times. .It Fl e List services that are enabled. The list of scripts to check is compiled using @@ -117,6 +125,9 @@ to which is how they are set in .Pa /etc/rc at boot time. +If the +.Fl E +option is used, the corresponding variable is set accordingly. .Sh EXIT STATUS .Ex -std .Sh EXAMPLES @@ -126,6 +137,7 @@ command: .Bd -literal -offset -ident service named status service -j dns named status +service -E LC_ALL=3DC.UTF-8 named start service -rv .Ed .Pp diff --git a/usr.sbin/service/service.sh b/usr.sbin/service/service.sh index 76cce580c5b..2f86d117fd1 100755 --- a/usr.sbin/service/service.sh +++ b/usr.sbin/service/service.sh 
@@ -37,10 +37,11 @@ usage () { echo "${0##*/} [-j ] -e" echo "${0##*/} [-j ] -R" echo "${0##*/} [-j ] [-v] -l | -r" - echo "${0##*/} [-j ] [-v] start|stop|etc." + echo "${0##*/} [-j ] [-v] [-E var=3Dvalue] = start|stop|etc." echo "${0##*/} -h" echo '' echo "-j Perform actions within the named jail" + echo "-E n=3Dval Set variable n to val before executing the rc.d script" echo '-e Show services that are enabled' echo "-R Stop and start enabled $local_startup services" echo "-l List all scripts in /etc/rc.d and $local_startup" @@ -49,9 +50,10 @@ usage () { echo '' } =20 -while=20getopts 'j:ehlrRv' COMMAND_LINE_ARGUMENT ; do +while getopts 'j:E:ehlrRv' COMMAND_LINE_ARGUMENT ; do case "${COMMAND_LINE_ARGUMENT}" in j) JAIL=3D"${OPTARG}" ;; + E) VARS=3D"${VARS} ${OPTARG}" ;; e) ENABLED=3Deopt ;; h) usage ; exit 0 ;; l) LIST=3Dlopt ;; @@ -72,6 +74,9 @@ if [ -n "${JAIL}" ]; then [ -n "${RCORDER}" ] && args=3D"${args} -r" [ -n "${RESTART}" ] && args=3D"${args} -R" [ -n "${VERBOSE}" ] && args=3D"${args} -v" + for var in ${VARS}; do + args=3D"${args} -E ${var}" + done =20 =20 # Call jexec(8) with the rebuild args and any=20positional args that # were left in $@ 
@@ -171,7 +176,7 @@ cd / for dir in /etc/rc.d $local_startup; do if [ -x "$dir/$script" ]; then [ -n "$VERBOSE" ] && echo "$script is located in $dir" - exec env -i -L -/daemon HOME=3D/ PATH=3D/sbin:/bin:/usr/sbin:/usr/bin "$= dir/$script" "$@" + exec env -i -L -/daemon HOME=3D/ PATH=3D/sbin:/bin:/usr/sbin:/usr/bin ${= VARS} "$dir/$script" "$@" fi done =20
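Review bot: The kpasswdd hunk sets its default on a misspelled variable, `: ${kapsswd_svcj_options:="net_basic"}`; rc.subr reads `${name}_svcj_options` and `name` is `kpasswdd`, so this default is never seen and an svcj-enabled kpasswdd ends up in a jail with no network parameters at all. Rename it to `kpasswdd_svcj_options`.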
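Review bot: In the `_find_processes` hunk of rc.subr, `JID=$(/usr/sbin/jls -j svcj-${name} jid)` runs for every svcj-enabled service, including `status` before the jail has been created, so jls reports the missing jail on stderr each time; redirect it (`2>/dev/null`) the way the later `$JAIL_CMD -r svcj-${name} 2>/dev/null` line already does, and let the numeric check that follows handle the fallback to `JID=0`.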
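Review bot: The `${name}_svcj` resolution added at the top of run_rc_command does not propagate the global setting: when `${name}_svcj` is empty and `svcj_all_enable` is set, `_svcj` receives the global value but `${name}_svcj` is only assigned in the inner branch (to NO), so every later `checkyesno ${name}_svcj` evaluates an unset variable and `svcj_all_enable="YES"` never takes effect. Assign it in the outer branch instead, e.g. `eval ${name}_svcj=\${svcj_all_enable:-NO}`. The comment also has typos: `specifc`, `catch-call` (catch-all), `overriden`.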
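Review bot: The option translation hunk (`case "$_svcj_option" in ...`) only echoes `unknown service jail option` and keeps going, so a typo in `${name}_svcj_options` silently starts the service in a jail that lacks the intended network parameters, and although the rc.conf.5 hunk in this same patch states that netv4 and netv6 can not be combined, nothing here rejects that pairing. Record the failure in the loop and return 1 before any `$JAIL_CMD -c` is reached, and check the netv4/netv6 combination in the same place.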
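Review bot: The `*)` branch of the new `case "$rc_arg"` in run_rc_command still contains a debug line, `echo XXX: check if \"$rc_arg\" needs to be executed in the jail or outside`, and a commented-out alternative, while unconditionally running every non-start/stop command through `_run_rc_doit` on the host side. Decide which side extra_commands such as `reload` belong on and drop the XXX echo and dead code before this goes in; a short comment explaining why `_run_rc_precmd`/`_run_rc_postcmd` are skipped when `_rc_svcj=jailing` would also help the next reader.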
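Review bot: The `$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options ... name=svcj-${name}` invocation is duplicated between the fast-path `start)` branch and the `checkyesno ${name}_svcj` block before the full command is built, and the two copies already differ in whitespace before the line continuation (`$_svcj_cmd_options \` vs `$_svcj_cmd_options\`). Factor it into one helper (e.g. `_svcj_create_jail`) so the parameter list, `exec.start`/`exec.stop` strings and console log path cannot drift apart. While there, a comment on `_svcj_generic_params="path=/ mount.nodevfs host=inherit"` would help: with `path=/` the jail shares the host's /dev, so `mount.nodevfs` avoids a second devfs mount rather than limiting device access, and readers should not take it for a hardening setting.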
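Review bot: Spelling in the rc.conf.5 hunks: `explicitely` (twice) should be `explicitly`, `overriden` should be `overridden`, and the netv4/netv6 entries mix verb forms (`Inherit the IPv4 address and allows to open reserved ports`; the net_basic entry uses `Inherits ... allows`). The sentence `This can not be combined with .Pa netv6` documents a restriction the rc.subr parser in this patch does not enforce; either enforce it or describe what actually happens when both are given.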
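Review bot: The `-E` handling in the service.sh hunks never validates its argument: `E) VARS="${VARS} ${OPTARG}"` accepts any word, and the final `exec env -i -L -/daemon HOME=/ PATH=... ${VARS} "$dir/$script" "$@"` passes it unquoted and word-split to env(1). An argument without `=` is therefore treated by env as the program to run (with the rc script as its first argument), and a value containing whitespace becomes several assignments; the jexec forwarding loop `args="${args} -E ${var}"` splits the same way. Check in the getopts branch that `${OPTARG}` has the form `name=value`, and note in service.8 that `-E` can override the sanitized `PATH` and `HOME` that `env -i` sets up, since that is both the purpose of the option and something privileged callers should be aware of.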
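The option translation and the jail(8) command line the rc.subr patch builds, re-created as an added stand-alone example (not code from the posted svcjails.diff): it mirrors the mapping of `${name}_svcj_options` to jail parameters, adds the netv4/netv6 exclusivity check that the rc.conf.5 text describes, and fails on an unknown option instead of only warning. The function names `svcj_translate` and `svcj_jail_cmd` and the printed-only `jail -c` line are this example's own; the parameter strings are taken from the patch.

```shell
#!/bin/sh
# Added example, not code from the posted svcjails.diff: re-creates the
# svcj option -> jail(8) parameter translation of the rc.subr patch and adds
# two checks the patch lacks (netv4/netv6 exclusivity from rc.conf.5, and a
# hard failure on unknown options).

# Parameters the patch applies to every service jail (from its rc.subr hunk).
SVCJ_GENERIC_PARAMS="path=/ mount.nodevfs host=inherit"

# svcj_translate OPTION...
# Prints the jail(8) parameters for the given svcj options on stdout.
# Exit status: 0 ok, 1 unknown option, 2 netv4 combined with netv6.
svcj_translate() {
	_out=""
	_v4=no
	_v6=no
	for _opt in "$@"; do
		case "$_opt" in
		netv4)
			_v4=yes
			_out="$_out ip4=inherit allow.reserved_ports" ;;
		netv6)
			_v6=yes
			_out="$_out ip6=inherit allow.reserved_ports" ;;
		net_basic)
			_out="$_out ip4=inherit ip6=inherit allow.reserved_ports" ;;
		net_raw)
			_out="$_out allow.raw_sockets" ;;
		net_all)
			_out="$_out allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit" ;;
		sysvipc)
			_out="$_out sysvmsg=inherit sysvsem=inherit sysvshm=inherit" ;;
		mlock)
			_out="$_out allow.mlock" ;;
		vmm)
			_out="$_out allow.vmm" ;;
		*)
			# The patch only echoes here and continues; fail instead.
			echo "unknown service jail option: $_opt" >&2
			return 1 ;;
		esac
	done
	if [ "$_v4" = yes ] && [ "$_v6" = yes ]; then
		# Restriction stated in the rc.conf.5 hunk, not enforced by the patch.
		echo "netv4 and netv6 can not be combined" >&2
		return 2
	fi
	# Strip the leading space left by the first append.
	printf '%s\n' "${_out# }"
}

# svcj_jail_cmd NAME OPTION...
# Prints (does not run) the jail(8) invocation the patched rc.subr would use
# to create the service jail svcj-NAME for an rc script called NAME.
svcj_jail_cmd() {
	_name=$1
	shift
	_params=$(svcj_translate "$@") || return $?
	printf 'jail -c %s exec.start="service -E _rc_svcj=jailing %s start" exec.stop="service -E _rc_svcj=jailing %s stop" exec.consolelog=/var/log/svcj_%s_console.log name=svcj-%s\n' \
		"$SVCJ_GENERIC_PARAMS${_params:+ $_params}" "$_name" "$_name" "$_name" "$_name"
}

# Stand-alone usage: the asterisk case from the mail with the net_basic
# options the author suggests (constructed input, nothing is executed).
svcj_jail_cmd asterisk net_basic
```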