svn commit: r190363 - in stable/7/etc: . rc.d
Doug Barton
dougb at FreeBSD.org
Mon Mar 23 19:54:16 PDT 2009
Author: dougb
Date: Tue Mar 24 02:54:15 2009
New Revision: 190363
URL: http://svn.freebsd.org/changeset/base/190363
Log:
MFC r181114, make sure services and protocols are in the chroot /etc
MFC r188293, improve handling of chroot inside of a jail
Modified:
stable/7/etc/ (props changed)
stable/7/etc/rc.d/named
Modified: stable/7/etc/rc.d/named
==============================================================================
--- stable/7/etc/rc.d/named Tue Mar 24 02:48:54 2009 (r190362)
+++ stable/7/etc/rc.d/named Tue Mar 24 02:54:15 2009 (r190363)
@@ -32,6 +32,8 @@ stop_postcmd="named_poststop"
#
chroot_autoupdate()
{
+ local file
+
# Create (or update) the chroot directory structure
#
if [ -r /etc/mtree/BIND.chroot.dist ]; then
@@ -59,17 +61,32 @@ chroot_autoupdate()
# Mount a devfs in the chroot directory if needed
#
- umount ${named_chrootdir}/dev 2>/dev/null
- devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
- devfs -m ${named_chrootdir}/dev rule apply path null unhide
- devfs -m ${named_chrootdir}/dev rule apply path random unhide
-
- # Copy local timezone information if it is not up to date.
- #
- if [ -r /etc/localtime ]; then
- cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" ||
- cp -p /etc/localtime "${named_chrootdir}/etc/localtime"
+ if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null
+ devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
+ devfs -m ${named_chrootdir}/dev rule apply path null unhide
+ devfs -m ${named_chrootdir}/dev rule apply path random unhide
+ else
+ if [ -c ${named_chrootdir}/dev/null -a \
+ -c ${named_chrootdir}/dev/random ]; then
+ info "named chroot: using pre-mounted devfs."
+ else
+ err 1 "named chroot: devfs cannot be mounted from" \
+ "within a jail. Thus a chrooted named cannot" \
+ "be run from within a jail." \
+ "To run named without chrooting it, set" \
+ "named_chrootdir=\"\" in /etc/rc.conf."
+ fi
fi
+
+ # Copy and/or update key files to the chroot /etc
+ #
+ for file in localtime protocols services; do
+ if [ -r /etc/$file ]; then
+ cmp -s /etc/$file "${named_chrootdir}/etc/$file" ||
+ cp -p /etc/$file "${named_chrootdir}/etc/$file"
+ fi
+ done
}
# Make symlinks to the correct pid file
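Review bot: The jailed branch at `if [ -c ${named_chrootdir}/dev/null -a -c ${named_chrootdir}/dev/random ]` only confirms that the two device nodes exist; unlike the non-jailed branch, which applies `devfsrules_hide_all` and unhides just null and random, it does not verify that the pre-mounted devfs is restricted, so a full devfs placed at `${named_chrootdir}/dev` by the jail configuration is accepted with only an info message. A comment should make that trust boundary explicit, e.g. `# Inside a jail devfs cannot be mounted here; the jail configuration must pre-mount it (restricted to null and random), only presence is checked.` Separately, the command substitution in `` if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then `` is unquoted, so an empty sysctl result produces a test syntax error rather than a clear failure; quoting it (`` "`${SYSCTL_N} security.jail.jailed`" ``) gives a readable error, and the same applies to the identical test in the named_poststop hunk. The copy loop's `cp -p` failure is also silent because it is only the right-hand side of `||`; appending `|| warn "named chroot: cannot update $file"` would surface a stale file in the chroot.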
@@ -109,7 +126,12 @@ named_stop()
named_poststop()
{
if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
- umount ${named_chrootdir}/dev 2>/dev/null || true
+ if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null || true
+ else
+ warn "named chroot:" \
+ "cannot unmount devfs from inside jail!"
+ fi
fi
}
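Review bot: The `warn "named chroot:" "cannot unmount devfs from inside jail!"` in the jailed branch fires on every stop inside a jail, although in that configuration the devfs was pre-mounted by the jail setup (chroot_autoupdate only logs `info "named chroot: using pre-mounted devfs."` when it finds it), so there is nothing this script could or should unmount. Logging at the same level, e.g. `info "named chroot: leaving pre-mounted devfs in place."`, keeps the start and stop messages consistent and avoids a spurious warning on each shutdown. The outer condition also tests `-c ${named_chrootdir}/dev/null` without quoting the variable, matching the rest of the script but worth noting if named_chrootdir can contain whitespace.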