svn commit: r256387 - in stable/10: etc/rc.d share/man/man5 usr.sbin/jail
Hiroki Sato
hrs at FreeBSD.org
Sat Oct 12 17:46:15 UTC 2013
Author: hrs
Date: Sat Oct 12 17:46:13 2013
New Revision: 256387
URL: http://svnweb.freebsd.org/changeset/base/256387
Log:
MFC 256385:
- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.
- rc.d/jail now displays the whole error message from jail(8) when a jail
fails to start.
Approved by: re (gjb)
Modified:
stable/10/etc/rc.d/jail
stable/10/share/man/man5/rc.conf.5
stable/10/usr.sbin/jail/command.c
stable/10/usr.sbin/jail/config.c
stable/10/usr.sbin/jail/jail.8
stable/10/usr.sbin/jail/jail.c
stable/10/usr.sbin/jail/jailp.h
Directory Properties:
stable/10/etc/rc.d/ (props changed)
stable/10/share/man/man5/ (props changed)
stable/10/usr.sbin/jail/ (props changed)
Modified: stable/10/etc/rc.d/jail
==============================================================================
--- stable/10/etc/rc.d/jail Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/etc/rc.d/jail Sat Oct 12 17:46:13 2013 (r256387)
@@ -226,8 +226,7 @@ parse_options()
eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}}
if checkyesno jail_${_j}_fdescfs_enable; then
- echo " mount += " \
- "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";"
+ echo " mount.fdescfs;"
fi
eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}}
if checkyesno jail_${_j}_procfs_enable; then
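Review bot: The emitted `mount.fdescfs;` no longer names its mount point, so the script now silently relies on jail(8) mounting fdescfs on `<path>/dev/fd` and doing so after mount.devfs; that ordering dependency is only stated in the log message, not in the script. A short comment above the `echo` would keep the next maintainer from reordering the checks, e.g. `# mount.fdescfs mounts on <path>/dev/fd; jail(8) performs it right after mount.devfs.` The enclosing parse_options() function starts and ends outside this hunk.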
@@ -438,7 +437,7 @@ jail_start()
echo -n " ${_hostname:-${_jail}}"
else
echo " cannot start jail \"${_hostname:-${jail}}\": "
- tail +2 $_tmp
+ cat $_tmp
fi
rm -f $_tmp
done
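Review bot: `cat $_tmp` on the new line leaves the temporary-file path unquoted, as the surrounding `rm -f $_tmp` already does; if the path ever contains whitespace or glob characters (it presumably comes from mktemp, so this is unlikely but cheap to rule out), the expansion splits. Prefer `cat "$_tmp"` and, while touching the block, `rm -f "$_tmp"`. The enclosing jail_start() function begins outside this hunk.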
Modified: stable/10/share/man/man5/rc.conf.5
==============================================================================
--- stable/10/share/man/man5/rc.conf.5 Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/share/man/man5/rc.conf.5 Sat Oct 12 17:46:13 2013 (r256387)
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 10, 2013
+.Dd October 12, 2013
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -3992,9 +3992,7 @@ set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
.It Li mount
set from
-.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
-or
-.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable.
+.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
.It Li exec.fib
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _fib
@@ -4042,6 +4040,9 @@ set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
This must be an integer,
not a string.
+.It Li mount.fdescfs
+set from
+.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
.It Li allow.set_hostname
set from
.Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow
Modified: stable/10/usr.sbin/jail/command.c
==============================================================================
--- stable/10/usr.sbin/jail/command.c Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/usr.sbin/jail/command.c Sat Oct 12 17:46:13 2013 (r256387)
@@ -106,7 +106,12 @@ next_command(struct cfjail *j)
case IP_MOUNT_DEVFS:
if (!bool_param(j->intparams[IP_MOUNT_DEVFS]))
continue;
- /* FALLTHROUGH */
+ j->comstring = &dummystring;
+ break;
+ case IP_MOUNT_FDESCFS:
+ if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
+ continue;
+ j->comstring = &dummystring;
case IP__OP:
case IP_STOP_TIMEOUT:
j->comstring = &dummystring;
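Review bot: The new `case IP_MOUNT_FDESCFS:` sets `j->comstring = &dummystring;` and then falls into `case IP__OP:` with no `break`, while the `/* FALLTHROUGH */` marker that used to sit at that spot was removed; the fall-through is harmless only because IP__OP assigns the same value again, and it will trip -Wimplicit-fallthrough. Mirror the IP_MOUNT_DEVFS case that this commit rewrote and end the new case with `break;`, or restore the `/* FALLTHROUGH */` comment if the shared path is intended. The enclosing next_command() switch and loop continue outside this hunk.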
@@ -452,6 +457,32 @@ run_command(struct cfjail *j)
}
break;
+ case IP_MOUNT_FDESCFS:
+ argv = alloca(7 * sizeof(char *));
+ path = string_param(j->intparams[KP_PATH]);
+ if (path == NULL) {
+ jail_warnx(j, "mount.fdescfs: no path");
+ return -1;
+ }
+ devpath = alloca(strlen(path) + 8);
+ sprintf(devpath, "%s/dev/fd", path);
+ if (check_path(j, "mount.fdescfs", devpath, 0,
+ down ? "fdescfs" : NULL) < 0)
+ return -1;
+ if (down) {
+ *(const char **)&argv[0] = "/sbin/umount";
+ argv[1] = devpath;
+ argv[2] = NULL;
+ } else {
+ *(const char **)&argv[0] = _PATH_MOUNT;
+ *(const char **)&argv[1] = "-t";
+ *(const char **)&argv[2] = "fdescfs";
+ *(const char **)&argv[3] = ".";
+ argv[4] = devpath;
+ argv[5] = NULL;
+ }
+ break;
+
case IP_COMMAND:
if (j->name != NULL)
goto default_command;
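Review bot: The `devpath` buffer is sized with the bare constant `8` and then filled with an unchecked `sprintf`, so the size and the `"/dev/fd"` literal it must accommodate are only correct by coincidence of counting; a future edit to either one will walk off the alloca'd buffer. Tie the size to the literal and bound the write: `size_t devlen = strlen(path) + sizeof("/dev/fd");`, `devpath = alloca(devlen);`, `snprintf(devpath, devlen, "%s/dev/fd", path);`. Separately, `argv` is allocated for 7 pointers but at most 6 are used here, and the unmount branch hard-codes `"/sbin/umount"` while the mount branch uses `_PATH_MOUNT`; both presumably mirror the existing IP_MOUNT_DEVFS case above the hunk, so consider fixing them together. The enclosing run_command() function begins and ends outside this hunk.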
Modified: stable/10/usr.sbin/jail/config.c
==============================================================================
--- stable/10/usr.sbin/jail/config.c Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/usr.sbin/jail/config.c Sat Oct 12 17:46:13 2013 (r256387)
@@ -83,6 +83,7 @@ static const struct ipspec intparams[] =
#endif
[IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV},
[IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
+ [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL},
[IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
[IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
[IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
Modified: stable/10/usr.sbin/jail/jail.8
==============================================================================
--- stable/10/usr.sbin/jail/jail.8 Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/usr.sbin/jail/jail.8 Sat Oct 12 17:46:13 2013 (r256387)
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 23, 2013
+.Dd October 12, 2013
.Dt JAIL 8
.Os
.Sh NAME
@@ -682,7 +682,7 @@ to.
An alias for each address will be added to the interface before the
prison is created, and will be removed from the interface after the
prison is removed.
-.It Op Va ip4.addr
+.It Va ip4.addr
In addition to the IP addresses that are passed to the kernel, and
interface and/or a netmask may also be specified, in the form
.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask .
@@ -691,7 +691,7 @@ will be added to that interface, as it i
.Va interface
parameter. If a netmask in either dotted-quad or CIDR form is given
after IP address, it will be used when adding the IP alias.
-.It Op Va ip6.addr
+.It Va ip6.addr
In addition to the IP addresses that are passed to the kernel,
and interface and/or a prefix may also be specified, in the form
.Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix .
@@ -722,11 +722,19 @@ An
format file containing filesystems to mount before creating a jail.
.It Va mount.devfs
Mount a
-.Xr devfs
-filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Xr devfs 5
+filesystem on the chrooted
+.Pa /dev
+directory, and apply the ruleset in the
.Va devfs_ruleset
parameter (or a default of ruleset 4: devfsrules_jail)
to restrict the devices visible inside the prison.
+.It Va mount.fdescfs
+Mount a
+.Xr fdescfs 5
+filesystem on the chrooted
+.Pa /dev/fd
+directory.
.It Va allow.dying
Allow making changes to a
.Va dying
@@ -1165,6 +1173,8 @@ environment of the first jail.
.Xr ps 1 ,
.Xr quota 1 ,
.Xr jail_set 2 ,
+.Xr devfs 5 ,
+.Xr fdescfs 5 ,
.Xr jail.conf 5 ,
.Xr procfs 5 ,
.Xr rc.conf 5 ,
Modified: stable/10/usr.sbin/jail/jail.c
==============================================================================
--- stable/10/usr.sbin/jail/jail.c Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/usr.sbin/jail/jail.c Sat Oct 12 17:46:13 2013 (r256387)
@@ -92,6 +92,7 @@ static const enum intparam startcommands
IP_MOUNT,
IP__MOUNT_FROM_FSTAB,
IP_MOUNT_DEVFS,
+ IP_MOUNT_FDESCFS,
IP_EXEC_PRESTART,
IP__OP,
IP_VNET_INTERFACE,
@@ -108,6 +109,7 @@ static const enum intparam stopcommands[
IP_STOP_TIMEOUT,
IP__OP,
IP_EXEC_POSTSTOP,
+ IP_MOUNT_FDESCFS,
IP_MOUNT_DEVFS,
IP__MOUNT_FROM_FSTAB,
IP_MOUNT,
Modified: stable/10/usr.sbin/jail/jailp.h
==============================================================================
--- stable/10/usr.sbin/jail/jailp.h Sat Oct 12 17:31:21 2013 (r256386)
+++ stable/10/usr.sbin/jail/jailp.h Sat Oct 12 17:46:13 2013 (r256387)
@@ -95,6 +95,7 @@ enum intparam {
#endif
IP_MOUNT, /* Mount points in fstab(5) form */
IP_MOUNT_DEVFS, /* Mount /dev under prison root */
+ IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */
IP_MOUNT_FSTAB, /* A standard fstab(5) file */
IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */