Enhancements to the new rc.d/jail script

Scot W. Hetzel hetzels at westbend.net
Sat Apr 19 17:55:22 PDT 2003 

Attached are patches for the new rc.d/jail script.  I moved the jail
variables out of the "Miscellaneous administrative options" section
and placed them into their own section ("Jail Configuration") in
/etc/defaults/rc.conf.  I also added definitions for the
jail_*_[rootdir,hostname,ip,exec] variables found in /etc/rc.d/jail.

I also made a change to rc.d/jail.  I added the ability to mount the
devfs and procfs on the jail, and to apply a devfs ruleset to the
jails dev directory (see the jail_*_[devfs,devfs_ruleset,procfs]
variables).

Currently rc.d/devfs starts after rc.d/jail, we need devfs rulesets
defined before the jail is started (devfs added to rc.d/jail REQUIRE).

Added a standard jail ruleset to rc.d/devfs.

Scot

Index: defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.172
diff -u -r1.172 rc.conf
--- defaults/rc.conf	16 Apr 2003 16:29:51 -0000	1.172
+++ defaults/rc.conf	20 Apr 2003 00:07:06 -0000
@@ -426,11 +426,28 @@
 harvest_ethernet="YES"	# Entropy device harvests ethernet randomness
 harvest_p_to_p="YES"	# Entropy device harvests point-to-point randomness
 dmesg_enable="YES"	# Save dmesg(8) to /var/run/dmesg.boot
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+
 jail_enable="NO"	# Set to NO to disable starting of any jails
 jail_list=""		# Space separated list of names of jails
 jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
 jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO"       # Allow SystemV IPC use from within a jail
+jail_sysvipc_allow="NO"	# Allow SystemV IPC use from within a jail
+jail_default_rulset="10" # Default jail devfs ruleset to apply
+
+# create an entry for each jail named in jail_list,  with these variables
+# NOTE: replace 'example' with the jail's name from jail_list
+#
+jail_example_rootdir="/usr/jail/default"	# Jails root directory         
+jail_example_hostname="default.domain.com"	# Jails hostname
+jail_example_ip="192.168.0.10"			# Jails IP number
+jail_example_exec="/bin/sh /etc/rc"		# command to execute in jail
+jail_example_devfs="NO"				# mount devfs in jail
+jail_example_devfs_rulset="10"			# devfs ruleset to apply to jail 
+jail_example_procfs="NO"			# mount procfs in jail
 
 ##############################################################
 ### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: rc.d/devfs
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/devfs,v
retrieving revision 1.2
diff -u -r1.2 devfs
--- rc.d/devfs	15 Dec 2002 21:56:53 -0000	1.2
+++ rc.d/devfs	20 Apr 2003 00:10:02 -0000
@@ -13,6 +13,22 @@
 
 load_rc_config $name
 
+# Standard Jail ruleset
+/sbin/devfs rule -s 10 delset
+/sbin/devfs rule -s 10 add 100 hide
+/sbin/devfs rule -s 10 add 200 path ptyp* unhide
+/sbin/devfs rule -s 10 add 300 path ttyp* unhide
+/sbin/devfs rule -s 10 add 400 path null unhide
+/sbin/devfs rule -s 10 add 500 path zero unhide
+/sbin/devfs rule -s 10 add 600 path random unhide
+/sbin/devfs rule -s 10 add 610 path urandom unhide
+/sbin/devfs rule -s 10 add 700 path fd unhide
+/sbin/devfs rule -s 10 add 800 path fd/* unhide
+/sbin/devfs rule -s 10 add 810 path mdctl unhide
+/sbin/devfs rule -s 10 add 900 path stdin unhide
+/sbin/devfs rule -s 10 add 910 path stdout unhide
+/sbin/devfs rule -s 10 add 920 path stderr unhide
+
 # Setup DEVFS, ie permissions, links etc.
 #
 if [ -r /etc/rc.devfs ]; then
Index: rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.3
diff -u -r1.3 jail
--- rc.d/jail	19 Apr 2003 07:50:32 -0000	1.3
+++ rc.d/jail	20 Apr 2003 00:26:51 -0000
@@ -4,8 +4,8 @@
 #
 
 # PROVIDE: jail
-# REQUIRE: LOGIN
-# KEYWORD: FreeBSD
+# REQUIRE: LOGIN devfs
+# KEYWORD: FreeBSD shutdown
 
 . /etc/rc.subr
 
@@ -14,6 +14,15 @@
 start_cmd="jail_start"
 stop_cmd="jail_stop"
 
+create_dev_links()
+{
+        local devdir=$1
+        local source=$2
+        local target=$3
+
+	(cd ${devdir} && ln -sf ${source} ${target})
+}
+
 jail_start()
 {
 	echo -n 'Configuring jails:'
@@ -49,11 +58,54 @@
 	for _jail in ${jail_list} 
 	do
 		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+
 		eval jail_hostname=\"\$jail_${_jail}_hostname\"
 		eval jail_ip=\"\$jail_${_jail}_ip\"
 		eval jail_exec=\"\$jail_${_jail}_exec\"
 		[ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-		
+
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+
+		eval jail_rulset=\"\$jail_${_jail}_devfs_ruleset\"
+		[ -z ${jail_rulset} ] && jail_rulset="${jail_default_rulset}"
+
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				mount -t devfs dev ${jail_devdir}
+
+				if [ -n "${jail_rulset}" ]; then
+					# Apply devfs rulset
+					devfs -m ${jail_devdir} ruleset ${jail_rulset}
+
+					# for libkvm (ab)users
+					create_dev_links ${jail_devdir} null mem
+					create_dev_links ${jail_devdir} null kmem
+
+					# create_dev_links ${jail_devdir} null console
+				fi
+
+				# Transitional symlink for old binaries
+				if [ ! -L ${jail_devdir}/log ]; then
+					create_dev_links ${jail_devdir} ../var/run/log log
+				fi
+
+				# Jail console output
+				create_dev_links ${jail_devdir} ../var/log/console console
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				mount -t procfs proc ${jail_procdir}
+			fi
+		fi
+
 		jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
 	done
 }
@@ -61,6 +113,28 @@
 jail_stop()
 {
 	kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print  $2};')
+	for _jail in ${jail_list}
+	do
+		eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+		jail_devdir="${jail_rootdir}/dev"
+		jail_procdir="${jail_rootdir}/proc"
+		eval jail_devfs=\"\$jail_${_jail}_devfs\"
+		[ -z ${jail_devfs} ] && jail_devfs="NO"
+		eval jail_procfs=\"\$jail_${_jail}_procfs\"
+		[ -z ${jail_procfs} ] && jail_procfs="NO"
+
+		if checkyesno jail_devfs; then
+			if [ -d ${jail_devdir} ] ; then
+				umount -f ${jail_devdir} >/dev/null 2>&1
+			fi
+		fi
+
+		if checkyesno jail_procfs; then
+			if [ -d ${jail_procdir} ] ; then
+				umount -f ${jail_procdir} >/dev/null 2>&1
+			fi
+		fi
+	done
 }

More information about the freebsd-current mailing list