[PATCH] jail NG schript patch for mounting devfs and procfs
automatically
Mike Makonnen
mtm at identd.net
Fri Aug 1 16:29:31 PDT 2003
On Tue, Jul 29, 2003 at 08:27:07PM +0200, Jens Rehsack wrote:
> On 29.07.2003 19:21, Mike Makonnen wrote:
>
> >On Tue, Jul 29, 2003 at 07:08:38PM +0200, Jens Rehsack wrote:
> >Yeah, I'll take care of this. I had asked scott to mail me his final
> >patch so I could commit it, but I never heard back from him. I'll
> >dig out the revisions from my mail archives and combine the
> >two.
>
> You can mail me the patch first, so that I can test it before you
> commit it, if you want.
Hi Jens,
Can you apply the attached patches and let me know how it goes?
Cheers.
--
Mike Makonnen | GPG-KEY: http://www.identd.net/~mtm/mtm.asc
mtm at identd.net | D228 1A6F C64E 120A A1C9 A3AA DAE1 E2AF DBCC 68B9
mtm at FreeBSD.Org| FreeBSD - Unleash the Daemon!
-------------- next part --------------
Index: etc/rc.subr
===================================================================
RCS file: /home/ncvs/src/etc/rc.subr,v
retrieving revision 1.13
diff -u -r1.13 rc.subr
--- etc/rc.subr 9 Jun 2003 17:31:06 -0000 1.13
+++ etc/rc.subr 1 Aug 2003 23:05:21 -0000
@@ -1033,3 +1033,160 @@
esac
fi
}
+
+# devfs_init_rulesets
+# Initialize default system supplied rulesets.
+#
+devfs_init_rulesets()
+{
+ local rsHide rsBasic rsLogin rsJail _me
+ rsHide=$devfs_ruleset_hide
+ rsBasic=$devfs_ruleset_basic
+ rsLogin=$devfs_ruleset_login
+ rsJail=$devfs_ruleset_jail
+ _me="devfs_init_rulesets"
+
+ # Go through this only once
+ if [ -n "$devfs_rulesets_init" ]; then
+ debug "$_me: devfs rulesets already initialized"
+ return
+ fi
+
+ # Hide: Hide all devices
+ #
+ /sbin/devfs rule -s $rsHide delset
+ /sbin/devfs rule -s $rsHide add hide
+
+ # Basic: Basic devices typically necessary
+ #
+ /sbin/devfs rule -s $rsBasic delset
+ /sbin/devfs rule -s $rsBasic add path null unhide
+ /sbin/devfs rule -s $rsBasic add path zero unhide
+ /sbin/devfs rule -s $rsBasic add path random unhide
+ /sbin/devfs rule -s $rsBasic add path urandom unhide
+
+ # Login: Devices typically needed to support loged-in users
+ #
+ /sbin/devfs rule -s $rsLogin delset
+ /sbin/devfs rule -s $rsLogin add path 'ptyp*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyq*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyr*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptys*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyP*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyQ*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyR*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ptyS*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyp*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyq*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyr*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttys*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyP*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyQ*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyR*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'ttyS*' unhide
+ /sbin/devfs rule -s $rsLogin add path 'fd/*' unhide
+ /sbin/devfs rule -s $rsLogin add path stdin unhide
+ /sbin/devfs rule -s $rsLogin add path stdout unhide
+ /sbin/devfs rule -s $rsLogin add path stderr unhide
+
+ # Jail: Devices typically usefull in a jail
+ #
+ /sbin/devfs rule -s $rsJail add path '*' include $rsHide
+ /sbin/devfs rule -s $rsJail add path '*' include $rsBasic
+ /sbin/devfs rule -s $rsJail add path '*' include $rsLogin
+
+ devfs_rulesets_init=1
+ debug "$_me: devfs rulesets initialized"
+}
+
+# devfs_set_ruleset ruleset [dir]
+# Sets the default ruleset of dir to ruleset.
+# Returns non-zero if it could not set it successfully.
+#
+devfs_set_ruleset()
+{
+ local devdir rs _me
+ rs=$1
+ [ -n "$2" ] && devdir="-m "$2"" || devdir=
+ _me="devfs_set_ruleset"
+
+ if [ -z "$rs" ]; then
+ warn "$_me: you must specify a ruleset number"
+ return 1
+ fi
+ debug "$_me: setting ruleset ($rs) on mount-point (${devdir#-m })"
+ if ! /sbin/devfs $devdir ruleset $rs ; then
+ warn "$_me: unable to set ruleset $rs to ${devdir#-m }"
+ return 1
+ fi
+ return 0
+}
+
+# devfs_apply_ruleset ruleset [dir]
+# Apply ruleset number $ruleset to the devfs mountpoint $dir.
+# Returns 0 on success or non-zero if it could not apply
+# the ruleset.
+#
+devfs_apply_ruleset()
+{
+ local devdir rs _me
+ rs=$1
+ [ -n "$2" ] && devdir="-m "$2"" || devdir=
+ _me="devfs_apply_ruleset"
+
+ if [ -z "$rs" ]; then
+ warn "$_me: you must specify a ruleset"
+ return 1
+ fi
+ debug "$_me: applying ruleset ($rs) to mount-point (${devdir#-m })"
+ if ! /sbin/devfs $devdir rule -s $rs applyset ; then
+ warn "$_me: unable to apply ruleset $rs to ${devdir#-m }"
+ return 1
+ fi
+ return 0
+}
+
+# devfs_domount dir [ruleset]
+# Mount devfs on dir. If ruleset is specified it is set
+# on the mount-point. Returns 0 on success.
+#
+devfs_domount()
+{
+ local devdir rs _me
+ devdir="$1"
+ [ -n "$2" ] && rs=$2 || rs=
+ _me="devfs_domount()"
+
+ if [ -z "$devdir" ]; then
+ warn "$_me: you must specify a mount-point"
+ return 1
+ fi
+ debug "$_me: mount-point is ($devdir), ruleset is ($rs)"
+ if ! mount -t devfs dev "$devdir" ; then
+ warn "$_me: Unable to mount devfs on $devdir"
+ return 1
+ fi
+ if [ -n "$rs" ]; then
+ devfs_init_rulesets
+ devfs_set_ruleset $rs $devdir
+ fi
+ return 0
+}
+
+# devfs_mount_jail dir
+# Mounts a devfs file system appropriate for jails
+# on the directory dir. Returns non-zero if an error
+# occured.
+#
+devfs_mount_jail()
+{
+ local jdev _me
+ jdev="$1"
+ _me="devfs_mount_jail"
+
+ if ! devfs_domount "$jdev" $devfs_ruleset_jail; then
+ warn "$_me: devfs was not mounted on $jdev"
+ return 1
+ fi
+ return 0
+}
-------------- next part --------------
Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.182
diff -u -r1.182 rc.conf
--- etc/defaults/rc.conf 28 Jul 2003 13:09:00 -0000 1.182
+++ etc/defaults/rc.conf 1 Aug 2003 23:28:22 -0000
@@ -426,12 +426,35 @@
harvest_ethernet="YES" # Entropy device harvests ethernet randomness
harvest_p_to_p="YES" # Entropy device harvests point-to-point randomness
dmesg_enable="YES" # Save dmesg(8) to /var/run/dmesg.boot
-jail_enable="NO" # Set to NO to disable starting of any jails
-jail_list="" # Space separated list of names of jails
-jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
-jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
watchdogd_enable="NO" # Start the software watchdog daemon
+devfs_ruleset_hide="1" # The number of the default hide ruleset (rc.subr(8))
+devfs_ruleset_basic="2" # The number of the default basic ruleset (rc.subr(8))
+devfs_ruleset_login="3" # The number of the default login ruleset (rc.subr(8))
+devfs_ruleset_jail="123" # The number of the default jail ruleset (rc.subr(8))
+
+##############################################################
+### Jail Configuration #######################################
+##############################################################
+jail_enable="NO" # Set to NO to disable starting of any jails
+jail_list="" # Space separated list of names of jails
+jail_set_hostname_allow="YES" # Allow the root user in a jail to change its
+ # hostname
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
+jail_stop_jailer="NO" # Only stop jailer. Requires jail_*_exec be set
+ # to use sysutils/jailer port to start the jail.
+
+#
+# To use rc's built-in jail infrastructure create entries for
+# each jail, specified in jail_list, with the following variables.
+# NOTE: replace 'example' with the jail's name.
+#
+#jail_example_rootdir="/usr/jail/default" # Jail's root directory
+#jail_example_hostname="default.domain.com" # Jail's hostname
+#jail_example_ip="192.168.0.10" # Jail's IP number
+#jail_example_exec="/bin/sh /etc/rc" # command to execute in jail
+#jail_example_devfs_enable="NO" # mount devfs in the jail
+#jail_example_procfs_enable="NO" # mount procfs in jail
##############################################################
### Define source_rc_confs, the mechanism used by /etc/rc.* ##
Index: etc/rc.d/jail
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/jail,v
retrieving revision 1.4
diff -u -r1.4 jail
--- etc/rc.d/jail 5 May 2003 15:38:41 -0000 1.4
+++ etc/rc.d/jail 1 Aug 2003 23:11:36 -0000
@@ -6,7 +6,7 @@
# PROVIDE: jail
# REQUIRE: LOGIN
# BEFORE: securelevel
-# KEYWORD: FreeBSD
+# KEYWORD: FreeBSD shutdown
. /etc/rc.subr
@@ -50,18 +50,77 @@
for _jail in ${jail_list}
do
eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+ jail_devdir="${jail_rootdir}/dev"
+ jail_procdir="${jail_rootdir}/proc"
+
eval jail_hostname=\"\$jail_${_jail}_hostname\"
eval jail_ip=\"\$jail_${_jail}_ip\"
eval jail_exec=\"\$jail_${_jail}_exec\"
[ -z ${jail_exec} ] && jail_exec="/bin/sh /etc/rc"
-
+
+ eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+ [ -z ${jail_devfs} ] && jail_devfs="NO"
+
+ eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+ [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+ if checkyesno jail_devfs; then
+ info "Mounting devfs on ${jail_devdir}"
+ devfs_mount_jail "${jail_devdir}"
+
+ # Transitional symlink for old binaries
+ if [ ! -L ${jail_devdir}/log ]; then
+ devfs_link ${jail_devdir} ../var/run/log log
+ fi
+
+ # Jail console output
+ devfs_link ${jail_devdir} ../var/log/console console
+ fi
+
+ if checkyesno jail_procfs; then
+ info "Mounting procfs onto ${jail_procdir}"
+ if [ -d ${jail_procdir} ] ; then
+ mount -t procfs proc ${jail_procdir}
+ fi
+ fi
+
jail ${jail_rootdir} ${jail_hostname} ${jail_ip} ${jail_exec}
done
}
jail_stop()
{
- kill -TERM $(ps aux | awk '$8 ~ /.*J/ {print $2};')
+ if checkyesno jail_stop_jailer; then
+ rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print $2};')
+ else
+ rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print $2};')
+ fi
+ if [ -n "${rc_pid}" ]; then
+ kill -TERM $rc_pid
+ wait_for_pids $rc_pid
+ fi
+ for _jail in ${jail_list}
+ do
+ eval jail_rootdir=\"\$jail_${_jail}_rootdir\"
+ jail_devdir="${jail_rootdir}/dev"
+ jail_procdir="${jail_rootdir}/proc"
+ eval jail_devfs=\"\$jail_${_jail}_devfs_enable\"
+ [ -z ${jail_devfs} ] && jail_devfs="NO"
+ eval jail_procfs=\"\$jail_${_jail}_procfs_enable\"
+ [ -z ${jail_procfs} ] && jail_procfs="NO"
+
+ if checkyesno jail_devfs; then
+ if [ -d ${jail_devdir} ] ; then
+ umount -f ${jail_devdir} >/dev/null 2>&1
+ fi
+ fi
+
+ if checkyesno jail_procfs; then
+ if [ -d ${jail_procdir} ] ; then
+ umount -f ${jail_procdir} >/dev/null 2>&1
+ fi
+ fi
+ done
}
More information about the freebsd-current
mailing list