svn commit: r256385 - in head: etc/rc.d share/man/man5 usr.sbin/jail

Hiroki Sato hrs at FreeBSD.org
Sat Oct 12 17:28:01 UTC 2013


Author: hrs
Date: Sat Oct 12 17:27:59 2013
New Revision: 256385
URL: http://svnweb.freebsd.org/changeset/base/256385

Log:
  - Add mount.fdescfs parameter to jail(8). This is similar to
    mount.devfs but mounts fdescfs.  The mount happens just after
    mount.devfs.
  
  - rc.d/jail now displays the whole error message from jail(8) when a jail
    fails to start.
  
  Approved by:	re (gjb)

Modified:
  head/etc/rc.d/jail
  head/share/man/man5/rc.conf.5
  head/usr.sbin/jail/command.c
  head/usr.sbin/jail/config.c
  head/usr.sbin/jail/jail.8
  head/usr.sbin/jail/jail.c
  head/usr.sbin/jail/jailp.h

Modified: head/etc/rc.d/jail
==============================================================================
--- head/etc/rc.d/jail	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/etc/rc.d/jail	Sat Oct 12 17:27:59 2013	(r256385)
@@ -226,8 +226,7 @@ parse_options()
 
 		eval : \${jail_${_j}_fdescfs_enable:=${jail_fdescfs_enable:-NO}}
 		if checkyesno jail_${_j}_fdescfs_enable; then
-			echo "	mount += " \
-			    "\"fdescfs ${_rootdir%/}/dev/fd fdescfs rw 0 0\";"
+			echo "	mount.fdescfs;"
 		fi
 		eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}}
 		if checkyesno jail_${_j}_procfs_enable; then
@@ -438,7 +437,7 @@ jail_start()
 			echo -n " ${_hostname:-${_jail}}"
 		else
 			echo " cannot start jail \"${_hostname:-${jail}}\": "
-			tail +2 $_tmp
+			cat $_tmp
 		fi
 		rm -f $_tmp
 	done
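Review bot: The new `cat $_tmp` keeps `$_tmp` unquoted, as does the `rm -f $_tmp` just below it, so the temporary path is subject to word splitting and globbing; `cat "$_tmp"` and `rm -f "$_tmp"` are the robust forms regardless of how `_tmp` is created. The context line above expands `${jail}` where the sibling line two lines earlier uses `${_jail}`, which looks like a pre-existing typo worth a separate follow-up rather than part of this change. jail_start's body begins and ends outside the hunk.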

Modified: head/share/man/man5/rc.conf.5
==============================================================================
--- head/share/man/man5/rc.conf.5	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/share/man/man5/rc.conf.5	Sat Oct 12 17:27:59 2013	(r256385)
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 10, 2013
+.Dd October 12, 2013
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -3992,9 +3992,7 @@ set from
 .Va jail_ Ns Ao Ar jname Ac Ns Va _fstab
 .It Li mount
 set from
-.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
-or
-.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable.
+.Va jail_ Ns Ao Ar jname Ac Ns Va _procfs_enable .
 .It Li exec.fib
 set from
 .Va jail_ Ns Ao Ar jname Ac Ns Va _fib
@@ -4042,6 +4040,9 @@ set from
 .Va jail_ Ns Ao Ar jname Ac Ns Va _devfs_ruleset .
 This must be an integer,
 not a string.
+.It Li mount.fdescfs
+set from
+.Va jail_ Ns Ao Ar jname Ac Ns Va _fdescfs_enable
 .It Li allow.set_hostname
 set from
 .Va jail_ Ns Ao Ar jname Ac Ns Va _set_hostname_allow

Modified: head/usr.sbin/jail/command.c
==============================================================================
--- head/usr.sbin/jail/command.c	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/usr.sbin/jail/command.c	Sat Oct 12 17:27:59 2013	(r256385)
@@ -106,7 +106,12 @@ next_command(struct cfjail *j)
 			case IP_MOUNT_DEVFS:
 				if (!bool_param(j->intparams[IP_MOUNT_DEVFS]))
 					continue;
-				/* FALLTHROUGH */
+				j->comstring = &dummystring;
+				break;
+			case IP_MOUNT_FDESCFS:
+				if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
+					continue;
+				j->comstring = &dummystring;
 			case IP__OP:
 			case IP_STOP_TIMEOUT:
 				j->comstring = &dummystring;
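Review bot: The new `case IP_MOUNT_FDESCFS:` arm assigns `j->comstring = &dummystring;` and then runs straight into `case IP__OP:` with neither a `break;` nor the `/* FALLTHROUGH */` marker the hunk removes from the IP_MOUNT_DEVFS arm, so the IP__OP arm repeats the same assignment. Since IP_MOUNT_DEVFS now ends with `break;`, the fdescfs arm should mirror it: add `break;` after the assignment, or drop the assignment and keep an explicit `/* FALLTHROUGH */`. The observable result is the same today, but the silent fall-through trips -Wimplicit-fallthrough and reads as an oversight. The enclosing switch in next_command begins and ends outside the hunk.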
@@ -452,6 +457,32 @@ run_command(struct cfjail *j)
 		}
 		break;
 
+	case IP_MOUNT_FDESCFS:
+		argv = alloca(7 * sizeof(char *));
+		path = string_param(j->intparams[KP_PATH]);
+		if (path == NULL) {
+			jail_warnx(j, "mount.fdescfs: no path");
+			return -1;
+		}
+		devpath = alloca(strlen(path) + 8);
+		sprintf(devpath, "%s/dev/fd", path);
+		if (check_path(j, "mount.fdescfs", devpath, 0,
+		    down ? "fdescfs" : NULL) < 0)
+			return -1;
+		if (down) {
+			*(const char **)&argv[0] = "/sbin/umount";
+			argv[1] = devpath;
+			argv[2] = NULL;
+		} else {
+			*(const char **)&argv[0] = _PATH_MOUNT;
+			*(const char **)&argv[1] = "-t";
+			*(const char **)&argv[2] = "fdescfs";
+			*(const char **)&argv[3] = ".";
+			argv[4] = devpath;
+			argv[5] = NULL;
+		}
+		break;
+
 	case IP_COMMAND:
 		if (j->name != NULL)
 			goto default_command;
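Review bot: `devpath` is sized by hand as `strlen(path) + 8` and then filled with an unbounded `sprintf`, so the allocation and the `"%s/dev/fd"` format string have to be kept in sync by eye; deriving the size from the literal and bounding the write removes that coupling: `size_t dlen = strlen(path) + sizeof("/dev/fd");` / `devpath = alloca(dlen);` / `snprintf(devpath, dlen, "%s/dev/fd", path);`. The argv block is allocated for 7 entries while at most 6 are used, which is harmless but deserves a comment if it is copied from the devfs case. Both alloca calls grow with the configured path length, which is presumably acceptable only because KP_PATH comes from the jail configuration rather than from inside the jail; that assumption is worth a one-line comment. run_command continues outside the hunk on both sides.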

Modified: head/usr.sbin/jail/config.c
==============================================================================
--- head/usr.sbin/jail/config.c	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/usr.sbin/jail/config.c	Sat Oct 12 17:27:59 2013	(r256385)
@@ -83,6 +83,7 @@ static const struct ipspec intparams[] =
 #endif
     [IP_MOUNT] =		{"mount",		PF_INTERNAL | PF_REV},
     [IP_MOUNT_DEVFS] =		{"mount.devfs",		PF_INTERNAL | PF_BOOL},
+    [IP_MOUNT_FDESCFS] =	{"mount.fdescfs",	PF_INTERNAL | PF_BOOL},
     [IP_MOUNT_FSTAB] =		{"mount.fstab",		PF_INTERNAL},
     [IP_STOP_TIMEOUT] =		{"stop.timeout",	PF_INTERNAL | PF_INT},
     [IP_VNET_INTERFACE] =	{"vnet.interface",	PF_INTERNAL},

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/usr.sbin/jail/jail.8	Sat Oct 12 17:27:59 2013	(r256385)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 23, 2013
+.Dd October 12, 2013
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -682,7 +682,7 @@ to.
 An alias for each address will be added to the interface before the
 prison is created, and will be removed from the interface after the
 prison is removed.
-.It Op Va ip4.addr
+.It Va ip4.addr
 In addition to the IP addresses that are passed to the kernel, and
 interface and/or a netmask may also be specified, in the form
 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar netmask .
@@ -691,7 +691,7 @@ will be added to that interface, as it i
 .Va interface
 parameter.  If a netmask in either dotted-quad or CIDR form is given
 after IP address, it will be used when adding the IP alias.
-.It Op Va ip6.addr
+.It Va ip6.addr
 In addition to the IP addresses that are passed to the kernel,
 and interface and/or a prefix may also be specified, in the form
 .Dq Ar interface Ns | Ns Ar ip-address Ns / Ns Ar prefix .
@@ -722,11 +722,19 @@ An
 format file containing filesystems to mount before creating a jail.
 .It Va mount.devfs
 Mount a
-.Xr devfs
-filesystem on the chrooted /dev directory, and apply the ruleset in the
+.Xr devfs 5
+filesystem on the chrooted
+.Pa /dev
+directory, and apply the ruleset in the
 .Va devfs_ruleset
 parameter (or a default of ruleset 4: devfsrules_jail)
 to restrict the devices visible inside the prison.
+.It Va mount.fdescfs
+Mount a
+.Xr fdescfs 5
+filesystem on the chrooted
+.Pa /dev/fd
+directory.
 .It Va allow.dying
 Allow making changes to a
 .Va dying
@@ -1165,6 +1173,8 @@ environment of the first jail.
 .Xr ps 1 ,
 .Xr quota 1 ,
 .Xr jail_set 2 ,
+.Xr devfs 5 ,
+.Xr fdescfs 5 ,
 .Xr jail.conf 5 ,
 .Xr procfs 5 ,
 .Xr rc.conf 5 ,

Modified: head/usr.sbin/jail/jail.c
==============================================================================
--- head/usr.sbin/jail/jail.c	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/usr.sbin/jail/jail.c	Sat Oct 12 17:27:59 2013	(r256385)
@@ -92,6 +92,7 @@ static const enum intparam startcommands
     IP_MOUNT,
     IP__MOUNT_FROM_FSTAB,
     IP_MOUNT_DEVFS,
+    IP_MOUNT_FDESCFS,
     IP_EXEC_PRESTART, 
     IP__OP,
     IP_VNET_INTERFACE,
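Review bot: Placing IP_MOUNT_FDESCFS directly after IP_MOUNT_DEVFS in startcommands, and before it in stopcommands in the second hunk of this file, encodes a real ordering constraint — the fdescfs mount point /dev/fd sits inside the devfs mount — but neither table says so. A comment on the new line, `IP_MOUNT_FDESCFS,	/* after devfs: /dev/fd is inside /dev */`, and its mirror in stopcommands, `/* before devfs: unmount the nested fs first */`, would keep a future reordering from leaving /dev busy at unmount. Both arrays start outside the hunks.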
@@ -108,6 +109,7 @@ static const enum intparam stopcommands[
     IP_STOP_TIMEOUT,
     IP__OP,
     IP_EXEC_POSTSTOP,
+    IP_MOUNT_FDESCFS,
     IP_MOUNT_DEVFS,
     IP__MOUNT_FROM_FSTAB,
     IP_MOUNT,

Modified: head/usr.sbin/jail/jailp.h
==============================================================================
--- head/usr.sbin/jail/jailp.h	Sat Oct 12 16:11:57 2013	(r256384)
+++ head/usr.sbin/jail/jailp.h	Sat Oct 12 17:27:59 2013	(r256385)
@@ -95,6 +95,7 @@ enum intparam {
 #endif
 	IP_MOUNT,		/* Mount points in fstab(5) form */
 	IP_MOUNT_DEVFS,		/* Mount /dev under prison root */
+	IP_MOUNT_FDESCFS,	/* Mount /dev/fd under prison root */
 	IP_MOUNT_FSTAB,		/* A standard fstab(5) file */
 	IP_STOP_TIMEOUT,	/* Time to wait after sending SIGTERM */
 	IP_VNET_INTERFACE,	/* Assign interface(s) to vnet jail */

