Date: Sun, 17 Mar 2024 05:12:41 GMT
Message-Id: <202403170512.42H5Cff2080030@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Jamie Gritton Subject: git: d50685b303e3 - main - jail: add the -C flag to clean up after a partially removed jail List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jamie X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: d50685b303e3353aa1aeaea022a80f31e3732a29 Auto-Submitted: auto-generated The branch main has been updated by jamie: URL: https://cgit.FreeBSD.org/src/commit/?id=d50685b303e3353aa1aeaea022a80f31e3732a29 commit d50685b303e3353aa1aeaea022a80f31e3732a29 Author: Jamie Gritton AuthorDate: 2024-03-17 05:11:14 +0000 Commit: Jamie Gritton CommitDate: 2024-03-17 05:11:14 +0000 jail: add the -C flag to clean up after a partially removed jail Differential Revision: https://reviews.freebsd.org/D42670 --- usr.sbin/jail/jail.8 | 9 ++++++--- usr.sbin/jail/jail.c | 56 +++++++++++++++++++++++++++++++++++++++++---------- usr.sbin/jail/jailp.h | 1 + usr.sbin/jail/state.c | 4 ++-- 4 files changed, 54 insertions(+), 16 deletions(-) diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index e49c3fe95e7f..d58192623952 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd January 17, 2024 +.Dd March 16, 2024 .Dt JAIL 8 .Os .Sh NAME @@ -33,13 +33,13 @@ .Ss From Configuration File .Nm .Op Fl cm -.Op Fl dqv +.Op Fl Cdqv .Op Fl f Ar conf_file .Op Fl p Ar limit .Op Ar jail .Nm .Op Fl r -.Op Fl qv +.Op Fl Cqv .Op Fl f Ar conf_file .Op Fl p Ar limit .Op Cm * | Ar jail ... 
@@ -144,6 +144,9 @@ jail if it does exist. .Pp Other available options are: .Bl -tag -width indent +.It Fl C +Clean up after an already-removed jail, running commands and operations +that are typically run following jail removal. .It Fl f Ar conf_file Use configuration file .Ar conf_file diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index df0a32321794..53e05870ff26 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -128,6 +128,24 @@ static const enum intparam stopcommands[] = { IP__NULL }; +static const enum intparam cleancommands[] = { + IP__NULL, + IP_EXEC_POSTSTOP, + IP_MOUNT_PROCFS, + IP_MOUNT_FDESCFS, + IP_MOUNT_DEVFS, + IP__MOUNT_FROM_FSTAB, + IP_MOUNT, +#ifdef INET6 + IP__IP6_IFADDR, +#endif +#ifdef INET + IP__IP4_IFADDR, +#endif + IP_EXEC_RELEASE, + IP__NULL +}; + int main(int argc, char **argv) { @@ -153,11 +171,14 @@ main(int argc, char **argv) cfname = CONF_FILE; JidFile = NULL; - while ((ch = getopt(argc, argv, "cde:f:hiJ:lmn:p:qrRs:u:U:v")) != -1) { + while ((ch = getopt(argc, argv, "cCde:f:hiJ:lmn:p:qrRs:u:U:v")) != -1) { switch (ch) { case 'c': op |= JF_START; break; + case 'C': + op |= JF_CLEANUP; + break; case 'd': dflag = 1; break; @@ -305,7 +326,7 @@ main(int argc, char **argv) note_remove = docf || argc > 1 || wild_jail_name(argv[0]); } else if (argc > 1 || (argc == 1 && strchr(argv[0], '='))) { /* Single jail specified on the command line */ - if (Rflag) + if (Rflag || (op & JF_CLEANUP)) usage(); docf = 0; for (i = 0; i < argc; i++) { @@ -355,7 +376,7 @@ main(int argc, char **argv) /* Find out which jails will be run. */ dep_setup(docf); error = 0; - if (op == JF_STOP) { + if ((op & JF_OP_MASK) == JF_STOP) { for (i = 0; i < argc; i++) if (start_state(argv[i], docf, op, Rflag) < 0) error = 1; 
@@ -415,22 +436,24 @@ main(int argc, char **argv) * depending on the jail's current status. */ case JF_START_SET: - j->flags = j->jid < 0 ? JF_START : JF_SET; + j->flags = j->jid < 0 + ? (j->flags & JF_CLEANUP) | JF_START : JF_SET; break; case JF_SET_RESTART: - if (j->jid < 0) { + if (j->jid < 0 && !(j->flags & JF_CLEANUP)) { jail_quoted_warnx(j, "not found", "no jail specified"); failed(j); continue; } - j->flags = rdtun_params(j, 0) ? JF_RESTART : JF_SET; + j->flags = rdtun_params(j, 0) + ? (j->flags & JF_CLEANUP) | JF_RESTART : JF_SET; if (j->flags == JF_RESTART) dep_reset(j); break; case JF_START_SET_RESTART: - j->flags = j->jid < 0 ? JF_START - : rdtun_params(j, 0) ? JF_RESTART : JF_SET; + j->flags = j->jid < 0 ? JF_START : rdtun_params(j, 0) + ? (j->flags & JF_CLEANUP) | JF_RESTART : JF_SET; if (j->flags == JF_RESTART) dep_reset(j); } @@ -449,11 +472,18 @@ main(int argc, char **argv) continue; if (j->jid > 0) goto jail_create_done; + if (j->flags & JF_CLEANUP) { + j->flags |= JF_STOP; + j->comparam = cleancommands; + } else + j->comparam = startcommands; j->comparam = startcommands; j->comstring = NULL; } if (next_command(j)) continue; + if (j->flags & JF_STOP) + goto jail_remove_done; jail_create_done: clear_persist(j); if (jfp != NULL) @@ -485,7 +515,10 @@ main(int argc, char **argv) if (j->comparam == NULL) { if (dep_check(j)) continue; - if (j->jid < 0) { + if (j->flags & JF_CLEANUP) { + j->comparam = j->jid < 0 + ? cleancommands : stopcommands; + } else if (j->jid < 0) { if (!(j->flags & (JF_DEPEND|JF_WILD))) { if (verbose >= 0) jail_quoted_warnx(j, @@ -494,7 +527,8 @@ main(int argc, char **argv) } goto jail_remove_done; } - j->comparam = stopcommands; + else + j->comparam = stopcommands; j->comstring = NULL; } else if ((j->flags & JF_FAILED) && j->jid > 0) goto jail_remove_done; 
@@ -504,7 +538,7 @@ main(int argc, char **argv) dep_done(j, 0); if ((j->flags & (JF_START | JF_FAILED)) == JF_START) { j->comparam = NULL; - j->flags &= ~JF_STOP; + j->flags &= ~(JF_STOP | JF_CLEANUP); dep_reset(j); requeue(j, j->ndeps ? &depend : &ready); } diff --git a/usr.sbin/jail/jailp.h b/usr.sbin/jail/jailp.h index 74ef2a8acab8..ccd96f5f247e 100644 --- a/usr.sbin/jail/jailp.h +++ b/usr.sbin/jail/jailp.h @@ -67,6 +67,7 @@ #define JF_TIMEOUT 0x0200 /* A command (or process kill) timed out */ #define JF_SLEEPQ 0x0400 /* Waiting on a command and/or timeout */ #define JF_FROM_RUNQ 0x0800 /* Has already been on the run queue */ +#define JF_CLEANUP 0x1000 /* -C Run post-removal commands */ #define JF_OP_MASK (JF_START | JF_SET | JF_STOP) #define JF_RESTART (JF_START | JF_STOP) diff --git a/usr.sbin/jail/state.c b/usr.sbin/jail/state.c index 6cbe879acc55..1d200beacef9 100644 --- a/usr.sbin/jail/state.c +++ b/usr.sbin/jail/state.c @@ -306,7 +306,7 @@ start_state(const char *target, int docf, unsigned state, int running) int jid; char namebuf[MAXHOSTNAMELEN]; - if (!target || (!docf && state != JF_STOP) || + if (!target || (!docf && (state & JF_OP_MASK) != JF_STOP) || (!running && !strcmp(target, "*"))) { /* * For a global wildcard (including no target specified), @@ -365,7 +365,7 @@ start_state(const char *target, int docf, unsigned state, int running) } } else { j = find_jail(target); - if (j == NULL && state == JF_STOP) { + if (j == NULL && (state & JF_OP_MASK) == JF_STOP) { /* Allow -[rR] to specify a currently running jail. */ j = running_jail(target, JAIL_DYING); }
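Review bot: In the jail.8 hunk at @@ -144,6 +144,9 @@, the new `.It Fl C` entry does not say that the flag only applies to jails taken from the configuration file; the jail.c hunk at @@ -305,7 +326,7 @@ calls `usage()` when `-C` is combined with jail parameters given on the command line, and the synopsis only lists `-C` under "From Configuration File". One sentence in the option description ("Only valid with a configuration file; with -c it applies when the jail is not currently running") would keep the manual page consistent with the check in the code.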
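Review bot: The getopt hunk at @@ -153,11 +171,14 @@ adds `C` to the option string, but no hunk in this patch touches `usage()`, so the usage message printed by `jail` should be checked against the updated jail.8 synopsis (`.Op Fl Cdqv` and `.Op Fl Cqv`) to make sure the new flag is listed there too.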
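Review bot: In the hunk at @@ -415,22 +436,24 @@, the `JF_SET_RESTART` and `JF_START_SET_RESTART` cases now OR `JF_CLEANUP` into `j->flags`, but the unchanged line right after each assignment still reads `if (j->flags == JF_RESTART) dep_reset(j);`. When `-C` is given, `j->flags` is `JF_CLEANUP | JF_RESTART`, the equality is false, and `dep_reset(j)` is skipped for exactly the restart-with-cleanup case this hunk is enabling. Compare with the mask, as the other hunks already do: `if ((j->flags & JF_OP_MASK) == JF_RESTART)`.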
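Review bot: In the hunk at @@ -449,11 +472,18 @@, the new `if (j->flags & JF_CLEANUP) { ... j->comparam = cleancommands; } else j->comparam = startcommands;` is immediately followed by the pre-existing, unchanged line `j->comparam = startcommands;`, which overwrites `comparam` unconditionally. As written, a `-cC` run of a non-running jail sets `JF_STOP` but then executes `startcommands` rather than `cleancommands`. The original `j->comparam = startcommands;` line should become a `-` line so that only the if/else assignment remains.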
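Review bot: In the hunk at @@ -494,7 +527,8 @@, the `else` that replaces the unconditional `j->comparam = stopcommands;` sits on its own line after the closing `}` of the `else if (j->jid < 0)` block. style(9) puts the `else` on the same line as the brace, so this should read `} else` followed by the indented `j->comparam = stopcommands;`, matching the `} else` form already used in the hunk at @@ -449,11 +472,18 @@.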