git: 943ad2ce5988 - stable/14 - rc: Use check_jail to check values of security.jail MIBs
Date: Wed, 30 Jul 2025 09:55:40 UTC
The branch stable/14 has been updated by 0mp:
URL: https://cgit.FreeBSD.org/src/commit/?id=943ad2ce59887a63182e5e26ea6962e978ac59bd
commit 943ad2ce59887a63182e5e26ea6962e978ac59bd
Author: Mateusz Piotrowski <0mp@FreeBSD.org>
AuthorDate: 2025-07-12 16:20:32 +0000
Commit: Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2025-07-30 09:55:24 +0000
rc: Use check_jail to check values of security.jail MIBs
PR: 282404
Reviewed by: markj, netchild
Approved by: markj (mentor)
MFC after: 2 weeks
Event: Berlin Hackathon 202507
Differential Revision: https://reviews.freebsd.org/D47329
(cherry picked from commit 46f18ecf8d3cdda1cd433841c44a4c1268ab9721)
---
libexec/rc/rc | 4 ++--
libexec/rc/rc.d/hostname | 4 ++--
libexec/rc/rc.d/routing | 2 +-
libexec/rc/rc.d/zfs | 8 ++++----
libexec/rc/rc.d/zfsbe | 2 +-
libexec/rc/rc.shutdown | 4 ++--
libexec/rc/rc.subr | 2 +-
7 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/libexec/rc/rc b/libexec/rc/rc
index 462967703d60..ae1b24a6f36d 100644
--- a/libexec/rc/rc
+++ b/libexec/rc/rc
@@ -78,9 +78,9 @@ load_rc_config
trap "_rc_conf_loaded=false; load_rc_config" ALRM
skip="-s nostart"
-if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+if check_jail jailed; then
skip="$skip -s nojail"
- if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+ if ! check_jail vnet; then
skip="$skip -s nojailvnet"
fi
fi
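Review bot: The negated form `! check_jail vnet` is not equivalent to the old `-ne 1` test when the MIB cannot be read: the old `[ ... -ne 1 ]` would have errored on empty output and taken the false branch, while the new test takes the true branch and adds `-s nojailvnet`. check_jail is defined outside this diff, so this assumes it returns non-zero both for a value of 0 and for a failed lookup. The same applies to `! check_jail vnet` in rc.shutdown, `! check_jail set_hostname_allowed` in rc.d/hostname and `! check_jail jailed` in rc.subr; the last of these now attempts protect(1) when the lookup fails, where the old `-eq 0` test skipped it. A comment such as `# check_jail is false when the MIB is 0 or cannot be read` above each negated use would make the intended default explicit.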
diff --git a/libexec/rc/rc.d/hostname b/libexec/rc/rc.d/hostname
index f6ac95c9c888..8c3fb23edd71 100755
--- a/libexec/rc/rc.d/hostname
+++ b/libexec/rc/rc.d/hostname
@@ -42,8 +42,8 @@ hostname_start()
# If we are not inside a jail, set the host name.
# If we are inside a jail, set the host name if it is permitted.
#
- if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
- if [ `$SYSCTL_N security.jail.set_hostname_allowed` -eq 0 ]; then
+ if check_jail jailed; then
+ if ! check_jail set_hostname_allowed; then
return
fi
else
diff --git a/libexec/rc/rc.d/routing b/libexec/rc/rc.d/routing
index d7113eb90722..89a5620fb5df 100755
--- a/libexec/rc/rc.d/routing
+++ b/libexec/rc/rc.d/routing
@@ -331,7 +331,7 @@ _check_dynamicrouting()
# copied from /etc/rc
skip="-s nostart"
- if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+ if check_jail jailed; then
skip="$skip -s nojail"
fi
[ -n "$local_startup" ] && find_local_scripts_new
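Review bot: The block marked `# copied from /etc/rc` in _check_dynamicrouting adds only `-s nojail`, while the /etc/rc block changed in this same commit also adds `-s nojailvnet` when `check_jail vnet` fails. If the copy is meant to track rc, the inner test is missing here: `if ! check_jail vnet; then skip="$skip -s nojailvnet"; fi`. The rest of the function lies outside the hunk, so the omission may be deliberate; a short comment saying so would keep the two copies from drifting apart.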
diff --git a/libexec/rc/rc.d/zfs b/libexec/rc/rc.d/zfs
index d7c5b20ee6d1..1e887c67f804 100755
--- a/libexec/rc/rc.d/zfs
+++ b/libexec/rc/rc.d/zfs
@@ -18,7 +18,7 @@ required_modules="zfs"
zfs_start_jail()
{
- if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
+ if check_jail mount_allowed; then
zfs mount -a
fi
}
@@ -34,7 +34,7 @@ zfs_start_main()
zfs_start()
{
- if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+ if check_jail jailed; then
zfs_start_jail
else
zfs_start_main
@@ -54,7 +54,7 @@ zfs_poststart()
zfs_stop_jail()
{
- if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
+ if check_jail mount_allowed; then
zfs unmount -a
fi
}
@@ -67,7 +67,7 @@ zfs_stop_main()
zfs_stop()
{
- if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+ if check_jail jailed; then
zfs_stop_jail
else
zfs_stop_main
diff --git a/libexec/rc/rc.d/zfsbe b/libexec/rc/rc.d/zfsbe
index 31b0a180800f..5154a35377d0 100755
--- a/libexec/rc/rc.d/zfsbe
+++ b/libexec/rc/rc.d/zfsbe
@@ -64,7 +64,7 @@ activate_bootonce()
be_start()
{
- if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+ if check_jail jailed; then
:
else
mount -p | while read _dev _mp _type _rest; do
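Review bot: The empty `then` branch holding only `:` in be_start reads more directly as a negated guard, `if ! check_jail jailed; then`, with the `mount -p` loop as its body; the rc.subr hunk of this commit already uses that form. Both forms take the same branch whether check_jail reports 0 or fails, so behaviour is unchanged. be_start's body continues past the end of the hunk.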
diff --git a/libexec/rc/rc.shutdown b/libexec/rc/rc.shutdown
index 18f67f5ca124..3dfd7a7e0936 100644
--- a/libexec/rc/rc.shutdown
+++ b/libexec/rc/rc.shutdown
@@ -83,9 +83,9 @@ fi
# and perform the operation
#
rcorder_opts="-k shutdown"
-if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+if check_jail jailed; then
rcorder_opts="$rcorder_opts -s nojail"
- if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+ if ! check_jail vnet; then
rcorder_opts="$rcorder_opts -s nojailvnet"
fi
fi
diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index 61c10370250e..75110a0313cd 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -1314,7 +1314,7 @@ $_cpusetcmd $command $rc_flags $command_args"
start)
# We cannot use protect(1) inside jails.
if [ -n "$_oomprotect" ] && [ -f "${PROTECT}" ] &&
- [ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then
+ ! check_jail jailed; then
[ -z "${rc_pid}" ] && eval $_pidcmd
case $_oomprotect in
[Aa][Ll][Ll])