git: d8f021add40c - main - jail: add JID, JNAME and JPATH to environment for exec.* commands

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Warner Losh <imp_at_FreeBSD.org>
Date: Fri, 13 Jun 2025 01:21:52 UTC
The branch main has been updated by imp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d8f021add40c321c4578da55dae52fb93c7ccb5f

commit d8f021add40c321c4578da55dae52fb93c7ccb5f
Author:     Quentin Thébault <quentin.thebault@defenso.fr>
AuthorDate: 2025-03-05 09:51:06 +0000
Commit:     Warner Losh <imp@FreeBSD.org>
CommitDate: 2025-06-13 01:21:45 +0000

    jail: add JID, JNAME and JPATH to environment for exec.* commands
    
    Although variable substitution is available in the jail configuration
    file, the jail identifier is often not since it is dynamically
    attributed at run time.
    
    In order to facilitate scripting of exec.* commands executed on the
    system, this change sets the JID, JNAME and JPATH environment variables.
    
    These variables are not added when using exec.clean. Neither are they
    for commands executed inside jails, to avoid disclosing information
    about the host system.
    
    Reviewed by: imp
    Pull Request: https://github.com/freebsd/freebsd-src/pull/1609
    Closes: https://github.com/freebsd/freebsd-src/pull/1609
---
 usr.sbin/jail/command.c                | 14 +++++++++++++-
 usr.sbin/jail/jail.8                   | 21 +++++++++++++++++++++
 usr.sbin/jail/tests/commands.jail.conf |  3 +++
 usr.sbin/jail/tests/jail_basic_test.sh | 11 +++++++++--
 4 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/jail/command.c b/usr.sbin/jail/command.c
index fe6563230bde..8ea3f3ee8795 100644
--- a/usr.sbin/jail/command.c
+++ b/usr.sbin/jail/command.c
@@ -290,7 +290,7 @@ run_command(struct cfjail *j)
 	const struct cfstring *comstring, *s;
 	login_cap_t *lcap;
 	const char **argv;
-	char *acs, *cs, *comcs, *devpath;
+	char *acs, *ajidstr, *cs, *comcs, *devpath;
 	const char *jidstr, *conslog, *fmt, *path, *ruleset, *term, *username;
 	enum intparam comparam;
 	size_t comlen, ret;
@@ -795,6 +795,18 @@ run_command(struct cfjail *j)
 		}
 		endpwent();
 	}
+	if (!injail) {
+		if (asprintf(&ajidstr, "%d", j->jid) == -1) {
+			jail_warnx(j, "asprintf jid=%d: %s", j->jid,
+				strerror(errno));
+			exit(1);
+		}
+		setenv("JID", ajidstr, 1);
+		free(ajidstr);
+		setenv("JNAME", string_param(j->intparams[KP_NAME]), 1);
+		path = string_param(j->intparams[KP_PATH]);
+		setenv("JPATH", path ? path : "", 1);
+	}
 
 	if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) {
 		jail_warnx(j, "exec.consolelog: %s", strerror(errno));
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 8d7bc25a8694..dd7b91d5cefa 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -858,6 +858,22 @@ commands in sequence.
 All commands must succeed (return a zero exit status), or the jail will
 not be created or removed, as appropriate.
 .Pp
+The following variables are added to the environment:
+.Bl -tag -width indent -offset indent
+.It Ev JID
+The
+.Va jid ,
+or jail identifier.
+.It Ev JNAME
+The
+.Va name
+of the jail.
+.It Ev JPATH
+The
+.Va path
+of the jail.
+.El
+.Pp
 The pseudo-parameters are:
 .Bl -tag -width indent
 .It Va exec.prepare
@@ -922,6 +938,11 @@ is imported from the current environment.
 is set to "/bin:/usr/bin".
 The environment variables from the login class capability database for the
 target login are also set.
+.Ev JID ,
+.Ev JNAME ,
+and
+.Ev JPATH
+are not set.
 If a user is specified (as with
 .Va exec.jail_user ) ,
 commands are run from that (possibly jailed) user's directory.
diff --git a/usr.sbin/jail/tests/commands.jail.conf b/usr.sbin/jail/tests/commands.jail.conf
index 4ea24ec6b058..afd56d1fa5d6 100644
--- a/usr.sbin/jail/tests/commands.jail.conf
+++ b/usr.sbin/jail/tests/commands.jail.conf
@@ -1,6 +1,9 @@
 
 exec.prestop = "echo STOP";
 exec.prestart = "echo START";
+exec.poststart = "env";
 persist;
 
+path = "/tmp/test_${name}_root";
+
 basejail {}
diff --git a/usr.sbin/jail/tests/jail_basic_test.sh b/usr.sbin/jail/tests/jail_basic_test.sh
index 5d67f42c2d56..6498eb1c1fdc 100755
--- a/usr.sbin/jail/tests/jail_basic_test.sh
+++ b/usr.sbin/jail/tests/jail_basic_test.sh
@@ -129,13 +129,19 @@ commands_head()
 {
 	atf_set descr 'Commands jail test'
 	atf_set require.user root
+	mkdir /tmp/test_basejail_root
 }
 
 commands_body()
 {
-	# exec.prestart
-	atf_check -s exit:0 -o inline:"START\n" \
+	# exec.prestart (START) and exec.poststart (env)
+	atf_check -s exit:0 -o save:stdout -e empty \
 		jail -f $(atf_get_srcdir)/commands.jail.conf -qc basejail
+	grep -E '^START$' stdout || atf_fail "exec.prestart output not found"
+	grep -E '^JID=[0-9]+' stdout || atf_fail "JID not found in exec.poststart env output"
+	grep -E '^JNAME=basejail$' stdout || atf_fail "JNAME not found in exec.poststart env output"
+	grep -E '^JPATH=/tmp/test_basejail_root$' stdout || atf_fail "JPATH not found in exec.poststart env output"
+
 	# exec.prestop by jailname
 	atf_check -s exit:0 -o inline:"STOP\n" \
 		jail -f $(atf_get_srcdir)/commands.jail.conf -qr basejail 
@@ -152,6 +158,7 @@ commands_cleanup()
 	then
 	    jail -r basejail
 	fi
+	rmdir /tmp/test_basejail_root
 }
 
 atf_init_test_cases()