git: 2d08f6b577e9 - main - rc.subr: add some sanity checks for service jails
Date: Fri, 14 Jun 2024 18:15:51 UTC
The branch main has been updated by netchild:
URL: https://cgit.FreeBSD.org/src/commit/?id=2d08f6b577e9d58848cd7734dc979e60fe6f0165
commit 2d08f6b577e9d58848cd7734dc979e60fe6f0165
Author: Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2024-06-14 18:10:07 +0000
Commit: Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2024-06-14 18:15:46 +0000
rc.subr: add some sanity checks for service jails
Add some sanity checks when service jails are used in jails:
- children.max > 0
- children.max - children.cur > 0
The nesting is too deep at those places to have a sane formatting, so no
line wrapping at the usual column.
If someone has a better idea how to format this: feel free to go ahead.
---
libexec/rc/rc.subr | 39 ++++++++++++++++++++++++++++++++++-----
1 file changed, 34 insertions(+), 5 deletions(-)
diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index f9d8bf9a3cc3..e540d8f7d207 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -1332,11 +1332,28 @@ run_rc_command()
start)
if [ "${_rc_svcj}" != jailing ]; then
_return=1
- $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \
- exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
- exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
- exec.consolelog="/var/log/svcj_${name}_console.log" \
- name=svcj-${name} && _return=0
+ _do_jailing=1
+
+ if check_jail jailed; then
+ if [ $(${SYSCTL_N} security.jail.children.max) -eq 0 ]; then
+ echo ERROR: jail parameter children.max is set to 0, can not create a new service jail.
+ _do_jailing=0
+ else
+ _free_jails=$(($(${SYSCTL_N} security.jail.children.max) - $(${SYSCTL_N} security.jail.children.cur)))
+ if [ ${_free_jails} -eq 0 ]; then
+ echo ERROR: max number of jail children reached, can not create a new service jail.
+ _do_jailing=0
+
+ fi
+ fi
+ fi
+ if [ ${_do_jailing} -eq 1 ]; then
+ $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \
+ exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
+ exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
+ exec.consolelog="/var/log/svcj_${name}_console.log" \
+ name=svcj-${name} && _return=0
+ fi
else
_run_rc_doit "$_cpusetcmd $_cmd $rc_extra_args" || _return=1
fi
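Review bot: The free-slot test `[ ${_free_jails} -eq 0 ]` only catches an exact zero, while the commit message states the requirement as children.max - children.cur > 0. If children.cur can ever exceed children.max (for example after the limit is lowered while children exist, which I have not confirmed the kernel prevents), the difference is negative and the guard lets `$JAIL_CMD -c` run; `[ "${_free_jails}" -le 0 ]` would match the stated intent. The unquoted `$(${SYSCTL_N} security.jail.children.max)` in the first test leaves `[` without an operand when sysctl prints nothing, so the else branch runs and the arithmetic expansion then fails. Reading each sysctl once into a variable and quoting it, e.g. `_max=$(${SYSCTL_N} security.jail.children.max)` followed by `[ "${_max:-0}" -eq 0 ]`, avoids that and the double read of children.max. The same two tests are repeated in the second hunk (`@@ -1432,6 +1449,18 @@`), whose block continues past the visible lines, and run_rc_command itself starts and ends outside both hunks.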
@@ -1432,6 +1449,18 @@ run_rc_command()
if checkyesno ${name}_svcj; then
if [ "${_rc_svcj}" != jailing ]; then
+ if check_jail jailed; then
+ if [ $(${SYSCTL_N} security.jail.children.max) -eq 0 ]; then
+ echo ERROR: jail parameter children.max is set to 0, can not create a new service jail.
+ return 1
+ else
+ _free_jails=$(($(${SYSCTL_N} security.jail.children.max) - $(${SYSCTL_N} security.jail.children.cur)))
+ if [ ${_free_jails} -eq 0 ]; then
+ echo ERROR: max number of jail children reached, can not create a new service jail.
+ return 1
+ fi
+ fi
+ fi
$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\
exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \