git: f99f0ee14e3a - main - rc.d: add a service jails config to all base system services

From: Alexander Leidinger <netchild_at_FreeBSD.org>
Date: Wed, 22 May 2024 13:41:55 UTC
The branch main has been updated by netchild:

URL: https://cgit.FreeBSD.org/src/commit/?id=f99f0ee14e3af81c23150a6a340259ca8a33d01a

commit f99f0ee14e3af81c23150a6a340259ca8a33d01a
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2024-05-22 13:31:47 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2024-05-22 13:41:49 +0000

    rc.d: add a service jails config to all base system services
    
    This gives more permissions to services (e.g. network access to
    services which require this) when they are started as an automatic
    service jail.
    
    The sshd patch is important for the sshd-related functionality as
    described in the man-page in the service jails part.
    
    The location of the added env vars is supposed to allow overriding them
    in rc.conf, and to hard-disable the use of svcj for some parts where it
    doesn't make sense or will not work.
    
    Only a subset of all of the services is fully tested (I have been
    running this for more than a year with various services started as
    service jails).
    The untested parts should be most of the time ok, in some edge-cases
    more permissions are needed inside the service jail.
    Differential Revision:  https://reviews.freebsd.org/D40371
---
 libexec/rc/rc.d/accounting         |  4 ++++
 libexec/rc/rc.d/adjkerntz          |  4 ++++
 libexec/rc/rc.d/apm                |  4 ++++
 libexec/rc/rc.d/apmd               |  4 ++++
 libexec/rc/rc.d/auditd             |  4 ++++
 libexec/rc/rc.d/auditdistd         |  2 ++
 libexec/rc/rc.d/automount          |  4 ++++
 libexec/rc/rc.d/automountd         |  4 ++++
 libexec/rc/rc.d/autounmountd       |  4 ++++
 libexec/rc/rc.d/bgfsck             |  4 ++++
 libexec/rc/rc.d/blacklistd         |  3 +++
 libexec/rc/rc.d/bluetooth          |  3 +++
 libexec/rc/rc.d/bootparams         |  2 ++
 libexec/rc/rc.d/bridge             |  4 ++++
 libexec/rc/rc.d/bsnmpd             |  2 ++
 libexec/rc/rc.d/bthidd             |  3 +++
 libexec/rc/rc.d/ccd                |  4 ++++
 libexec/rc/rc.d/cfumass            |  4 ++++
 libexec/rc/rc.d/cleanvar           |  4 ++++
 libexec/rc/rc.d/cleartmp           |  4 ++++
 libexec/rc/rc.d/cron               |  5 +++++
 libexec/rc/rc.d/ctld               |  4 ++++
 libexec/rc/rc.d/ddb                |  3 +++
 libexec/rc/rc.d/defaultroute       |  4 ++++
 libexec/rc/rc.d/devd               |  4 ++++
 libexec/rc/rc.d/devfs              |  4 ++++
 libexec/rc/rc.d/devmatch           |  4 ++++
 libexec/rc/rc.d/dhclient           |  3 +++
 libexec/rc/rc.d/dmesg              |  4 ++++
 libexec/rc/rc.d/dnctl              |  3 +++
 libexec/rc/rc.d/dumpon             |  4 ++++
 libexec/rc/rc.d/fsck               |  4 ++++
 libexec/rc/rc.d/ftp-proxy          |  2 ++
 libexec/rc/rc.d/ftpd               | 10 ++++------
 libexec/rc/rc.d/geli               |  4 ++++
 libexec/rc/rc.d/geli2              |  4 ++++
 libexec/rc/rc.d/ggated             |  3 +++
 libexec/rc/rc.d/gptboot            |  4 ++++
 libexec/rc/rc.d/growfs             |  4 ++++
 libexec/rc/rc.d/growfs_fstab       |  4 ++++
 libexec/rc/rc.d/gssd               |  2 ++
 libexec/rc/rc.d/hastd              |  4 ++++
 libexec/rc/rc.d/hcsecd             |  3 +++
 libexec/rc/rc.d/hostapd            |  4 ++++
 libexec/rc/rc.d/hostid             |  4 ++++
 libexec/rc/rc.d/hostid_save        |  4 ++++
 libexec/rc/rc.d/hostname           |  4 ++++
 libexec/rc/rc.d/inetd              |  2 ++
 libexec/rc/rc.d/iovctl             |  4 ++++
 libexec/rc/rc.d/ip6addrctl         |  4 ++++
 libexec/rc/rc.d/ipfilter           |  3 +++
 libexec/rc/rc.d/ipfs               |  4 ++++
 libexec/rc/rc.d/ipfw               |  3 +++
 libexec/rc/rc.d/ipfw_netflow       |  3 +++
 libexec/rc/rc.d/ipmon              |  3 +++
 libexec/rc/rc.d/ipnat              |  3 +++
 libexec/rc/rc.d/ippool             |  4 ++++
 libexec/rc/rc.d/ipropd_master      | 12 ++++++++----
 libexec/rc/rc.d/ipropd_slave       | 14 +++++++++-----
 libexec/rc/rc.d/ipsec              |  4 ++++
 libexec/rc/rc.d/iscsictl           |  4 ++++
 libexec/rc/rc.d/iscsid             |  4 ++++
 libexec/rc/rc.d/jail               |  4 ++++
 libexec/rc/rc.d/kadmind            | 10 +++-------
 libexec/rc/rc.d/kdc                |  1 +
 libexec/rc/rc.d/keyserv            |  2 ++
 libexec/rc/rc.d/kfd                |  8 ++------
 libexec/rc/rc.d/kld                |  4 ++++
 libexec/rc/rc.d/kldxref            |  4 ++++
 libexec/rc/rc.d/kpasswdd           | 10 +++-------
 libexec/rc/rc.d/ldconfig           |  4 ++++
 libexec/rc/rc.d/linux              |  4 ++++
 libexec/rc/rc.d/local              |  4 ++++
 libexec/rc/rc.d/local_unbound      |  1 +
 libexec/rc/rc.d/localpkg           |  6 ++++++
 libexec/rc/rc.d/lockd              |  7 +++++--
 libexec/rc/rc.d/lpd                |  2 ++
 libexec/rc/rc.d/mdconfig           |  3 +++
 libexec/rc/rc.d/mdconfig2          |  3 +++
 libexec/rc/rc.d/mixer              |  4 ++++
 libexec/rc/rc.d/motd               |  4 ++++
 libexec/rc/rc.d/mountcritlocal     |  4 ++++
 libexec/rc/rc.d/mountcritremote    |  4 ++++
 libexec/rc/rc.d/mountd             |  6 ++++++
 libexec/rc/rc.d/mountlate          |  4 ++++
 libexec/rc/rc.d/moused             |  5 +++++
 libexec/rc/rc.d/msgs               |  4 ++++
 libexec/rc/rc.d/natd               |  4 ++++
 libexec/rc/rc.d/netif              |  4 ++++
 libexec/rc/rc.d/netoptions         |  4 ++++
 libexec/rc/rc.d/netwait            |  4 ++++
 libexec/rc/rc.d/newsyslog          |  4 ++++
 libexec/rc/rc.d/nfscbd             |  2 ++
 libexec/rc/rc.d/nfsclient          |  4 ++++
 libexec/rc/rc.d/nfsd               |  4 ++++
 libexec/rc/rc.d/nfsuserd           |  4 ++++
 libexec/rc/rc.d/nisdomain          |  4 ++++
 libexec/rc/rc.d/nscd               |  3 +++
 libexec/rc/rc.d/ntpd               |  3 +++
 libexec/rc/rc.d/ntpdate            |  4 ++++
 libexec/rc/rc.d/opensm             |  2 ++
 libexec/rc/rc.d/os-release         |  4 ++++
 libexec/rc/rc.d/pf                 |  3 +++
 libexec/rc/rc.d/pflog              |  6 ++++++
 libexec/rc/rc.d/pfsync             |  4 ++++
 libexec/rc/rc.d/power_profile      |  3 +++
 libexec/rc/rc.d/powerd             |  4 ++++
 libexec/rc/rc.d/ppp                |  4 ++++
 libexec/rc/rc.d/pppoed             |  4 ++++
 libexec/rc/rc.d/pwcheck            |  4 ++++
 libexec/rc/rc.d/quota              |  3 +++
 libexec/rc/rc.d/random             |  4 ++++
 libexec/rc/rc.d/rarpd              |  2 ++
 libexec/rc/rc.d/rctl               |  4 ++++
 libexec/rc/rc.d/resolv             |  4 ++++
 libexec/rc/rc.d/rfcomm_pppd_server |  4 ++++
 libexec/rc/rc.d/root               |  4 ++++
 libexec/rc/rc.d/route6d            |  2 ++
 libexec/rc/rc.d/routed             |  2 ++
 libexec/rc/rc.d/routing            |  4 ++++
 libexec/rc/rc.d/rpcbind            |  2 ++
 libexec/rc/rc.d/rtadvd             |  5 +++++
 libexec/rc/rc.d/rtsold             |  2 ++
 libexec/rc/rc.d/rwho               |  2 ++
 libexec/rc/rc.d/savecore           |  4 ++++
 libexec/rc/rc.d/sdpd               |  3 +++
 libexec/rc/rc.d/securelevel        |  4 ++++
 libexec/rc/rc.d/sendmail           |  2 ++
 libexec/rc/rc.d/sshd               |  6 ++++++
 libexec/rc/rc.d/statd              |  7 +++++--
 libexec/rc/rc.d/static_arp         |  4 ++++
 libexec/rc/rc.d/static_ndp         |  4 ++++
 libexec/rc/rc.d/stf                |  4 ++++
 libexec/rc/rc.d/swap               |  4 ++++
 libexec/rc/rc.d/swaplate           |  4 ++++
 libexec/rc/rc.d/syscons            |  4 ++++
 libexec/rc/rc.d/sysctl             |  4 ++++
 libexec/rc/rc.d/sysctl_lastload    |  4 ++++
 libexec/rc/rc.d/syslogd            |  2 ++
 libexec/rc/rc.d/sysvipc            |  4 ++++
 libexec/rc/rc.d/tlsclntd           |  2 ++
 libexec/rc/rc.d/tlsservd           |  2 ++
 libexec/rc/rc.d/tmp                |  3 +++
 libexec/rc/rc.d/ubthidhci          |  4 ++++
 libexec/rc/rc.d/ugidfw             |  4 ++++
 libexec/rc/rc.d/utx                |  4 ++++
 libexec/rc/rc.d/var                |  3 +++
 libexec/rc/rc.d/var_run            |  3 +++
 libexec/rc/rc.d/virecover          |  4 ++++
 libexec/rc/rc.d/watchdogd          |  4 ++++
 libexec/rc/rc.d/wpa_supplicant     |  3 +++
 libexec/rc/rc.d/ypbind             |  2 ++
 libexec/rc/rc.d/ypldap             |  2 ++
 libexec/rc/rc.d/yppasswdd          |  2 ++
 libexec/rc/rc.d/ypserv             |  2 ++
 libexec/rc/rc.d/ypset              |  3 +++
 libexec/rc/rc.d/ypupdated          |  2 ++
 libexec/rc/rc.d/ypxfrd             |  2 ++
 libexec/rc/rc.d/zfs                |  4 ++++
 libexec/rc/rc.d/zfsbe              |  4 ++++
 libexec/rc/rc.d/zfsd               |  4 ++++
 libexec/rc/rc.d/zfskeys            |  4 ++++
 libexec/rc/rc.d/zpool              |  4 ++++
 libexec/rc/rc.d/zpoolreguid        |  4 ++++
 libexec/rc/rc.d/zpoolupgrade       |  4 ++++
 libexec/rc/rc.d/zvol               |  4 ++++
 166 files changed, 598 insertions(+), 39 deletions(-)

diff --git a/libexec/rc/rc.d/accounting b/libexec/rc/rc.d/accounting
index 5c08f18cd2ca..1e0ece84fb15 100755
--- a/libexec/rc/rc.d/accounting
+++ b/libexec/rc/rc.d/accounting
@@ -76,4 +76,8 @@ accounting_rotate_log()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't manipulate accounting
+accounting_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/adjkerntz b/libexec/rc/rc.d/adjkerntz
index 81ee596369a5..339f8add7201 100755
--- a/libexec/rc/rc.d/adjkerntz
+++ b/libexec/rc/rc.d/adjkerntz
@@ -14,4 +14,8 @@ start_cmd="adjkerntz -i"
 stop_cmd=":"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't modify kerntz
+adjkerntz_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/apm b/libexec/rc/rc.d/apm
index b2bde4d32d1c..3187f41c3a50 100755
--- a/libexec/rc/rc.d/apm
+++ b/libexec/rc/rc.d/apm
@@ -43,4 +43,8 @@ apm_status()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apm_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/apmd b/libexec/rc/rc.d/apmd
index 8c6293549dc0..aeb5042342d6 100755
--- a/libexec/rc/rc.d/apmd
+++ b/libexec/rc/rc.d/apmd
@@ -34,4 +34,8 @@ apmd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apmd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/auditd b/libexec/rc/rc.d/auditd
index 90017d88ab85..caea2587a2e9 100755
--- a/libexec/rc/rc.d/auditd
+++ b/libexec/rc/rc.d/auditd
@@ -32,4 +32,8 @@ auditd_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+auditd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/auditdistd b/libexec/rc/rc.d/auditdistd
index e7ae7d64d39d..0814c2a4d2c7 100755
--- a/libexec/rc/rc.d/auditdistd
+++ b/libexec/rc/rc.d/auditdistd
@@ -17,5 +17,7 @@ command="/usr/sbin/${name}"
 required_files="/etc/security/${name}.conf"
 extra_commands="reload"
 
+: ${auditdistd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/automount b/libexec/rc/rc.d/automount
index b01928651ec4..19f367837189 100755
--- a/libexec/rc/rc.d/automount
+++ b/libexec/rc/rc.d/automount
@@ -28,4 +28,8 @@ automount_stop()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automount_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/automountd b/libexec/rc/rc.d/automountd
index 4bc6f7d01862..b809e9dfc8ad 100755
--- a/libexec/rc/rc.d/automountd
+++ b/libexec/rc/rc.d/automountd
@@ -17,4 +17,8 @@ command="/usr/sbin/${name}"
 required_modules="autofs"
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automountd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/autounmountd b/libexec/rc/rc.d/autounmountd
index c939c6d8d011..1d8b3bfa354f 100755
--- a/libexec/rc/rc.d/autounmountd
+++ b/libexec/rc/rc.d/autounmountd
@@ -16,4 +16,8 @@ pidfile="/var/run/${name}.pid"
 command="/usr/sbin/${name}"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+autounmountd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bgfsck b/libexec/rc/rc.d/bgfsck
index 24753f9f561f..dd5c330c3d11 100755
--- a/libexec/rc/rc.d/bgfsck
+++ b/libexec/rc/rc.d/bgfsck
@@ -46,4 +46,8 @@ bgfsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+bgfsck_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/blacklistd b/libexec/rc/rc.d/blacklistd
index b58c7c8a76b6..ecbb71e41fca 100755
--- a/libexec/rc/rc.d/blacklistd
+++ b/libexec/rc/rc.d/blacklistd
@@ -40,5 +40,8 @@ rcvar="blacklistd_enable"
 command="/usr/sbin/${name}"
 required_files="/etc/blacklistd.conf"
 
+# no svcj options needed
+: ${blacklistd_svcj_options:=""}
+
 load_rc_config $name
 run_rc_command "$1"
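Review bot: Starting blacklistd with an empty svcj option set deserves a check that its blocking path still works from inside a service jail: the daemon acts by invoking its helper to install packet-filter rules, and a jail without firewall privileges would presumably have those calls fail, leaving the daemon running but blocking nothing. If that is the case, `blacklistd_svcj="NO"` placed after load_rc_config (as this commit does for ipfw and ipfilter) is the safer default. Otherwise a comment stating which permissions it was verified with would help the next reader, since `: ${blacklistd_svcj_options:=""}` reads as "nothing needed".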
diff --git a/libexec/rc/rc.d/bluetooth b/libexec/rc/rc.d/bluetooth
index 679d669a6191..22bd5078034d 100755
--- a/libexec/rc/rc.d/bluetooth
+++ b/libexec/rc/rc.d/bluetooth
@@ -317,5 +317,8 @@ bluetooth_stop()
 load_rc_config $name
 hccontrol="${bluetooth_hccontrol:-/usr/sbin/hccontrol}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bluetooth_svcj="NO"
+
 run_rc_command $*
 
diff --git a/libexec/rc/rc.d/bootparams b/libexec/rc/rc.d/bootparams
index ce0b8a45e672..1d435d4ee480 100755
--- a/libexec/rc/rc.d/bootparams
+++ b/libexec/rc/rc.d/bootparams
@@ -15,5 +15,7 @@ rcvar="bootparamd_enable"
 required_files="/etc/bootparams"
 command="/usr/sbin/${name}"
 
+: ${bootparamd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bridge b/libexec/rc/rc.d/bridge
index a42d82adacc5..98d9212593e5 100755
--- a/libexec/rc/rc.d/bridge
+++ b/libexec/rc/rc.d/bridge
@@ -90,4 +90,8 @@ bridge_stop()
 iflist=$2
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+bridge_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bsnmpd b/libexec/rc/rc.d/bsnmpd
index 60c7242f0c1f..60f4f5e86617 100755
--- a/libexec/rc/rc.d/bsnmpd
+++ b/libexec/rc/rc.d/bsnmpd
@@ -13,6 +13,8 @@ desc="Simple and extensible SNMP daemon"
 rcvar="bsnmpd_enable"
 command="/usr/sbin/${name}"
 
+: ${bsnmpd_svcj_options:="net_basic"}
+
 load_rc_config $name
 pidfile="${bsnmpd_pidfile:-/var/run/snmpd.pid}"
 command_args="-p ${pidfile}"
diff --git a/libexec/rc/rc.d/bthidd b/libexec/rc/rc.d/bthidd
index ec7da8181ca3..4b230406c4d5 100755
--- a/libexec/rc/rc.d/bthidd
+++ b/libexec/rc/rc.d/bthidd
@@ -50,4 +50,7 @@ if evdev_enabled; then
 fi
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bthidd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ccd b/libexec/rc/rc.d/ccd
index f7dde1c23f4e..5f2427e4beb0 100755
--- a/libexec/rc/rc.d/ccd
+++ b/libexec/rc/rc.d/ccd
@@ -21,4 +21,8 @@ ccd_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ccd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cfumass b/libexec/rc/rc.d/cfumass
index 79c9b0ae63d4..7d1117d7c388 100755
--- a/libexec/rc/rc.d/cfumass
+++ b/libexec/rc/rc.d/cfumass
@@ -145,4 +145,8 @@ cfumass_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+cfumass_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cleanvar b/libexec/rc/rc.d/cleanvar
index 08e647dde5ae..dce5baa6875b 100755
--- a/libexec/rc/rc.d/cleanvar
+++ b/libexec/rc/rc.d/cleanvar
@@ -43,4 +43,8 @@ cleanvar_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleanvar_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cleartmp b/libexec/rc/rc.d/cleartmp
index 8101474b33cf..c4dfb5367dcb 100755
--- a/libexec/rc/rc.d/cleartmp
+++ b/libexec/rc/rc.d/cleartmp
@@ -57,4 +57,8 @@ cleartmp_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleartmp_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cron b/libexec/rc/rc.d/cron
index a37d3ceee02e..584db590d835 100755
--- a/libexec/rc/rc.d/cron
+++ b/libexec/rc/rc.d/cron
@@ -16,6 +16,11 @@ command="/usr/sbin/${name}"
 pidfile="/var/run/${name}.pid"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: in the generic case it may need
+# access to more than a jails allows
+cron_svcj="NO"
+
 if checkyesno cron_dst
 then
 	cron_flags="$cron_flags -s"
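Review bot: The added comment has a typo, `a jails allows` should read `a jail allows`. Suggest `# access to more than a jail allows` for the second comment line.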
diff --git a/libexec/rc/rc.d/ctld b/libexec/rc/rc.d/ctld
index f09c032575d9..c91d7a9be921 100755
--- a/libexec/rc/rc.d/ctld
+++ b/libexec/rc/rc.d/ctld
@@ -19,4 +19,8 @@ required_modules="ctl"
 extra_commands="reload"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ctld_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ddb b/libexec/rc/rc.d/ddb
index 40235bebf90e..08a7d345c326 100755
--- a/libexec/rc/rc.d/ddb
+++ b/libexec/rc/rc.d/ddb
@@ -35,4 +35,7 @@ load_rc_config $name
 required_files="${ddb_config}"
 command_args="${ddb_config}"
 
+# doesn't make sense to run in a svcj: privileged operation
+ddb_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/defaultroute b/libexec/rc/rc.d/defaultroute
index d8d6b2e97dcd..b96f91d36118 100755
--- a/libexec/rc/rc.d/defaultroute
+++ b/libexec/rc/rc.d/defaultroute
@@ -70,4 +70,8 @@ defaultroute_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+defaultroute_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devd b/libexec/rc/rc.d/devd
index 43fb9d5928dd..47326662339c 100755
--- a/libexec/rc/rc.d/devd
+++ b/libexec/rc/rc.d/devd
@@ -38,4 +38,8 @@ devd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: executing potential privileged operations
+devd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devfs b/libexec/rc/rc.d/devfs
index b7835bd561ce..9987d35f6ad3 100755
--- a/libexec/rc/rc.d/devfs
+++ b/libexec/rc/rc.d/devfs
@@ -68,4 +68,8 @@ read_devfs_conf()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: may need more permissions
+devfs_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devmatch b/libexec/rc/rc.d/devmatch
index 67bb14761614..21846355fcfe 100755
--- a/libexec/rc/rc.d/devmatch
+++ b/libexec/rc/rc.d/devmatch
@@ -78,4 +78,8 @@ devmatch_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: privileged operations
+devmatch_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/dhclient b/libexec/rc/rc.d/dhclient
index e2f204076eb6..78442da29193 100755
--- a/libexec/rc/rc.d/dhclient
+++ b/libexec/rc/rc.d/dhclient
@@ -59,6 +59,9 @@ dhclient_prestart()
 load_rc_config $name
 load_rc_config network
 
+# dhclient_prestart is not compatible with svcj
+dhclient_svcj="NO"
+
 if [ -z $ifn ] ; then
 	# only complain if a command was specified but no interface
 	if [ -n "$1" ] ; then
diff --git a/libexec/rc/rc.d/dmesg b/libexec/rc/rc.d/dmesg
index ed36ec17b419..51e35d5d4e80 100755
--- a/libexec/rc/rc.d/dmesg
+++ b/libexec/rc/rc.d/dmesg
@@ -23,4 +23,8 @@ do_dmesg()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+dmesg_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/dnctl b/libexec/rc/rc.d/dnctl
index 7e65b899bd01..9067d278088e 100644
--- a/libexec/rc/rc.d/dnctl
+++ b/libexec/rc/rc.d/dnctl
@@ -16,6 +16,9 @@ start_cmd="${name}_start"
 required_files="$dnctl_rules"
 required_modules="dummynet"
 
+# doesn't make sense to run in a svcj: config setting
+dnctl_svcj="NO"
+
 dnctl_start()
 {
 	startmsg -n "Enabling ${name}"
diff --git a/libexec/rc/rc.d/dumpon b/libexec/rc/rc.d/dumpon
index a6748711b796..0dfcdb266b20 100755
--- a/libexec/rc/rc.d/dumpon
+++ b/libexec/rc/rc.d/dumpon
@@ -97,4 +97,8 @@ dumpon_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+dumpon_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/fsck b/libexec/rc/rc.d/fsck
index 359733d8484c..e755f055dbe6 100755
--- a/libexec/rc/rc.d/fsck
+++ b/libexec/rc/rc.d/fsck
@@ -91,4 +91,8 @@ fsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+fsck_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ftp-proxy b/libexec/rc/rc.d/ftp-proxy
index 250088d6bb35..c77dd36cd60b 100755
--- a/libexec/rc/rc.d/ftp-proxy
+++ b/libexec/rc/rc.d/ftp-proxy
@@ -13,6 +13,8 @@ desc="Internet File Transfer Protocol proxy daemon"
 rcvar="ftpproxy_enable"
 command="/usr/sbin/ftp-proxy"
 
+: ${ftpproxy_svcj_options:="net_basic"}
+
 load_rc_config $name
 
 #
diff --git a/libexec/rc/rc.d/ftpd b/libexec/rc/rc.d/ftpd
index 9bb9a722a2af..e25a561a520a 100755
--- a/libexec/rc/rc.d/ftpd
+++ b/libexec/rc/rc.d/ftpd
@@ -13,13 +13,11 @@ desc="Internet File Transfer Protocol daemon"
 rcvar="ftpd_enable"
 command="/usr/libexec/${name}"
 pidfile="/var/run/${name}.pid"
-start_precmd=ftpd_prestart
 
-ftpd_prestart()
-{
-	rc_flags="-D ${rc_flags}"
-	return 0
-}
+: ${ftpd_svcj_options:="net_basic"}
 
 load_rc_config $name
+
+flags="-D ${flags} ${rc_flags}"
+
 run_rc_command "$1"
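Review bot: The new `flags="-D ${flags} ${rc_flags}"` line appears to drop any `ftpd_flags` set in rc.conf: rc_flags is still empty at this point because run_rc_command populates it later, and a non-empty `flags` is treated by rc.subr as an environment override that takes precedence over `${name}_flags`. The removed ftpd_prestart ran after that selection, so it preserved both the rc.conf value and the environment override. Something like `flags="-D ${flags:-${ftpd_flags}}"` keeps both, assuming rc.subr's precedence is as I read it; a quick test with ftpd_flags set in rc.conf would confirm.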
diff --git a/libexec/rc/rc.d/geli b/libexec/rc/rc.d/geli
index 16d24efd1e39..5fc5ded54ec3 100755
--- a/libexec/rc/rc.d/geli
+++ b/libexec/rc/rc.d/geli
@@ -121,4 +121,8 @@ geli_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/geli2 b/libexec/rc/rc.d/geli2
index 16248d32ece8..cedd48a312ee 100755
--- a/libexec/rc/rc.d/geli2
+++ b/libexec/rc/rc.d/geli2
@@ -55,4 +55,8 @@ geli2_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli2_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ggated b/libexec/rc/rc.d/ggated
index 22bc8beb7ca0..846019acb055 100755
--- a/libexec/rc/rc.d/ggated
+++ b/libexec/rc/rc.d/ggated
@@ -14,6 +14,9 @@ pidfile="/var/run/${name}.pid"
 load_rc_config $name
 required_files="${ggated_config}"
 
+# XXX?: doesn't make sense to run in a svcj: low-level access
+ggated_svcj="NO"
+
 command_args="${ggated_config}"
 
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/gptboot b/libexec/rc/rc.d/gptboot
index 3f04143e79ec..188f1bb77557 100755
--- a/libexec/rc/rc.d/gptboot
+++ b/libexec/rc/rc.d/gptboot
@@ -73,4 +73,8 @@ gptboot_report()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+gptboot_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/growfs b/libexec/rc/rc.d/growfs
index d16951b4bc3e..86bf199a8611 100755
--- a/libexec/rc/rc.d/growfs
+++ b/libexec/rc/rc.d/growfs
@@ -306,4 +306,8 @@ growfs_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/growfs_fstab b/libexec/rc/rc.d/growfs_fstab
index a9d18c1eaed3..8b7cea3a63e5 100755
--- a/libexec/rc/rc.d/growfs_fstab
+++ b/libexec/rc/rc.d/growfs_fstab
@@ -58,4 +58,8 @@ growfs_fstab_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_fstab_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/gssd b/libexec/rc/rc.d/gssd
index fa0edcead140..7ab3c181eeb1 100755
--- a/libexec/rc/rc.d/gssd
+++ b/libexec/rc/rc.d/gssd
@@ -13,5 +13,7 @@ name=gssd
 desc="Generic Security Services Daemon"
 rcvar=gssd_enable
 
+: ${gssd_svcj_options:="net_basic nfsd"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hastd b/libexec/rc/rc.d/hastd
index 8c1d9e8bc16a..37df43d26c7d 100755
--- a/libexec/rc/rc.d/hastd
+++ b/libexec/rc/rc.d/hastd
@@ -26,4 +26,8 @@ hastd_stop_precmd()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+hastd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hcsecd b/libexec/rc/rc.d/hcsecd
index 542305040357..8827e53777f3 100755
--- a/libexec/rc/rc.d/hcsecd
+++ b/libexec/rc/rc.d/hcsecd
@@ -21,4 +21,7 @@ config="${hcsecd_config:-/etc/bluetooth/${name}.conf}"
 command_args="-f ${config}"
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+hcsecd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hostapd b/libexec/rc/rc.d/hostapd
index fe3dac1dea06..251df91a280b 100755
--- a/libexec/rc/rc.d/hostapd
+++ b/libexec/rc/rc.d/hostapd
@@ -38,4 +38,8 @@ required_modules="wlan_xauth wlan_wep wlan_tkip wlan_ccmp"
 extra_commands="reload"
 
 load_rc_config ${name}
+
+# doesn't make sense to run in a svcj: nojail keyword
+hostapd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hostid b/libexec/rc/rc.d/hostid
index 0210ca433501..18d0fbabf6e4 100755
--- a/libexec/rc/rc.d/hostid
+++ b/libexec/rc/rc.d/hostid
@@ -156,4 +156,8 @@ hostid_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostid_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hostid_save b/libexec/rc/rc.d/hostid_save
index af7f4138a5dd..b9727d24bc57 100755
--- a/libexec/rc/rc.d/hostid_save
+++ b/libexec/rc/rc.d/hostid_save
@@ -44,4 +44,8 @@ hostid_save()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostid_save_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hostname b/libexec/rc/rc.d/hostname
index f6ac95c9c888..8b26c4f60633 100755
--- a/libexec/rc/rc.d/hostname
+++ b/libexec/rc/rc.d/hostname
@@ -77,4 +77,8 @@ hostname_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostname_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/inetd b/libexec/rc/rc.d/inetd
index 9820f8dc319a..81cc18d95be2 100755
--- a/libexec/rc/rc.d/inetd
+++ b/libexec/rc/rc.d/inetd
@@ -16,5 +16,7 @@ pidfile="/var/run/${name}.pid"
 required_files="/etc/${name}.conf"
 extra_commands="reload"
 
+: ${inetd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/iovctl b/libexec/rc/rc.d/iovctl
index 01e16221cc4a..b2404f5665b1 100755
--- a/libexec/rc/rc.d/iovctl
+++ b/libexec/rc/rc.d/iovctl
@@ -35,4 +35,8 @@ iovctl_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+iovctl_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ip6addrctl b/libexec/rc/rc.d/ip6addrctl
index 50d9408d0731..eac1d2729e78 100755
--- a/libexec/rc/rc.d/ip6addrctl
+++ b/libexec/rc/rc.d/ip6addrctl
@@ -120,4 +120,8 @@ ip6addrctl_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ipv6addrctl_svcj="NO"
+
 run_rc_command "$1"
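Review bot: The variable assigned here is `ipv6addrctl_svcj`, but the file and its functions use the `ip6addrctl` prefix and rc.subr reads the service-jail switch from `${name}_svcj`, so unless name is actually set to ipv6addrctl this assignment is never consulted and the service stays eligible to be started in a svcj. The line should read `ip6addrctl_svcj="NO"`. The `name=` assignment is outside the hunk, so please confirm it against the file.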
diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter
index e951bc9b7878..d0cb09ab527c 100755
--- a/libexec/rc/rc.d/ipfilter
+++ b/libexec/rc/rc.d/ipfilter
@@ -15,6 +15,9 @@ rcvar="ipfilter_enable"
 load_rc_config $name
 stop_precmd="test -f ${ipfilter_rules}"
 
+# doesn't make sense to run in a svcj: config setting
+ipfilter_svcj="NO"
+
 start_precmd="$stop_precmd"
 start_cmd="ipfilter_start"
 stop_cmd="ipfilter_stop"
diff --git a/libexec/rc/rc.d/ipfs b/libexec/rc/rc.d/ipfs
index c51527bde43c..2ec4ad3b1d00 100755
--- a/libexec/rc/rc.d/ipfs
+++ b/libexec/rc/rc.d/ipfs
@@ -49,4 +49,8 @@ ipfs_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ipfs_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ipfw b/libexec/rc/rc.d/ipfw
index 2f6b20a41b1a..6d6f7577828f 100755
--- a/libexec/rc/rc.d/ipfw
+++ b/libexec/rc/rc.d/ipfw
@@ -163,4 +163,7 @@ ipfw_status()
 load_rc_config $name
 firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
 
+# doesn't make sense to run in a svcj: config setting
+ipfw_svcj="NO"
+
 run_rc_command $*
diff --git a/libexec/rc/rc.d/ipfw_netflow b/libexec/rc/rc.d/ipfw_netflow
index 219f0a4facf6..129488ce60d0 100755
--- a/libexec/rc/rc.d/ipfw_netflow
+++ b/libexec/rc/rc.d/ipfw_netflow
@@ -73,4 +73,7 @@ ipfw_netflow_stop()
 
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: config setting
+ipfw_netflow_svcj="NO"
+
 run_rc_command $*
diff --git a/libexec/rc/rc.d/ipmon b/libexec/rc/rc.d/ipmon
index a6449f241b87..3ef0c895ad16 100755
--- a/libexec/rc/rc.d/ipmon
+++ b/libexec/rc/rc.d/ipmon
@@ -15,6 +15,9 @@ rcvar="ipmon_enable"
 command="/sbin/${name}"
 start_precmd="ipmon_precmd"
 
+# no svcj options needed
+: ${ipmon_svcj_options:=""}
+
 ipmon_precmd()
 {
 	# Continue only if ipfilter or ipnat is enabled and the
diff --git a/libexec/rc/rc.d/ipnat b/libexec/rc/rc.d/ipnat
index 88cf368876d7..56fe443686b1 100755
--- a/libexec/rc/rc.d/ipnat
+++ b/libexec/rc/rc.d/ipnat
@@ -18,6 +18,9 @@ extra_commands="reload"
 required_files="${ipnat_rules}"
 required_modules="ipl:ipfilter"
 
+# doesn't make sense to run in a svcj: config setting
+ipnat_svcj="NO"
+
 ipnat_start()
 {
 	echo "Installing NAT rules."
diff --git a/libexec/rc/rc.d/ippool b/libexec/rc/rc.d/ippool
index 42cef3faf7eb..0db8bbe98f61 100755
--- a/libexec/rc/rc.d/ippool
+++ b/libexec/rc/rc.d/ippool
@@ -13,6 +13,10 @@ name="ippool"
 desc="user interface to the IPFilter pools"
 rcvar="ippool_enable"
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ippool_svcj="NO"
+
 start_precmd="ippool_start_precmd"
 stop_cmd="${ippool_program} -F"
 reload_cmd="ippool_reload"
diff --git a/libexec/rc/rc.d/ipropd_master b/libexec/rc/rc.d/ipropd_master
index 9f8e1ee14490..a3ca498afe6c 100755
--- a/libexec/rc/rc.d/ipropd_master
+++ b/libexec/rc/rc.d/ipropd_master
@@ -14,6 +14,8 @@ required_files="$ipropd_master_keytab"
 start_precmd=${name}_start_precmd
 start_postcmd=${name}_start_postcmd
 
+: ${ipropd_master_svcj_options:="net_basic"}
+
 ipropd_master_start_precmd()
 {
 
@@ -24,10 +26,6 @@ ipropd_master_start_precmd()
 	for _slave in $ipropd_master_slaves; do
 		echo $_slave
 	done > /var/heimdal/slaves || return 1
-	command_args="$command_args \
-	    --keytab=\"$ipropd_master_keytab\" \
-	    --detach \
-	"
 }
 ipropd_master_start_postcmd()
 {
@@ -36,4 +34,10 @@ ipropd_master_start_postcmd()
 }
 
 load_rc_config $name
+
+command_args="$command_args \
+    --keytab=\"$ipropd_master_keytab\" \
+    --detach \
+"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ipropd_slave b/libexec/rc/rc.d/ipropd_slave
index 9d4b06f0e8f3..1735cff3de86 100755
*** 1539 LINES SKIPPED ***