From nobody Fri Apr 01 12:00:35 2022
X-Original-To: jail@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 0527919F9256;
	Fri,  1 Apr 2022 12:01:08 +0000 (UTC)
	(envelope-from Alexander@leidinger.net)
Received: from mailgate.Leidinger.net (mailgate.leidinger.net [IPv6:2a00:1828:2000:313::1:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature ECDSA (P-256) client-digest SHA256)
	(Client CN "mailgate.leidinger.net", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4KVJfV5zRfz3vkj;
	Fri,  1 Apr 2022 12:01:06 +0000 (UTC)
	(envelope-from Alexander@leidinger.net)
Received: from outgoing.leidinger.net (p508d4362.dip0.t-ipconnect.de [80.141.67.98])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
	 client-signature ECDSA (P-256) client-digest SHA256)
	(Client CN "outgoing.leidinger.net", Issuer "R3" (verified OK))
	by mailgate.Leidinger.net (Postfix) with ESMTPSA id D4A4523E57;
	Fri,  1 Apr 2022 14:00:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net;
	s=outgoing-alex; t=1648814457;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type;
	bh=vrZoto60ohjowkXyPGD+Cwv2G6ow+lqUe5Mb+PWLwak=;
	b=OV3++RhrAAje37ojtcN2EcWzLCD2ncl+biSG59/y8clnW9sbckTqeP+SGDRM8P0+6A9Plx
	dy4qlcNc3WrterVXOGqD/TaAfmmFh+oxx2bxc7OHzjKcAz2KSN2ydqNH3pWl7B0g6no349
	Cydnc2ohr3wDPniTGg4FU4OhHTHX1YFgkO5blukcMrLss08bW+8L1YuG58Cppm+AAsNHe1
	hKO/4XFanUJgl2hkbO6APoSZxsDUBFkb5bAsH76RfZdwT99MLa9QwJe3QN9McRmWown3s3
	SgIejZc5cgZ/zygiZkIJN50a4/HcaVzbLo3NmxkVPBliOED1N5P59yJ6omrgZA==
Received: from webmail.leidinger.net (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(Client did not present a certificate)
	by outgoing.leidinger.net (Postfix) with ESMTPS id 729E6C680;
	Fri,  1 Apr 2022 14:00:38 +0200 (CEST)
Date: Fri, 01 Apr 2022 14:00:35 +0200
Message-ID: <20220401140035.Horde.LYLAkhpBnQPotxJtLawHfO8@webmail.leidinger.net>
From: Alexander Leidinger <Alexander@leidinger.net>
To: current@freebsd.org, jail@freebsd.org
Subject: injecting vars into rc-service-scripts at jail-start?
Accept-Language: de,en
Content-Type: multipart/signed; boundary="=_OFj-_eOqdGFBDWtOYkHfhOt";
 protocol="application/pgp-signature"; micalg=pgp-sha256
List-Id: Discussion about FreeBSD jail(8) <freebsd-jail.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
List-Help: <mailto:freebsd-jail+help@freebsd.org>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Subscribe: <mailto:freebsd-jail+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-jail+unsubscribe@freebsd.org>
Sender: owner-freebsd-jail@freebsd.org
MIME-Version: 1.0
X-Rspamd-Queue-Id: 4KVJfV5zRfz3vkj
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=leidinger.net header.s=outgoing-alex header.b=OV3++Rhr;
	dmarc=pass (policy=quarantine) header.from=leidinger.net;
	spf=pass (mx1.freebsd.org: domain of Alexander@leidinger.net designates 2a00:1828:2000:313::1:5 as permitted sender) smtp.mailfrom=Alexander@leidinger.net
X-Spamd-Result: default: False [-5.10 / 15.00];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[leidinger.net:s=outgoing-alex];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 R_SPF_ALLOW(-0.20)[+mx];
	 MIME_GOOD(-0.20)[multipart/signed,text/plain];
	 TO_DN_NONE(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 RCVD_COUNT_THREE(0.00)[3];
	 MID_RHS_MATCH_FROMTLD(0.00)[];
	 DKIM_TRACE(0.00)[leidinger.net:+];
	 RCPT_COUNT_TWO(0.00)[2];
	 DMARC_POLICY_ALLOW(-0.50)[leidinger.net,quarantine];
	 NEURAL_HAM_SHORT(-1.00)[-1.000];
	 MLMMJ_DEST(0.00)[current,jail];
	 SIGNED_PGP(-2.00)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 SUBJECT_ENDS_QUESTION(1.00)[];
	 ASN(0.00)[asn:34240, ipnet:2a00:1828::/32, country:DE];
	 RCVD_TLS_ALL(0.00)[];
	 RECEIVED_SPAMHAUS_PBL(0.00)[80.141.67.98:received]
X-ThisMailContainsUnwantedMimeParts: N

This message is in MIME format and has been PGP signed.

--=_OFj-_eOqdGFBDWtOYkHfhOt
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi,

I'm overlooking something fundamental it seems...

Context:
I'm working on my auto-jailing of services idea: if the auto-jail is=20=20
enabled,=20a service like syslog is started inside a jail (which=20=20
inherits=20the FS and depending on some settings also inherits network=20=
=20
and=20other stuff or not).

My previous implementation was using _rc_prefix (jailstart) to denote=20=20
the=20start of a service inside a jail so that "service XXX start" on a=20=
=20
host=20would "service XXX jailstart" inside a jail. This had off course=20=
=20
issues=20as there is no infrastructure for multiple prefix like=20=20
onejailstart=20or jailonestart...

Problem:
Now I try to find a way to do it without a prefix, and the first thing=20=
=20
which=20comes to my mind is to do "jail xxx 'exec.start=3D/usr/bin/env=20=
=20
_rc_svcs=3Djailing /usr/bin/service XXX CMD ARGS'".


My expectation is, that this would set _rc_svcs=3Djailing for the=20=20
command=20service XXX CMND args. Having a "set -x" in rc.subr shows=20=20
clearly=20in the jail-console log, that inside that jail, the variable=20=
=20
_rc_svcj=20is not set. Using "-v" for the env command shows in the log=20=
=20
that=20it is called and it sets the var and executes the service command=20=
=20
with=20syslog start as arguments.

I tried to find some env-cleanup part in rc.subr, which would discard=20=20
all=20_rc* variables, but if there is something like that I overlooked it.

For a stop, I call "jexec /usr/bin/env _rc_svcj=3Djailing=20=20
/usr/sbin/service=20XXX stop args", and it works, so I rather tend to=20=20
believe=20there is no env-cleanup.

What am I doing wrong so that _rc_svcj is not picked up inside the jail?

So here is my diff between "prefix driven" (=3D working) and "var=20=20
driven"=20(var not picked up inside the jail):
---snip---
                                 case "$rc_arg" in
                                 start)
-                                       if [ "${_rc_prefix}" !=3D jail ]; t=
hen
+                                       if [ "${_rc_svcj}" !=3D jailing ]; =
then
                                                 _return=3D1
                                                 $JAIL_CMD -c=20=20
$_svcj_generic_params=20$_svcj_cmd_options \
-=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20
exec.start=3D"/usr/sbin/service ${name} jailstart $rc_extra_args" \
-=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20
exec.stop=3D"/usr/sbin/service ${name} jailstop $rc_extra_args" \
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20
exec.start=3D"/usr/bin/env _rc_svcj=3Djailing /usr/sbin/service ${name}=20=
=20
${rc_arg}=20$rc_extra_args" \
+=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20
exec.stop=3D"/usr/bin/env _rc_svcj=3Djailing /usr/sbin/service ${name}=20=
=20
${rc_arg}=20$rc_extra_args" \
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20
exec.consolelog=3D"/var/log/svcj_${name}_console.log" \
                                                     name=3Dsvcj-${name}=20=
=20
&&=20_return=3D0
                                         else
                                                     # normal start of=20=
=20
_cmd=20via _run_rc_doit
---snip---

What set -x tells what it calls:
---snip---
+ /usr/sbin/jail -c 'path=3D/' mount.nodevfs 'host=3Dinherit'=20=20
'ip4=3Dinherit' 'ip6=3Dinherit' allow.reserved_ports=20=20
'exec.start=3D/usr/bin/env -v _rc_svcj=3Djailing /usr/sbin/service -v=20=20
syslogd=20start  ' 'exec.stop=3D/usr/bin/env _rc_svcj=3Djailing=20=20
/usr/sbin/service=20syslogd start  '=20=20
'exec.consolelog=3D/var/log/svcj_syslogd_console.log' 'name=3Dsvcj-syslogd'
---snip---

Bye,
Alexander.

--=20
http://www.Leidinger.net=20Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF

--=_OFj-_eOqdGFBDWtOYkHfhOt
Content-Type: application/pgp-signature
Content-Description: Digitale PGP-Signatur
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIzBAABCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmJG6WIACgkQEg2wmwP4
2IbsvRAAqMPhMXAr4CVQULA0/Xt61LneIcNV2PkkPVXoUL/aJA2hC2OVFZXq0Wwf
wnz6CuA3Dw50AJjUCfNySSkl4nCP4tGSiHaDu2iBZFiE3b4EehtPoqgpDghNJJ7M
bj9+ZkSTCZs+RrUyS3A+tD5Ib7ugWN1absvJ35srEvLfviR05YDD7j2aIinWC/8D
7wWlYXYZLN2CAubuueuHZ1g+1HAJtPWlGA1vLJGgAtdT6Bp07SbCtTJB2GMYLvq4
XzAnDLXhWB31GPMQrscPzBqyTBqQ/xz4YCBSECP7l88Zv7oshu4R23jJEY1jhKe0
8elCzOKCK53pScT3iS6jMVQrsLfuv8sSLgVEVxa48oaqyNcBfKK74ircaCAHakKY
NlG6main9TcO49lQVYidWcvZc1UHkgRsHy3yJucgUHoa+GH7KWvXEJoAmG4KlLHv
DKl6jHPoS6amH79NITwFWQiXz34LjpxT/KqpKqnoIJ+sEq/GmcAmL2kuPoErG1NO
hLlQMB3+3mB/nLHJW38Z8UBt8OQIl+8pXowr4b44lLKznom6zFIIARPpgd0VQ+z5
DEXDtqLgOM7ILwT3iiaeAMUwYNjQT31NnIWstAvdiK6iyoV1Xdga9N6062x7iX80
4NSQqXs9+VjUH3v8qegAhzcQl4UYxb4fTtgn5LS5O2BP+uL8Kf0=
=fEbf
-----END PGP SIGNATURE-----

--=_OFj-_eOqdGFBDWtOYkHfhOt--