svn commit: r214117 - projects/jailconf/usr.sbin/jail

Jamie Gritton jamie at FreeBSD.org
Wed Oct 20 20:42:34 UTC 2010


Author: jamie
Date: Wed Oct 20 20:42:33 2010
New Revision: 214117
URL: http://svn.freebsd.org/changeset/base/214117

Log:
  Initial work on the new jail(8).  There are more features to add, and some
  cleaning up to do on existing features, but this is pretty much what the
  final product will look like.

Added:
  projects/jailconf/usr.sbin/jail/command.c   (contents, props changed)
  projects/jailconf/usr.sbin/jail/config.c   (contents, props changed)
  projects/jailconf/usr.sbin/jail/jail.conf.5   (contents, props changed)
  projects/jailconf/usr.sbin/jail/jaillex.l   (contents, props changed)
  projects/jailconf/usr.sbin/jail/jailp.h   (contents, props changed)
  projects/jailconf/usr.sbin/jail/jailparse.y   (contents, props changed)
  projects/jailconf/usr.sbin/jail/state.c   (contents, props changed)
Modified:
  projects/jailconf/usr.sbin/jail/Makefile
  projects/jailconf/usr.sbin/jail/jail.8
  projects/jailconf/usr.sbin/jail/jail.c

Modified: projects/jailconf/usr.sbin/jail/Makefile
==============================================================================
--- projects/jailconf/usr.sbin/jail/Makefile	Wed Oct 20 20:01:45 2010	(r214116)
+++ projects/jailconf/usr.sbin/jail/Makefile	Wed Oct 20 20:42:33 2010	(r214117)
@@ -3,12 +3,19 @@
 .include <bsd.own.mk>
 
 PROG=	jail
-MAN=	jail.8
-DPADD=	${LIBJAIL} ${LIBUTIL}
-LDADD=	-ljail -lutil
+MAN=	jail.8 jail.conf.5
+SRCS=	jail.c command.c config.c state.c jailp.h jaillex.l jailparse.y y.tab.h
+
+DPADD=	${LIBJAIL} ${LIBKVM} ${LIBUTIL} ${LIBL}
+LDADD=	-ljail -lkvm -lutil -ll
+
+YFLAGS+=-v
+CFLAGS+=-I. -I${.CURDIR}
 
 .if ${MK_INET6_SUPPORT} != "no"
 CFLAGS+= -DINET6
 .endif
 
+CLEANFILES= y.output
+
 .include <bsd.prog.mk>

Added: projects/jailconf/usr.sbin/jail/command.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/jailconf/usr.sbin/jail/command.c	Wed Oct 20 20:42:33 2010	(r214117)
@@ -0,0 +1,675 @@
+/*-
+ * Copyright (c) 2010 James Gritton
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/event.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+#include <sys/user.h>
+#include <sys/wait.h>
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <kvm.h>
+#include <login_cap.h>
+#include <paths.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "jailp.h"
+
+#define COMSTRING_DUMMY		((struct cfstring *)1)
+#define DEFAULT_STOP_TIMEOUT	10
+#define PHASH_SIZE		256
+
+LIST_HEAD(phhead, phash);
+
+struct phash {
+	LIST_ENTRY(phash)	le;
+	struct cfjail		*j;
+	pid_t			pid;
+};
+
+extern char **environ;
+
+static int get_user_info(struct cfjail *j, const char *username,
+    const struct passwd **pwdp, login_cap_t **lcapp);
+static void add_proc(struct cfjail *j, pid_t pid);
+static void clear_procs(struct cfjail *j);
+static struct cfjail *find_proc(pid_t pid);
+
+static struct cfjails sleeping = TAILQ_HEAD_INITIALIZER(sleeping);
+static struct cfjails runnable = TAILQ_HEAD_INITIALIZER(runnable);
+static struct phhead phash[PHASH_SIZE];
+static int kq;
+
+/*
+ * Run a command associated with a jail, possibly inside the jail.
+ */
+int
+run_command(struct cfjail *j, int *plimit, enum intparam comparam)
+{
+	const struct passwd *pwd;
+	struct cfstring *comstring, *s;
+	login_cap_t *lcap;
+	char **argv;
+	char *cs, *addr, *comcs;
+	const char *jidstr, *conslog, *path, *ruleset, *term, *username;
+	size_t comlen;
+	pid_t pid;
+	int argc, bg, clean, consfd, down, fib, i, injail, sjuser, timeout;
+
+	static char *cleanenv;
+
+	if (comparam) {
+		if (comparam == IP_MOUNT_DEVFS
+		    ? !bool_param(j->intparams[IP_MOUNT_DEVFS])
+		    : j->intparams[comparam] == NULL)
+			return 0;
+		j->comparam = comparam;
+		j->comstring = comparam == IP_MOUNT_DEVFS ? COMSTRING_DUMMY
+		    : STAILQ_FIRST(&j->intparams[comparam]->val);
+	} else {
+		comparam = j->comparam;
+		if (!(j->flags & JF_RUNQ))
+			j->comstring = j->comstring == COMSTRING_DUMMY
+			    ? NULL : STAILQ_NEXT(j->comstring, tq);
+	}
+	comstring = j->comstring;
+	if (comstring == NULL ||
+	    (comstring != COMSTRING_DUMMY && comstring->len == 0))
+		return 0;
+	if (plimit && *plimit == 0) {
+		j->flags |= JF_RUNQ;
+		requeue(j, &runnable);
+		return 1;
+	}
+	j->flags &= ~(JF_RUNQ | JF_BACKGROUND);
+	/*
+	 * Collect exec arguments.  Internal commands for network and
+	 * mounting build their own argument lists (XXX they should be
+	 * truly internal).
+	 */
+	bg = j->flags & JF_FAILED;
+	down = j->flags & (JF_STOP | JF_FAILED);
+	if (comparam == IP__IP4_IFADDR) {
+		argv = alloca(8 * sizeof(char *));
+		*(const char **)&argv[0] = _PATH_IFCONFIG;
+		if ((cs = strchr(comstring->s, '|'))) {
+			argv[1] = alloca(cs - comstring->s + 1);
+			strlcpy(argv[1], comstring->s, cs - comstring->s + 1);
+			addr = cs + 1;
+		} else {
+			*(const char **)&argv[1] =
+			    string_param(j->intparams[IP_INTERFACE]);
+			addr = comstring->s;
+		}
+		*(const char **)&argv[2] = "inet";
+		if (!(cs = strchr(addr, '/'))) {
+			argv[3] = addr;
+			*(const char **)&argv[4] = "netmask";
+			*(const char **)&argv[5] = "255.255.255.255";
+			argc = 6;
+		} else if (strchr(cs + 1, '.')) {
+			argv[3] = alloca(cs - addr + 1);
+			strlcpy(argv[3], addr, cs - addr + 1);
+			*(const char **)&argv[4] = "netmask";
+			*(const char **)&argv[5] = cs + 1;
+			argc = 6;
+		} else {
+			argv[3] = addr;
+			argc = 4;
+		}
+		*(const char **)&argv[argc] = down ? "-alias" : "alias";
+		argv[argc + 1] = NULL;
+		j->flags |= JF_IFUP;
+#ifdef INET6
+	} else if (comparam == IP__IP6_IFADDR) {
+		argv = alloca(8 * sizeof(char *));
+		*(const char **)&argv[0] = _PATH_IFCONFIG;
+		if ((cs = strchr(comstring->s, '|'))) {
+			argv[1] = alloca(cs - comstring->s + 1);
+			strlcpy(argv[1], comstring->s, cs - comstring->s + 1);
+			addr = cs + 1;
+		} else {
+			*(const char **)&argv[1] =
+			    string_param(j->intparams[IP_INTERFACE]);
+			addr = comstring->s;
+		}
+		*(const char **)&argv[2] = "inet6";
+		argv[3] = addr;
+		if (!(cs = strchr(addr, '/'))) {
+			*(const char **)&argv[4] = "prefixlen";
+			*(const char **)&argv[5] = "128";
+			argc = 6;
+		} else
+			argc = 4;
+		*(const char **)&argv[argc] = down ? "-alias" : "alias";
+		argv[argc + 1] = NULL;
+		j->flags |= JF_IFUP;
+#endif
+	} else if (comparam == IP_VNET_INTERFACE) {
+		argv = alloca(5 * sizeof(char *));
+		*(const char **)&argv[0] = _PATH_IFCONFIG;
+		argv[1] = comstring->s;
+		*(const char **)&argv[2] = down ? "-vnet" : "vnet";
+		jidstr = string_param(j->intparams[KP_JID]);
+		*(const char **)&argv[3] =
+			jidstr ? jidstr : string_param(j->intparams[KP_NAME]);
+		argv[4] = NULL;
+		j->flags |= JF_IFUP;
+	} else if (comparam == IP_MOUNT) {
+		argv = alloca(8 * sizeof(char *));
+		comcs = alloca(comstring->len + 1);
+		strcpy(comcs, comstring->s);
+		argc = 0;
+		for (cs = strtok(comcs, " \t\f\v\r\n"); cs && argc < 4;
+		     cs = strtok(NULL, " \t\f\v\r\n"))
+			argv[argc++] = cs;
+		if (argc < 3) {
+			jail_warnx(j, "mount: %s: missing information",
+			    comstring->s);
+			failed(j);
+			return -1;
+		}
+		if (down) {
+			argv[4] = NULL;
+			argv[3] = argv[1];
+			*(const char **)&argv[0] = "/sbin/umount";
+		} else {
+			if (argc == 4) {
+				argv[7] = NULL;
+				argv[6] = argv[1];
+				argv[5] = argv[0];
+				argv[4] = argv[3];
+				*(const char **)&argv[3] = "-o";
+			} else {
+				argv[5] = NULL;
+				argv[4] = argv[1];
+				argv[3] = argv[0];
+			}
+			*(const char **)&argv[0] = _PATH_MOUNT;
+		}
+		*(const char **)&argv[1] = "-t";
+		j->flags |= JF_MOUNTED;
+	} else if (comparam == IP_MOUNT_FSTAB) {
+		argv = alloca(4 * sizeof(char *));
+		*(const char **)&argv[0] = down ? "/sbin/umount" : _PATH_MOUNT;
+		*(const char **)&argv[1] = "-aF";
+		argv[2] = comstring->s;
+		argv[3] = NULL;
+		j->flags |= JF_MOUNTED;
+	} else if (comparam == IP_MOUNT_DEVFS) {
+		path = string_param(j->intparams[KP_PATH]);
+		if (path == NULL) {
+			jail_warnx(j, "mount.devfs: no path");
+			failed(j);
+			return -1;
+		}
+		if (down) {
+			argv = alloca(3 * sizeof(char *));
+			*(const char **)&argv[0] = "/sbin/umount";
+			argv[1] = alloca(strlen(path) + 5);
+			sprintf(argv[1], "%s/dev", path);
+			argv[2] = NULL;
+		} else {
+			argv = alloca(4 * sizeof(char *));
+			*(const char **)&argv[0] = _PATH_BSHELL;
+			*(const char **)&argv[1] = "-c";
+			ruleset = string_param(j->intparams
+			    [IP_MOUNT_DEVFS_RULESET]);
+			argv[2] = alloca(strlen(path) +
+			    (ruleset ? strlen(ruleset) + 1 : 0) + 56);
+			sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; "
+			    "devfs_mount_jail %s/dev%s%s", path,
+			    ruleset ? " " : "", ruleset ? ruleset : "");
+			argv[3] = NULL;
+		}
+		j->flags |= JF_MOUNTED;
+	} else if (comparam == IP_COMMAND && j->name == NULL) {
+		argc = 0;
+		STAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
+			argc++;
+		argv = alloca((argc + 1) * sizeof(char *));
+		argc = 0;
+		STAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
+			argv[argc++] = s->s;
+		argv[argc] = NULL;
+		j->comstring = NULL;
+	} else if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) &&
+		   !(cs[0] == '&' && cs[1] == '\0')) {
+		argv = alloca(4 * sizeof(char *));
+		*(const char **)&argv[0] = _PATH_BSHELL;
+		*(const char **)&argv[1] = "-c";
+		argv[2] = comstring->s;
+		argv[3] = NULL;
+	} else {
+		if (cs) {
+			*cs = 0;
+			bg = 1;
+		}
+		comcs = alloca(comstring->len + 1);
+		strcpy(comcs, comstring->s);	
+		argc = 0;
+		for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
+		     cs = strtok(NULL, " \t\f\v\r\n"))
+			argc++;
+		argv = alloca((argc + 1) * sizeof(char *));
+		strcpy(comcs, comstring->s);	
+		argc = 0;
+		for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
+		     cs = strtok(NULL, " \t\f\v\r\n"))
+			argv[argc++] = cs;
+		argv[argc] = NULL;
+	}
+	if (argv[0] == NULL)
+		return 0;
+
+	j->pstatus = 0;
+	if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) &&
+	    timeout != 0) {
+		clock_gettime(CLOCK_REALTIME, &j->timeout);
+		j->timeout.tv_sec += timeout;
+	} else
+		j->timeout.tv_sec = 0;
+
+	injail = comparam == IP_EXEC_START || comparam == IP_COMMAND ||
+	    comparam == IP_EXEC_STOP;
+	clean = bool_param(j->intparams[IP_EXEC_CLEAN]);
+	username = string_param(j->intparams[injail
+	    ? IP_EXEC_JAIL_USER : IP_EXEC_SYSTEM_USER]);
+	sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]);
+
+	consfd = 0;
+	if (injail &&
+	    (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) {
+		consfd =
+		    open(conslog, O_WRONLY | O_CREAT | O_APPEND, DEFFILEMODE);
+		if (consfd < 0) {
+			jail_warnx(j, "open %s: %s", conslog, strerror(errno));
+			failed(j);
+			return -1;
+		}
+	}
+
+	comlen = 0;
+	for (i = 0; argv[i]; i++)
+		comlen += strlen(argv[i]) + 1;
+	j->comline = cs = emalloc(comlen);
+	for (i = 0; argv[i]; i++) {
+		strcpy(cs, argv[i]);
+		if (argv[i + 1]) {
+			cs += strlen(argv[i]) + 1;
+			cs[-1] = ' ';
+		}
+	}
+	if (verbose > 0)
+		jail_note(j, "run command%s%s%s: %s\n",
+		    injail ? " in jail" : "", username ? " as " : "",
+		    username ? username : "", j->comline);
+
+	pid = fork();
+	if (pid < 0)
+		err(1, "fork");
+	if (pid > 0) {
+		if (bg) {
+			j->flags |= JF_BACKGROUND;
+			requeue(j, &ready);
+		} else {
+			--*plimit;
+			add_proc(j, pid);
+		}
+		return 1;
+	}
+	if (bg)
+		setsid();
+
+	pwd = NULL;
+	lcap = NULL;
+	if ((clean || username) && injail && sjuser &&
+	    get_user_info(j, username, &pwd, &lcap) < 0)
+		exit(1);
+	if (injail) {
+		/* jail_attach won't chdir along with its chroot. */
+		path = string_param(j->intparams[KP_PATH]);
+		if (path && chdir(path) < 0) {
+			jail_warnx(j, "chdir %s: %s", path, strerror(errno));
+			exit(1);
+		}
+		if (int_param(j->intparams[IP_EXEC_FIB], &fib) &&
+		    setfib(fib) < 0) {
+			jail_warnx(j, "setfib: %s", strerror(errno));
+			exit(1);
+		}
+		if (jail_attach(j->jid) < 0) {
+			jail_warnx(j, "jail_attach: %s", strerror(errno));
+			exit(1);
+		}
+	}
+	if (clean || username) {
+		if (!(injail && sjuser) &&
+		    get_user_info(j, username, &pwd, &lcap) < 0)
+			exit(1);
+		if (clean) {
+			term = getenv("TERM");
+			environ = &cleanenv;
+			setenv("PATH", "/bin:/usr/bin", 0);
+			setenv("TERM", term, 1);
+		}
+		if (setusercontext(lcap, pwd, pwd->pw_uid, username
+		    ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN
+		    : LOGIN_SETPATH | LOGIN_SETENV) < 0) {
+			jail_warnx(j, "setusercontext %s: %s", pwd->pw_name,
+			    strerror(errno));
+			exit(1);
+		}
+		login_close(lcap);
+		setenv("USER", pwd->pw_name, 1);
+		setenv("HOME", pwd->pw_dir, 1);
+		setenv("SHELL",
+		    *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
+		if (clean && chdir(pwd->pw_dir) < 0) {
+			jail_warnx(j, "chdir %s: %s",
+			    pwd->pw_dir, strerror(errno));
+			exit(1);
+		}
+		endpwent();
+	}
+
+	if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) {
+		jail_warnx(j, "exec.consolelog: %s", strerror(errno));
+		exit(1);
+	}
+	closefrom(3);
+	execvp(argv[0], argv);
+	jail_warnx(j, "exec %s: %s", argv[0], strerror(errno));
+	exit(1);
+}
+
+/*
+ * Check command exit status
+ */
+int
+finish_command(struct cfjail *j, int *plimit)
+{
+	int error;
+
+	if (j->flags & (JF_RUNQ | JF_BACKGROUND))
+		return 0;
+	++*plimit;
+	if (!TAILQ_EMPTY(&runnable))
+		requeue(TAILQ_FIRST(&runnable), &ready);
+	error = 0;
+	if (j->flags & JF_TIMEOUT) {
+		j->flags &= ~JF_TIMEOUT;
+		if (j->comparam != IP_STOP_TIMEOUT) {
+			jail_warnx(j, "%s: timed out", j->comline);
+			failed(j);
+			error = -1;
+		} else if (verbose > 0)
+			jail_note(j, "timed out\n");
+	} else if (j->pstatus != 0) {
+		if (WIFSIGNALED(j->pstatus))
+			jail_warnx(j, "%s: exited on signal %d",
+			    j->comline, WTERMSIG(j->pstatus));
+		else
+			jail_warnx(j, "%s: failed", j->comline);
+		failed(j);
+		error = -1;
+	}
+	free(j->comline);
+	return error;
+}
+
+/*
+ * Check for finished processed or timeouts.
+ */
+struct cfjail *
+next_proc(int nonblock)
+{
+	struct kevent ke;
+	struct timespec ts;
+	struct timespec *tsp;
+	struct cfjail *j;
+
+	if (!TAILQ_EMPTY(&sleeping)) {
+	again:
+		tsp = NULL;
+		if ((j = TAILQ_FIRST(&sleeping)) && j->timeout.tv_sec) {
+			clock_gettime(CLOCK_REALTIME, &ts);
+			ts.tv_sec = j->timeout.tv_sec - ts.tv_sec;
+			ts.tv_nsec = j->timeout.tv_nsec - ts.tv_nsec;
+			if (ts.tv_nsec < 0) {
+				ts.tv_sec--;
+				ts.tv_nsec += 1000000000;
+			}
+			if (ts.tv_sec < 0 ||
+			    (ts.tv_sec == 0 && ts.tv_nsec == 0)) {
+				j->flags |= JF_TIMEOUT;
+				clear_procs(j);
+				return j;
+			}
+			tsp = &ts;
+		}
+		if (nonblock) {
+			ts.tv_sec = 0;
+			ts.tv_nsec = 0;
+			tsp = &ts;
+		}
+		switch (kevent(kq, NULL, 0, &ke, 1, tsp)) {
+		case -1:
+			if (errno != EINTR)
+				err(1, "kevent");
+			goto again;
+		case 0:
+			if (!nonblock) {
+				j = TAILQ_FIRST(&sleeping);
+				j->flags |= JF_TIMEOUT;
+				clear_procs(j);
+				return j;
+			}
+			break;
+		case 1:
+			(void)waitpid(ke.ident, NULL, WNOHANG);
+			if ((j = find_proc(ke.ident))) {
+				j->pstatus = ke.data;
+				return j;
+			}
+			goto again;
+		}
+	}
+	return NULL;
+}
+
+/*
+ * Send SIGTERM to all processes in a jail and wait for them to die.
+ */
+int
+term_procs(struct cfjail *j)
+{
+	struct kinfo_proc *ki;
+	int i, noted, pcnt, timeout;
+
+	static kvm_t *kd;
+
+	if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout))
+		timeout = DEFAULT_STOP_TIMEOUT;
+	else if (timeout == 0)
+		return 0;
+
+	if (kd == NULL) {
+		kd = kvm_open(NULL, NULL, NULL, O_RDONLY, "jail");
+		if (kd == NULL)
+			exit(1);
+	}
+
+	ki = kvm_getprocs(kd, KERN_PROC_PROC, 0, &pcnt);
+	if (ki == NULL)
+		exit(1);
+	noted = 0;
+	for (i = 0; i < pcnt; i++)
+		if (ki[i].ki_jid == j->jid &&
+		    kill(ki[i].ki_pid, SIGTERM) == 0) {
+			add_proc(j, ki[i].ki_pid);
+			if (verbose > 0) {
+				if (!noted) {
+					noted = 1;
+					jail_note(j, "sent SIGTERM to:");
+				}
+				printf(" %d", ki[i].ki_pid);
+			}
+		}
+	if (noted)
+		printf("\n");
+	if (j->nprocs > 0) {
+		clock_gettime(CLOCK_REALTIME, &j->timeout);
+		j->timeout.tv_sec += timeout;
+		return 1;
+	}
+	return 0;
+}
+
+/*
+ * Add a process to the hash, tied to a jail.
+ */
+static void
+add_proc(struct cfjail *j, pid_t pid)
+{
+	struct kevent ke;
+	struct cfjail *tj;
+	struct phash *ph;
+
+	if (!kq && (kq = kqueue()) < 0)
+		err(1, "kqueue");
+	EV_SET(&ke, pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
+	if (kevent(kq, &ke, 1, NULL, 0, NULL) < 0)
+		err(1, "kevent");
+	ph = emalloc(sizeof(struct phash));
+	ph->j = j;
+	ph->pid = pid;
+	LIST_INSERT_HEAD(&phash[pid % PHASH_SIZE], ph, le);
+	j->nprocs++;
+	if (j->timeout.tv_sec) {
+		TAILQ_REMOVE(j->queue, j, tq);
+		TAILQ_FOREACH(tj, &sleeping, tq) {
+			if (!tj->timeout.tv_sec ||
+			    j->timeout.tv_sec < tj->timeout.tv_sec ||
+			    (j->timeout.tv_sec == tj->timeout.tv_sec &&
+			    j->timeout.tv_nsec <= tj->timeout.tv_nsec)) {
+				TAILQ_INSERT_BEFORE(tj, j, tq);
+				break;
+			}
+		}
+		if (tj == NULL)
+			TAILQ_INSERT_TAIL(&sleeping, j, tq);
+		j->queue = &sleeping;
+	} else
+		requeue(j, &sleeping);
+}
+
+/*
+ * Remove any processes from the hash that correspond to a jail.
+ */
+static void
+clear_procs(struct cfjail *j)
+{
+	struct kevent ke;
+	struct phash *ph, *tph;
+	int i;
+
+	j->nprocs = 0;
+	for (i = 0; i < PHASH_SIZE; i++)
+		LIST_FOREACH_SAFE(ph, &phash[i], le, tph)
+			if (ph->j == j) {
+				EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE,
+				    NOTE_EXIT, 0, NULL);
+				(void)kevent(kq, &ke, 1, NULL, 0, NULL);
+				LIST_REMOVE(ph, le);
+				free(ph);
+			}
+}
+
+/*
+ * Find the jail that corresponds to an exited process.
+ */
+static struct cfjail *
+find_proc(pid_t pid)
+{
+	struct cfjail *j;
+	struct phash *ph;
+
+	LIST_FOREACH(ph, &phash[pid % PHASH_SIZE], le)
+		if (ph->pid == pid) {
+			j = ph->j;
+			LIST_REMOVE(ph, le);
+			free(ph);
+			return --j->nprocs ? NULL : j;
+		}
+	return NULL;
+}
+
+/*
+ * Look up a user in the passwd and login.conf files.
+ */
+static int
+get_user_info(struct cfjail *j, const char *username,
+    const struct passwd **pwdp, login_cap_t **lcapp)
+{
+	const struct passwd *pwd;
+
+	*pwdp = pwd = username ? getpwnam(username) : getpwuid(getuid());
+	if (pwd == NULL) {
+		if (errno)
+			jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "",
+			    username ? username : "", strerror(errno));
+		else if (username)
+			jail_warnx(j, "%s: no such user", username);
+		else
+			jail_warnx(j, "unknown uid %d", getuid());
+		return -1;
+	}
+	*lcapp = login_getpwclass(pwd);
+	if (*lcapp == NULL) {
+		jail_warnx(j, "getpwclass %s: %s", pwd->pw_name,
+		    strerror(errno));
+		return -1;
+	}
+	/* Set the groups while the group file is still available */
+	if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
+		jail_warnx(j, "initgroups %s: %s", pwd->pw_name,
+		    strerror(errno));
+		return -1;
+	}
+	return 0;
+}

Added: projects/jailconf/usr.sbin/jail/config.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ projects/jailconf/usr.sbin/jail/config.c	Wed Oct 20 20:42:33 2010	(r214117)
@@ -0,0 +1,786 @@
+/*-
+ * Copyright (c) 2010 James Gritton
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/sysctl.h>
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+
+#include <err.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "jailp.h"
+
+struct ipspec {
+	const char	*name;
+	enum intparam	ipnum;
+	unsigned	flags;
+};
+
+extern FILE *yyin;
+extern int yynerrs;
+
+struct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails);
+
+static int cmp_intparam(const void *a, const void *b);
+static void free_param(struct cfparams *pp, struct cfparam *p);
+static void free_param_strings(struct cfparam *p);
+
+/* Note these must be in sort order */
+static const struct ipspec intparams[] = {
+    {"allow.dying",		IP_ALLOW_DYING,		PF_INTERNAL | PF_BOOL },
+    {"allow.nodying",		IP_ALLOW_DYING,		PF_INTERNAL | PF_BOOL },
+    {"command",			IP_COMMAND,		PF_INTERNAL },
+    {"depend",			IP_DEPEND,		PF_INTERNAL },
+    {"exec.clean",		IP_EXEC_CLEAN,		PF_INTERNAL | PF_BOOL },
+    {"exec.consolelog",		IP_EXEC_CONSOLELOG,	PF_INTERNAL },
+    {"exec.fib",		IP_EXEC_FIB,		PF_INTERNAL | PF_INT },
+    {"exec.jail_user",		IP_EXEC_JAIL_USER,	PF_INTERNAL },
+    {"exec.noclean",		IP_EXEC_CLEAN,		PF_INTERNAL | PF_BOOL },
+    {"exec.nosystem_jail_user",IP_EXEC_SYSTEM_JAIL_USER,PF_INTERNAL | PF_BOOL },
+    {"exec.poststart",		IP_EXEC_POSTSTART,	PF_INTERNAL },
+    {"exec.poststop",		IP_EXEC_POSTSTOP,	PF_INTERNAL },
+    {"exec.prestart",		IP_EXEC_PRESTART,	PF_INTERNAL },
+    {"exec.prestop",		IP_EXEC_PRESTOP,	PF_INTERNAL },
+    {"exec.start",		IP_EXEC_START,		PF_INTERNAL },
+    {"exec.stop",		IP_EXEC_STOP,		PF_INTERNAL },
+    {"exec.system_jail_user", IP_EXEC_SYSTEM_JAIL_USER,	PF_INTERNAL | PF_BOOL },
+    {"exec.system_user",	IP_EXEC_SYSTEM_USER,	PF_INTERNAL },
+    {"exec.timeout",		IP_EXEC_TIMEOUT,	PF_INTERNAL | PF_INT },
+    {"host.hostname",		KP_HOSTNAME,		0 },
+    {"interface",		IP_INTERFACE,		PF_INTERNAL },
+    {"ip4.addr",		KP_IP4_ADDR,		0 },
+#ifdef INET6
+    {"ip6.addr",		KP_IP6_ADDR,		0 },
+#endif
+    {"ip_hostname",		IP_IP_HOSTNAME,		PF_INTERNAL | PF_BOOL },
+    {"jid",			KP_JID,			PF_INT },
+    {"mount",			IP_MOUNT,		PF_INTERNAL },
+    {"mount.devfs",		IP_MOUNT_DEVFS,		PF_INTERNAL | PF_BOOL },
+    {"mount.devfs.ruleset",	IP_MOUNT_DEVFS_RULESET,	PF_INTERNAL },
+    {"mount.fstab",		IP_MOUNT_FSTAB,		PF_INTERNAL },
+    {"mount.nodevfs",		IP_MOUNT_DEVFS,		PF_INTERNAL | PF_BOOL },
+    {"name",			KP_NAME,		0 },
+    {"noip_hostname",		IP_IP_HOSTNAME,		PF_INTERNAL | PF_BOOL },
+    {"nopersist",		KP_PERSIST,		PF_BOOL },
+    {"path",			KP_PATH,		0 },
+    {"persist",			KP_PERSIST,		PF_BOOL },
+    {"stop.timeout",		IP_STOP_TIMEOUT,	PF_INTERNAL | PF_INT },
+    {"vnet",			KP_VNET,		0 },
+    {"vnet.interface",		IP_VNET_INTERFACE,	PF_INTERNAL },
+};
+
+/*
+ * Parse the jail configuration file.
+ */
+void
+load_config(void)
+{
+	struct cfjails wild;
+	struct cfparams opp;
+	struct cfjail *j, *tj, *wj;
+	struct cfparam *p, *vp, *tp;
+	struct cfstring *s, *vs, *ns;
+	struct cfvar *v;
+	char *ep;
+	size_t varoff;
+	int did_self, jseq, pgen;
+
+	if (!strcmp(cfname, "-")) {
+		cfname = "STDIN";
+		yyin = stdin;
+	} else {
+		yyin = fopen(cfname, "r");
+		if (!yyin)
+			err(1, "%s", cfname);
+	}
+	if (yyparse() || yynerrs)
+		exit(1);
+
+	/* Separate the wildcard jails out from the actual jails. */
+	jseq = 0;
+	TAILQ_INIT(&wild);
+	TAILQ_FOREACH_SAFE(j, &cfjails, tq, tj) {
+		j->seq = ++jseq;
+		if (wild_jail_name(j->name))
+			requeue(j, &wild);
+	}
+
+	TAILQ_FOREACH(j, &cfjails, tq) {
+		/* Set aside the jail's parameters. */
+		TAILQ_INIT(&opp);
+		TAILQ_CONCAT(&opp, &j->params, tq);
+		/*
+		 * The jail name implies its "name" or "jid" parameter,
+		 * though they may also be explicitly set later on.
+		 */
+		add_param(j, NULL,
+		    strtol(j->name, &ep, 10) && !*ep ? "jid" : "name",
+		    j->name);
+		/*
+		 * Collect parameters for the jail, global parameters/variables,
+		 * and any matching wildcard jails.
+		 */
+		did_self = 0;
+		TAILQ_FOREACH(wj, &wild, tq) {
+			if (j->seq < wj->seq && !did_self) {
+				TAILQ_FOREACH(p, &opp, tq)
+					add_param(j, p, NULL, NULL);
+				did_self = 1;
+			}
+			if (wild_jail_match(j->name, wj->name))
+				TAILQ_FOREACH(p, &wj->params, tq)
+					add_param(j, p, NULL, NULL);
+		}
+		if (!did_self)
+			TAILQ_FOREACH(p, &opp, tq)
+				add_param(j, p, NULL, NULL);
+
+		/* Resolve any variable substitutions. */
+		pgen = 0;
+		TAILQ_FOREACH(p, &j->params, tq) {
+		    p->gen = ++pgen;
+		find_vars:
+		    STAILQ_FOREACH(s, &p->val, tq) {
+			varoff = 0;
+			while ((v = STAILQ_FIRST(&s->vars))) {
+				TAILQ_FOREACH(vp, &j->params, tq)
+					if (!strcmp(vp->name, v->name))
+						break;
+				if (!vp) {
+					jail_warnx(j,
+					    "%s: variable \"%s\" not found",
+					    p->name, v->name);
+				bad_var:
+					j->flags |= JF_FAILED;
+					TAILQ_FOREACH(vp, &j->params, tq)
+						if (vp->gen == pgen)
+							vp->flags |= PF_BAD;
+					goto free_var;
+				}
+				if (vp->flags & PF_BAD)
+					goto bad_var;
+				if (vp->gen == pgen) {
+					jail_warnx(j, "%s: variable loop",
+					    v->name);
+					goto bad_var;
+				}
+				STAILQ_FOREACH(vs, &vp->val, tq)
+					if (!STAILQ_EMPTY(&vs->vars)) {
+						vp->gen = pgen;
+						TAILQ_REMOVE(&j->params, vp,
+						    tq);
+						TAILQ_INSERT_BEFORE(p, vp, tq);
+						p = vp;
+						goto find_vars;
+					}
+				vs = STAILQ_FIRST(&vp->val);
+				if (STAILQ_NEXT(vs, tq) != NULL &&
+				    (s->s[0] != '\0' ||
+				     STAILQ_NEXT(v, tq))) {
+					jail_warnx(j, "%s: array cannot be "
+					    "substituted inline",
+					    p->name);
+					goto bad_var;
+				}
+				s->s = erealloc(s->s, s->len + vs->len + 1);
+				memmove(s->s + v->pos + varoff + vs->len,
+				    s->s + v->pos + varoff,
+				    s->len - (v->pos + varoff) + 1);
+				memcpy(s->s + v->pos + varoff, vs->s, vs->len);
+				varoff += vs->len;
+				s->len += vs->len;
+				while ((vs = STAILQ_NEXT(vs, tq))) {
+					ns = emalloc(sizeof(struct cfstring));
+					ns->s = estrdup(vs->s);
+					ns->len = vs->len;
+					STAILQ_INIT(&ns->vars);
+					STAILQ_INSERT_AFTER(&p->val, s, ns, tq);
+					s = ns;
+				}
+			free_var:
+				free(v->name);
+				STAILQ_REMOVE_HEAD(&s->vars, tq);
+				free(v);
+			}
+		    }
+		}
+
+		/* Free the jail's original parameter list and any variables. */
+		while ((p = TAILQ_FIRST(&opp)))
+			free_param(&opp, p);
+		TAILQ_FOREACH_SAFE(p, &j->params, tq, tp)
+			if (p->flags & PF_VAR)
+				free_param(&j->params, p);
+	}
+	while ((wj = TAILQ_FIRST(&wild))) {
+		free(wj->name);
+		while ((p = TAILQ_FIRST(&wj->params)))
+			free_param(&wj->params, p);
+		TAILQ_REMOVE(&wild, wj, tq);
+	}
+}
+
+/*
+ * Create a new jail record.
+ */
+struct cfjail *
+add_jail(void)
+{
+	struct cfjail *j;
+
+	j = emalloc(sizeof(struct cfjail));
+	memset(j, 0, sizeof(struct cfjail));
+	TAILQ_INIT(&j->params);
+	STAILQ_INIT(&j->dep[DEP_FROM]);
+	STAILQ_INIT(&j->dep[DEP_TO]);
+	j->queue = &cfjails;
+	TAILQ_INSERT_TAIL(&cfjails, j, tq);
+	return j;
+}
+
+/*
+ * Add a parameter to a jail.
+ */
+void
+add_param(struct cfjail *j, const struct cfparam *p, const char *name,
+    const char *value)
+{
+	struct cfstrings nss;
+	struct cfparam *dp, *np;
+	struct cfstring *s, *ns;
+	struct cfvar *v, *nv;
+	unsigned flags;
+
+	if (j == NULL) {
+		/* Create a single anonymous jail if one doesn't yet exist. */
+		j = TAILQ_LAST(&cfjails, cfjails);
+		if (j == NULL)
+			j = add_jail();
+	}
+	STAILQ_INIT(&nss);
+	if (p != NULL) {
+		name = p->name;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-src-projects mailing list