Hello all, I very much liked the possibility to easily manage jails via rc.conf. Unfortunately I was missing some features. First, there are many security.jail.allow_* sysctls which didn't get attention. Second, I needed to allow different things on different jails. For example, only one distinct jail should have sysvIPC.
Please find attached a patch which extends rc.d to my needs. Some jail_start() modifications were necessary, and some cleanups could be done in the "Configuring jails:" section (not needed any more) and in the _ip_multi processing, since that's not needed any more. One has to separately define ip4 and ip6 addresses. They can be with or without mask, a single address or a comma-separated list, it doesn't matter; thanks to the jail_handle_ips_option() coder, it just works :)
Thanks, -Harry
--- src/etc/defaults/rc.conf 2010-06-28 19:22:08.000000000 +0200
+++ src/etc/defaults/rc.conf 2010-07-03 09:54:55.000000000 +0200
@@ -642,8 +642,13 @@
 jail_enable="NO" # Set to NO to disable starting of any jails
 jail_list="" # Space separated list of names of jails
 jail_set_hostname_allow="YES" # Allow root user in a jail to change its hostname
-jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
 jail_sysvipc_allow="NO" # Allow SystemV IPC use from within a jail
+jail_socket_unixiproute_only="YES" # Route only TCP/IP within a jail
+jail_raw_sockets_allow="NO" # Prison root can create raw sockets
+jail_chflags_allow="NO" # Processes in jail can alter system file flags
+jail_mount_allow="NO" # Processes in jail can mount/unmount jail-friendly file systems
+jail_quotas_allow="NO" # The prison root may administer quotas on the jail's filesystem(s)
+socket_af_allow="NO" # Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route.
 #
 # To use rc's built-in jail infrastructure create entries for
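Review bot: The new global defaults in this hunk do not match the names the start code reads: the loop added in the `@@ -625,6 +636,15 @@` hunk of rc.d/jail falls back to `jail_allow_${relax}`, while this hunk defines `jail_raw_sockets_allow`, `jail_chflags_allow`, `jail_mount_allow`, `jail_quotas_allow` and an unprefixed `socket_af_allow`. Unless code outside the visible hunks still reads them, none of these defaults is consulted by that loop, so changing one of them would have no effect on the jail's permissions. I would name them after the lookup, e.g. `jail_allow_raw_sockets="NO"`, and give the last one the `jail_` prefix. The comment on `socket_af_allow` also describes the restriction rather than what setting YES permits.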
@@ -672,6 +677,14 @@
 #jail_example_procfs_enable="NO" # mount procfs in jail
 #jail_example_mount_enable="NO" # mount/umount jail's fs
 #jail_example_fstab="" # fstab(5) for mount/umount
+#jail_example_allow_set_hostname="NO" # This jail can set hostname
+#jail_example_allow_sysvipc="NO" # This jail can use SystemV IPC
+#jail_example_allow_raw_sockets="NO" # This jail can create raw sockets (ping)
+#jail_example_allow_chflags="NO" # This jail can alter it's filesystem flags
+#jail_example_allow_mount="NO" # This jail can mount jail friendly filesystems
+#jail_example_allow_quotas="NO" # This jail can modify quotas on it's filesystems
+#jail_example_allow_socket_af="NO" # This jail can use other protocol stacks than IP4, IP6 and local
+
 #jail_example_flags="-l -U root" # flags for jail(8)
 ##############################################################
--- src/etc/rc.d/jail 2010-06-28 19:22:11.000000000 +0200
+++ src/etc/rc.d/jail 2010-07-03 10:02:34.000000000 +0200
@@ -21,6 +21,8 @@
 start_cmd="jail_start"
 stop_cmd="jail_stop"
+jail_restrictions="set_hostname sysvipc raw_sockets chflags mount quotas socket_af"
+
 # init_variables _j
 # Initialize the various jail variables for jail _j.
 #
@@ -38,7 +40,8 @@
 _fdescdir="${_devdir}/fd"
 _procdir="${_rootdir}/proc"
 eval _hostname=\"\$jail_${_j}_hostname\"
- eval _ip=\"\$jail_${_j}_ip\"
+ eval _ip4=\"\$jail_${_j}_ip4\"
+ eval _ip6=\"\$jail_${_j}_ip6\"
 eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
 eval _exec=\"\$jail_${_j}_exec\"
@@ -122,8 +125,9 @@
 debug "$_j procfs enable: $_procfs"
 debug "$_j mount enable: $_mount"
 debug "$_j hostname: $_hostname"
- debug "$_j ip: $_ip"
- jail_show_addresses ${_j}
+ debug "$_j ip4: $_ip4"
+ debug "$_j ip6: $_ip6"
+# jail_show_addresses ${_j}
 debug "$_j interface: $_interface"
 debug "$_j fib: $_fib"
 debug "$_j root: $_rootdir"
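Review bot: In the `@@ -38,7 +40,8 @@` hunk of rc.d/jail, `jail_<name>_ip` is no longer read, and nothing warns an administrator whose rc.conf still sets it. Together with the `_ip_multi` loop disabled in the `@@ -531,18 +541,18 @@` hunk, an existing jail would be started with empty `_ip4`/`_ip6` and therefore without the addresses it was configured with, which is a silent change to its network isolation. I would keep reading the old variable and warn about it, e.g. `eval _ip=\"\$jail_${_j}_ip\"` followed by `[ -n "${_ip}" ] && warn "jail_${_j}_ip is obsolete; use jail_${_j}_ip4 and jail_${_j}_ip6"`. init_variables starts and ends outside the hunk.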
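Review bot: In the `@@ -122,8 +125,9 @@` hunk the call is commented out as `# jail_show_addresses ${_j}` instead of being deleted; the same is done to the whole function in `@@ -347,27 +351,27 @@` and to the `_ip_multi` loop in `@@ -531,18 +541,18 @@`. Commented-out code in a boot script reads as something that may be switched back on, and the header comment above the disabled function is left describing nothing. Version control keeps the history, so I would remove these lines outright.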
@@ -347,27 +351,27 @@
 # Debug print the input for the given _multi aliases
 # for a jail for init_variables().
 #
-jail_show_addresses()
-{
- local _j _type alias
- _j="$1"
- alias=0
-
- if [ -z "${_j}" ]; then
- warn "jail_show_addresses: you must specify a jail"
- return
- fi
-
- while : ; do
- eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
- if [ -n "${_addr}" ]; then
- debug "${_j} ip_multi${alias}: $_addr"
- alias=$((${alias} + 1))
- else
- break
- fi
- done
-}
+#jail_show_addresses()
+#{
+# local _j _type alias
+# _j="$1"
+# alias=0
+#
+# if [ -z "${_j}" ]; then
+# warn "jail_show_addresses: you must specify a jail"
+# return
+# fi
+#
+# while : ; do
+# eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
+# if [ -n "${_addr}" ]; then
+# debug "${_j} ip_multi${alias}: $_addr"
+# alias=$((${alias} + 1))
+# else
+# break
+# fi
+# done
+#}
 # jail_extract_address argument
 # The second argument is the string from one of the _ip
@@ -481,20 +485,26 @@
 *) ;;
 esac
- # Append address to list of addresses for the jail command.
- case "${_addrl}" in
- "") _addrl="${_addr}" ;;
- *) _addrl="${_addrl},${_addr}" ;;
- esac
-
 # Configure interface alias if requested by a given interface
 # and if we could correctly parse everything.
 case "${_iface}" in
 "") continue ;;
 esac
 case "${_type}" in
- inet) ;;
- inet6) ;;
+ inet) {
+ # Append address to list of addresses for the jail command.
+ case "${_addrl4}" in
+ "") _addrl4="${_addr}" ;;
+ *) _addrl4="${_addrl4},${_addr}" ;;
+ esac
+ };;
+ inet6) {
+ # Append address to list of addresses for the jail command.
+ case "${_addrl6}" in
+ "") _addrl6="${_addr}" ;;
+ *) _addrl6="${_addrl6},${_addr}" ;;
+ esac
+ };;
 *) warn "Could not determine address family. Not going" \
 "to ${_action} address '${_addr}' for ${_jail}."
 continue
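Review bot: In the `@@ -481,20 +485,26 @@` hunk the code that appends `${_addr}` to the jail's address list now sits after the `case "${_iface}" in "") continue ;;` guard, whereas the removed block ran before it. Any address given without an interface therefore skips the append and never reaches `_addrl4`/`_addrl6`, so the jail would not be started with the address the administrator configured. The append should happen before the interface check, keyed on `${_type}`; this assumes `_type` is already set at that point, which the lines above the hunk suggest but do not show. The braces around each inner `case` are not needed either. The enclosing function starts and ends outside the hunk.

```shell
		# Record the address for the jail command first, so that
		# addresses without an interface are still passed to jail(8).
		case "${_type}" in
		inet)	_addrl4="${_addrl4:+${_addrl4},}${_addr}" ;;
		inet6)	_addrl6="${_addrl6:+${_addrl6},}${_addr}" ;;
		esac

		# … unchanged: "Configure interface alias" comment and empty ${_iface} guard …
		case "${_type}" in
		inet)	;;
		inet6)	;;
		# … unchanged: warn and continue for an unknown address family …
```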
@@ -531,18 +541,18 @@
 esac
 # Handle addresses.
- jail_handle_ips_option ${_action} "${_ip}"
+ jail_handle_ips_option ${_action} "${_ip4},${_ip6}"
 # Handle jail_xxx_ip_multi<N>
- alias=0
- while : ; do
- eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
- case "${_x}" in
- "") break ;;
- *) jail_handle_ips_option ${_action} "${_x}"
- alias=$((${alias} + 1))
- ;;
- esac
- done
+# alias=0
+# while : ; do
+# eval _x=\"\$jail_${_jail}_ip4_multi${alias}\"
+# case "${_x}" in
+# "") break ;;
+# *) jail_handle_ips_option ${_action} "${_x}"
+# alias=$((${alias} + 1))
+# ;;
+# esac
+# done
 }
 jail_start()
@@ -566,7 +576,8 @@
 echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
 continue;
 fi
- _addrl=""
+ _addrl4=""
+ _addrl6=""
 jail_ips "add"
 if [ -n "${_fib}" ]; then
 _setfib="setfib -F '${_fib}'"
@@ -625,6 +636,15 @@
 fi
 fi
 fi
+ _j_allow_parms=""
+ for relax in ${jail_restrictions}; do
+ eval _param_allow=\"\${jail_${_jail}_allow_${relax}:-\${jail_allow_$relax}}\"
+ [ -z "${_param_allow}" ] && _param_allow="NO"
+ checkyesno _param_allow && \
+ _j_allow_parms="${_j_allow_parms}allow.${relax}=1 "
+ debug "$_jail _allow_${relax}: $_param_allow"
+ done
+ debug "$_jail selectiv relaxation: $_j_allow_parms"
 _tmp_jail=${_tmp_dir}/jail.$$
 i=0
@@ -634,9 +654,10 @@
 ${out}
 i=$((i + 1))
 done
-
- eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
- \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1
+
+ eval ${_setfib} jail ${_flags} -i -c name=${_jail}\
+ path=${_rootdir} host.hostname=${_hostname} \
+ ip4.addr=${_addrl4} ip6.addr=${_addrl6} ${_j_allow_parms} command=${_exec_start} > ${_tmp_jail} 2>&1
 if [ "$?" -eq 0 ] ; then
 _jail_id=$(head -1 ${_tmp_jail})
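Review bot: In the `@@ -531,18 +541,18 @@` hunk, `"${_ip4},${_ip6}"` always contains a comma, so a jail with only one family configured passes a list with a leading or trailing empty element, and a jail with neither passes a bare `,`. Whether jail_handle_ips_option skips empty elements is not visible here; if it does not, it would go on to parse an empty address. I would call it once per family, `[ -n "${_ip4}" ] && jail_handle_ips_option ${_action} "${_ip4}"` and the same for `${_ip6}`. jail_ips starts outside the hunk.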
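Review bot: In the `@@ -625,6 +636,15 @@` hunk the loop only ever emits `allow.${relax}=1`; a value of NO adds nothing to `_j_allow_parms`. A permission that jail(8) grants by default when the parameter is absent can therefore not be switched off from rc.conf, and `jail_<name>_allow_set_hostname="NO"` would be such a case if set_hostname defaults to allowed, which should be confirmed against jail(8). I would pass the decision explicitly in both directions, so that the jail's permissions are exactly what rc.conf states. The loop sits inside jail_start, which starts and ends outside the hunk.

```shell
		for relax in ${jail_restrictions}; do
			# … unchanged: eval lookup and NO default …
			if checkyesno _param_allow; then
				_j_allow_parms="${_j_allow_parms}allow.${relax}=1 "
			else
				_j_allow_parms="${_j_allow_parms}allow.${relax}=0 "
			fi
			# … unchanged: debug line …
		done
```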
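Review bot: In the `@@ -634,9 +654,10 @@` hunk every value on the new `jail -c` line is expanded unquoted and then parsed again by `eval`, and the quoting the removed line had around the address list (`\"${_addrl}\"`) is gone. A path or hostname from rc.conf that contains whitespace or a shell metacharacter would be split or interpreted by the shell before jail(8) sees it. I would quote each value, e.g. `path=\"${_rootdir}\" host.hostname=\"${_hostname}\"` and `ip4.addr=\"${_addrl4}\" ip6.addr=\"${_addrl6}\"`. It is also worth confirming how jail(8) treats an empty `ip4.addr=` or `ip6.addr=`, since both are passed even when the list is empty. The statement sits inside jail_start, which starts and ends outside the hunk.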