On Feb 6, 2015, at 9:54, Jamie Gritton <ja...@freebsd.org> wrote:
> Author: jamie
> Date: Fri Feb 6 17:54:53 2015
> New Revision: 278323
> URL: https://svnweb.freebsd.org/changeset/base/278323
>
> Log:
> Add mount.procfs jail parameter, so procfs can be mounted when a prison's
> root is in its fstab.
>
> Also fix a typo while I'm at it.
>
> PR: 197237 197066
> MFC after: 3 days
>
> Modified:
> head/etc/rc.d/jail
> head/usr.sbin/jail/command.c
> head/usr.sbin/jail/config.c
> head/usr.sbin/jail/jail.8
> head/usr.sbin/jail/jail.c
> head/usr.sbin/jail/jailp.h
>
> Modified: head/etc/rc.d/jail
> ==============================================================================
> --- head/etc/rc.d/jail Fri Feb 6 17:43:13 2015 (r278322)
> +++ head/etc/rc.d/jail Fri Feb 6 17:54:53 2015 (r278323)
> @@ -28,7 +28,7 @@ extra_commands="config console status"
>
> need_dad_wait=
>
> -# extact_var jail name param num defval
> +# extract_var jail name param num defval
> # Extract value from ${jail_$jail_$name} or ${jail_$name} and
> # set it to $param. If not defined, $defval is used.
> # When $num is [0-9]*, ${jail_$jail_$name$num} are looked up and
> @@ -233,8 +233,7 @@ parse_options()
> fi
> eval : \${jail_${_j}_procfs_enable:=${jail_procfs_enable:-NO}}
> if checkyesno jail_${_j}_procfs_enable; then
> - echo " mount += " \
> - "\"procfs ${_rootdir%/}/proc procfs rw 0 0\";"
> + echo " mount.procfs;"
> fi
>
> eval : \${jail_${_j}_mount_enable:=${jail_mount_enable:-NO}}
>
> Modified: head/usr.sbin/jail/command.c
> ==============================================================================
> --- head/usr.sbin/jail/command.c Fri Feb 6 17:43:13 2015
> (r278322)
> +++ head/usr.sbin/jail/command.c Fri Feb 6 17:54:53 2015
> (r278323)
> @@ -112,6 +112,12 @@ next_command(struct cfjail *j)
> if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
> continue;
> j->comstring = &dummystring;
> + break;
> + case IP_MOUNT_PROCFS:
> + if (!bool_param(j->intparams[IP_MOUNT_PROCFS]))
> + continue;
> + j->comstring = &dummystring;
> + break;
Did you intend on adding another break? The code would previously fall through to the next case statement...
> case IP__OP:
> case IP_STOP_TIMEOUT:
> j->comstring = &dummystring;
> @@ -528,6 +534,32 @@ run_command(struct cfjail *j)
> }
> break;
>
> + case IP_MOUNT_PROCFS:
> + argv = alloca(7 * sizeof(char *));
> + path = string_param(j->intparams[KP_PATH]);
> + if (path == NULL) {
> + jail_warnx(j, "mount.procfs: no path");
> + return -1;
> + }
> + devpath = alloca(strlen(path) + 6);
> + sprintf(devpath, "%s/proc", path);
> + if (check_path(j, "mount.procfs", devpath, 0,
> down ? "procfs" : NULL) < 0)
> + return -1;
> + if (down) {
> + argv[0] = "/sbin/umount";
> + argv[1] = devpath;
> + argv[2] = NULL;
> + } else {
> + argv[0] = _PATH_MOUNT;
> + argv[1] = "-t";
> + argv[2] = "procfs";
> + argv[3] = ".";
> + argv[4] = devpath;
> + argv[5] = NULL;
> + }
> + break;
> +
> case IP_COMMAND:
> if (j->name != NULL)
> goto default_command;
>
> Modified: head/usr.sbin/jail/config.c
> ==============================================================================
> --- head/usr.sbin/jail/config.c Fri Feb 6 17:43:13 2015
> (r278322)
> +++ head/usr.sbin/jail/config.c Fri Feb 6 17:54:53 2015
> (r278323)
> @@ -84,6 +84,7 @@ static const struct ipspec intparams[] =
> [IP_MOUNT] = {"mount", PF_INTERNAL | PF_REV},
> [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL |
> PF_BOOL},
> [IP_MOUNT_FDESCFS] = {"mount.fdescfs", PF_INTERNAL | PF_BOOL},
> + [IP_MOUNT_PROCFS] = {"mount.procfs", PF_INTERNAL |
> PF_BOOL},
> [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
> [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL |
> PF_INT},
> [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
>
> Modified: head/usr.sbin/jail/jail.8
> ==============================================================================
> --- head/usr.sbin/jail/jail.8 Fri Feb 6 17:43:13 2015 (r278322)
> +++ head/usr.sbin/jail/jail.8 Fri Feb 6 17:54:53 2015 (r278323)
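Review bot: In the new IP_MOUNT_PROCFS case of run_command the `/proc` suffix length is hand-counted (`alloca(strlen(path) + 6)`) and the path is then written with an unbounded `sprintf`, so nothing ties the allocation size to the format; the count is right today, but a bounded write costs nothing and keeps a later edit of the suffix from turning into a stack overflow. Replace the two lines with `size_t dplen = strlen(path) + sizeof("/proc"); devpath = alloca(dplen); snprintf(devpath, dplen, "%s/proc", path);`. The neighbouring devfs/fdescfs cases presumably use the same pattern, so it may be worth fixing them in the same pass rather than only here. The start side uses `_PATH_MOUNT` while the stop side hardcodes `"/sbin/umount"`; if that asymmetry is deliberate a one-line comment saying so would help the next reader. run_command's body starts and ends outside the hunk.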
> @@ -25,7 +25,7 @@
> .\"
> .\" $FreeBSD$
> .\"
> -.Dd January 28, 2015
> +.Dd February 6, 2015
> .Dt JAIL 8
> .Os
> .Sh NAME
> @@ -753,6 +753,12 @@ Mount a
> filesystem on the chrooted
> .Pa /dev/fd
> directory.
> +.It Va mount.procfs
> +Mount a
> +.Xr procfs 5
> +filesystem on the chrooted
> +.Pa /proc
> +directory.
> .It Va allow.dying
> Allow making changes to a
> .Va dying
> @@ -1207,6 +1213,7 @@ environment of the first jail.
> .Xr jls 8 ,
> .Xr mount 8 ,
> .Xr named 8 ,
> +.Xr procfs 5 ,
> .Xr reboot 8 ,
> .Xr rpcbind 8 ,
> .Xr sendmail 8 ,
>
> Modified: head/usr.sbin/jail/jail.c
> ==============================================================================
> --- head/usr.sbin/jail/jail.c Fri Feb 6 17:43:13 2015 (r278322)
> +++ head/usr.sbin/jail/jail.c Fri Feb 6 17:54:53 2015 (r278323)
> @@ -93,6 +93,7 @@ static const enum intparam startcommands
> IP__MOUNT_FROM_FSTAB,
> IP_MOUNT_DEVFS,
> IP_MOUNT_FDESCFS,
> + IP_MOUNT_PROCFS,
> IP_EXEC_PRESTART,
> IP__OP,
> IP_VNET_INTERFACE,
> @@ -109,6 +110,7 @@ static const enum intparam stopcommands[
> IP_STOP_TIMEOUT,
> IP__OP,
> IP_EXEC_POSTSTOP,
> + IP_MOUNT_PROCFS,
> IP_MOUNT_FDESCFS,
> IP_MOUNT_DEVFS,
> IP__MOUNT_FROM_FSTAB,
>
> Modified: head/usr.sbin/jail/jailp.h
> ==============================================================================
> --- head/usr.sbin/jail/jailp.h Fri Feb 6 17:43:13 2015
> (r278322)
> +++ head/usr.sbin/jail/jailp.h Fri Feb 6 17:54:53 2015
> (r278323)
> @@ -96,6 +96,7 @@ enum intparam {
> IP_MOUNT, /* Mount points in fstab(5) form */
> IP_MOUNT_DEVFS, /* Mount /dev under prison root */
> IP_MOUNT_FDESCFS, /* Mount /dev/fd under prison root */
> + IP_MOUNT_PROCFS, /* Mount /proc under prison root */
> IP_MOUNT_FSTAB, /* A standard fstab(5) file */
> IP_STOP_TIMEOUT, /* Time to wait after sending SIGTERM */
> IP_VNET_INTERFACE, /* Assign interface(s) to vnet jail */
>