jail: fix backfilling the "name" for jid-named jails
ClosedPublic
Actions

Authored by kevans on Aug 8 2025, 5:59 PM.

Details

Reviewers

jamie

Group Reviewers

Jails

Commits

rGb81fd3fc8b20: jail: fix backfilling the "name" for jid-named jails

Summary

Using the cfparam variant of add_param() will actually copy the name and
flags from the passed-in param, which I hadn't considered. We actually
want the name/flags from the "name" param so that we can do variable
expansion against it right after that -- otherwise it cannot be found,
since variable expansion actually searches by name.

While we're here, jls -e was the intermediate name for jls -c that
never saw the light of the day. Fix our existence test.

Fixes: 02944d8c49 ("jail: consistently populate the KP_JID [...]")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kevans created this revision.Aug 8 2025, 5:59 PM

Herald added a subscriber: imp. · View Herald TranscriptAug 8 2025, 5:59 PM

kevans requested review of this revision.Aug 8 2025, 5:59 PM

Harbormaster completed remote builds in B66120: Diff 160080.Aug 8 2025, 5:59 PM

Gentle ping; this is the result of a discussion on the mailing list about how jid { host.hostname = "${name}" } doesn't work; it almost works in FreeBSD 15.0, but we end up not resolving the "name" variable because I had inadvertently copied the name of the jid parameter into this value for the KP_NAME due to how add_param() works when passed a cfparam instead of a string value.

The current behavior is that if the jail block opens with a number instead of a string the number is bound to the jid parameter and the name parameter is left unbound. This means there're probably existing configurations in someone's production that use this way to set the jid and assign the name inside the jail block e.g. 42 { name = "my_jail"; } instead of my_jail { jid = 42; }. Changing this long standing, but underdocumented behaviour would break those jail configurations. :-/

In D51831#1186084, @crest_freebsd_rlwinm.de wrote:

The current behavior is that if the jail block opens with a number instead of a string the number is bound to the jid parameter and the name parameter is left unbound. This means there're probably existing configurations in someone's production that use this way to set the jid and assign the name inside the jail block e.g. 42 { name = "my_jail"; } instead of my_jail { jid = 42; }. Changing this long standing, but underdocumented behaviour would break those jail configurations. :-/

That's why this is positioned where it is, so that it doesn't override an existing name. You'll note the test line 212 is that exact scenario, but I guess it doesn't confirm explicitly that the name did not get overridden.

Yep, tried it out and it looks good now.

This revision is now accepted and ready to land.Aug 14 2025, 7:18 PM

Closed by commit rGb81fd3fc8b20: jail: fix backfilling the "name" for jid-named jails (authored by kevans). · Explain WhyAug 16 2025, 5:40 PM

This revision was automatically updated to reflect the committed changes.

kevans added a commit: rGb81fd3fc8b20: jail: fix backfilling the "name" for jid-named jails.