D40370.id122693.diff
Index: libexec/rc/rc.subr
===================================================================
--- libexec/rc/rc.subr
+++ libexec/rc/rc.subr
@@ -51,6 +51,9 @@
ID="/usr/bin/id"
IDCMD="if [ -x $ID ]; then $ID -un; fi"
PS="/bin/ps -ww"
+SERVICE=/usr/sbin/service
+JAIL_CMD=/usr/sbin/jail
+_svcj_generic_params="path=/ mount.nodevfs host=inherit"
JID=0
# rc_service provides the path to the service script that we are executing.
# This is not being set here in an execution context, necessarily, so it's
@@ -368,6 +371,16 @@
$_procname|$_procnamebn|${_procnamebn}:|"(${_procnamebn})"|"[${_procnamebn}]")'
fi
+ if checkyesno ${name}_svcj; then
+ JID=$(/usr/sbin/jls -j svcj-${name} jid)
+
+ case ${JID} in
+ ''|*[!0-9]*)
+ # svj-jail doesn't exist, fallback to host-check
+ JID=0
+ ;;
+ esac
+ fi
_proccheck="\
$PS 2>/dev/null -o pid= -o jid= -o command= $_psargs"' |
while read _npid _jid '"$_fp_args"'; do
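Review bot: The `JID=$(/usr/sbin/jls -j svcj-${name} jid)` assignment lets jls write its "jail not found" error to stderr on every check for a service whose jail does not exist, which is the normal case for anything not jailed, and the hardcoded `/usr/sbin/jls` is out of step with the `SERVICE` and `JAIL_CMD` variables the first hunk introduces for the same purpose. Suggest adding `JLS_CMD=/usr/sbin/jls` next to those and writing `JID=$($JLS_CMD -j svcj-${name} jid 2>/dev/null)`, leaving the numeric `case` below as the single place that decides between jail and host check. The enclosing function starts before this hunk.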
@@ -963,6 +976,18 @@
_pidcmd=
_procname=${procname:-${command}}
+ # If a specifc jail has a specific svcj request, honor it (YES/NO).
+ # If not (variable empty), evaluate the global svcj catch-call.
+ # A global YES can be overriden by a specific NO, and a global NO is overriden
+ # by a specific YES.
+ eval _svcj=\$${name}_svcj
+ if [ -z "$_svcj" ]; then
+ _svcj=${svcj_all_enable}
+ if [ -z "$_svcj" ]; then
+ eval ${name}_svcj=NO
+ fi
+ fi
+
# setup pid check command
if [ -n "$_procname" ]; then
if [ -n "$pidfile" ]; then
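Review bot: When `${name}_svcj` is empty and `svcj_all_enable` is set, the new block copies the global value into `_svcj` but never assigns `${name}_svcj`, so the later `checkyesno ${name}_svcj` calls in the start and stop paths still read an empty variable and, as far as I can tell from checkyesno's usual behaviour, warn and return false; a global YES would then never jail anything. Collapsing the nested `if` to `eval ${name}_svcj=\${svcj_all_enable:-NO}` gives the per-service variable a definite value in every case, and `_svcj` itself is not read anywhere in this diff and can be dropped. The comment above it also misspells "specifc", "catch-call" (catch-all) and "overriden". The enclosing function (run_rc_command) starts and ends outside this hunk.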
@@ -999,7 +1024,7 @@
_prepend=\$${name}_prepend _login_class=\${${name}_login_class:-daemon} \
_limits=\$${name}_limits _oomprotect=\$${name}_oomprotect \
_setup=\$${name}_setup _env_file=\$${name}_env_file \
- _umask=\$${name}_umask
+ _umask=\$${name}_umask _svcj_options=\$${name}_svcj_options
if [ -n "$_env_file" ] && [ -r "${_env_file}" ]; then # load env from file
set -a
@@ -1013,6 +1038,42 @@
fi
fi
+ if [ -n "$_svcj_options" ]; then # translate service jail options
+ _svcj_cmd_options=""
+
+ for _svcj_option in $_svcj_options; do
+ case "$_svcj_option" in
+ netv4)
+ _svcj_cmd_options="ip4=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ netv6)
+ _svcj_cmd_options="ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ net_basic)
+ _svcj_cmd_options="ip4=inherit ip6=inherit allow.reserved_ports ${_svcj_cmd_options}"
+ ;;
+ net_raw)
+ _svcj_cmd_options="allow.raw_sockets ${_svcj_cmd_options}"
+ ;;
+ net_all)
+ _svcj_cmd_options="allow.socket_af allow.raw_sockets allow.reserved_ports ip4=inherit ip6=inherit ${_svcj_cmd_options}"
+ ;;
+ sysvipc)
+ _svcj_cmd_options="sysvmsg=inherit sysvsem=inherit sysvshm=inherit ${_svcj_cmd_options}"
+ ;;
+ mlock)
+ _svcj_cmd_options="allow.mlock ${_svcj_cmd_options}"
+ ;;
+ vmm)
+ _svcj_cmd_options="allow.vmm ${_svcj_cmd_options}"
+ ;;
+ *)
+ echo ${name}: unknown service jail option: $_svcj_option
+ ;;
+ esac
+ done
+ fi
+
[ -z "$autoboot" ] && eval $_pidcmd # determine the pid if necessary
for _elem in $_keywords; do
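Review bot: `_svcj_cmd_options=""` is only reset inside `if [ -n "$_svcj_options" ]`, so a service with no options keeps whatever an earlier invocation in the same shell or the environment left in that variable, and those words are later handed unquoted to `jail -c`; move the reset above the `if`. The `*)` arm reports an unknown option with an unquoted `echo` to stdout and then carries on, so a typo in `${name}_svcj_options` quietly starts the service in a jail lacking the intended permission; `warn "${name}: unknown service jail option: $_svcj_option"` puts it on stderr alongside rc's other diagnostics and quotes the expansions. The enclosing function (run_rc_command) starts and ends outside this hunk.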
@@ -1058,9 +1119,50 @@
if [ -n "$_env" ]; then
eval "export -- $_env"
fi
- _run_rc_precmd || return 1
- _run_rc_doit "$_cmd $rc_extra_args" || return 1
- _run_rc_postcmd
+
+ if [ "${_rc_svcj}" != jailing ]; then
+ _run_rc_precmd || return 1
+ fi
+ if ! checkyesno ${name}_svcj; then
+ _run_rc_doit "$_cmd $rc_extra_args" || return 1
+ else
+ case "$rc_arg" in
+ start)
+ if [ "${_rc_svcj}" != jailing ]; then
+ _return=1
+ $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \
+ exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
+ exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
+ exec.consolelog="/var/log/svcj_${name}_console.log" \
+ name=svcj-${name} && _return=0
+ else
+ _run_rc_doit "$_cmd $rc_extra_args" || _return=1
+ fi
+ ;;
+ stop)
+ if [ "${_rc_svcj}" != jailing ]; then
+ $SERVICE -E _rc_svcj=jailing -j svcj-${name} ${name} ${_rc_prefix}stop $rc_extra_args || _return=1
+ $JAIL_CMD -r svcj-${name} 2>/dev/null
+ else
+ _run_rc_doit "$_cmd $rc_extra_args" || _return=1
+ fi
+ ;;
+ restart|status) ;; # no special case needed for svcj or handled somewhere else
+ *)
+if checkyesno ${name}_svcj; then
+echo INFO: non-standard command \"$rc_arg\" detected, not executing it in the service-jail.
+fi
+# if [ "${_rc_svcj}" != jailing ]; then
+# $SERVICE -j svcj-${name} ${name} ${_rc_prefix}${rc_arg} $rc_extra_args || _return=1
+# else
+ _run_rc_doit "$_cmd $rc_extra_args" || _return=1
+# fi
+ ;;
+ esac
+ fi
+ if [ "${_rc_svcj}" != jailing ]; then
+ _run_rc_postcmd
+ fi
return $_return
fi
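Review bot: The `*)` arm of the svcj `case` keeps a commented-out alternative (the `# if`, `# $SERVICE -j`, `# else`, `# fi` lines) and re-tests `if checkyesno ${name}_svcj`, which cannot be false because the whole `case` is already in the `else` branch of `if ! checkyesno ${name}_svcj`. Drop the dead lines and the inner `if`, leaving `echo "INFO: non-standard command \"$rc_arg\" detected, not executing it in the service-jail."` followed by `_run_rc_doit "$_cmd $rc_extra_args" || _return=1`. The `$JAIL_CMD -c ...` invocation in the `start` arm is repeated verbatim in the later start hunk (the block after `if checkyesno ${name}_svcj; then` around 1230), so a shared helper would keep the two jail definitions from drifting apart. The enclosing function starts and ends outside this hunk.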
@@ -1118,9 +1220,21 @@
return 1
fi
- if ! _run_rc_precmd; then
- warn "failed precmd routine for ${name}"
- return 1
+ if [ "${_rc_svcj}" != jailing ]; then
+ if ! _run_rc_precmd; then
+ warn "failed precmd routine for ${name}"
+ return 1
+ fi
+ fi
+
+ if checkyesno ${name}_svcj; then
+ if [ "${_rc_svcj}" != jailing ]; then
+ $JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\
+ exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
+ exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
+ exec.consolelog="/var/log/svcj_${name}_console.log" \
+ name=svcj-${name} || return 1
+ fi
fi
# setup the full command to run
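Review bot: On the `$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options\` line the backslash directly follows the expansion with no space, so after line joining the shell parses the parameter name as `_svcj_cmd_optionsexec`, which is unset, and passes the remainder `.start="..."` to jail(8) as a malformed parameter instead of `exec.start=...`; the jail's start command is lost and the option words are dropped. The same five lines appear verbatim in the earlier hunk ending in `name=svcj-${name} && _return=0`, so I would move them into one helper (defined next to the other svcj helpers, outside this hunk) and call it here as `_svcj_create_jail || return 1`. The enclosing function starts and ends outside this hunk.
```sh
_svcj_create_jail() {
	# Create the service jail for ${name}.  The rc invocations run inside
	# it are marked with _rc_svcj=jailing so precmd/postcmd stay on the host.
	$JAIL_CMD -c $_svcj_generic_params $_svcj_cmd_options \
	    exec.start="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}start $rc_extra_args" \
	    exec.stop="${SERVICE} -E _rc_svcj=jailing ${name} ${_rc_prefix}stop $rc_extra_args" \
	    exec.consolelog="/var/log/svcj_${name}_console.log" \
	    name=svcj-${name}
}

# … unchanged: precmd handling …
	if checkyesno ${name}_svcj; then
		if [ "${_rc_svcj}" != jailing ]; then
			_svcj_create_jail || return 1
		fi
	fi
```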
@@ -1163,16 +1277,28 @@
# Prepend default limits
_doit="$_cd limits -C $_login_class $_limits $_doit"
+
+ local _really_run_it=true
+ if checkyesno ${name}_svcj; then
+ if [ "${_rc_svcj}" != jailing ]; then
+ _really_run_it=false
+ fi
+ fi
+
+ if [ "$_really_run_it" = true ]; then
# run the full command
#
- if ! _run_rc_doit "$_doit"; then
- warn "failed to start ${name}"
- return 1
+ if ! _run_rc_doit "$_doit"; then
+ warn "failed to start ${name}"
+ return 1
+ fi
fi
+ if [ "${_rc_svcj}" != jailing ]; then
# finally, run postcmd
#
- _run_rc_postcmd
+ _run_rc_postcmd
+ fi
;;
stop)
@@ -1194,6 +1320,11 @@
# and run postcmd.
wait_for_pids $rc_pid
+ if checkyesno ${name}_svcj; then
+ # remove service jail
+ $JAIL_CMD -r svcj-${name} 2>/dev/null
+ fi
+
_run_rc_postcmd
;;
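Review bot: The new `$JAIL_CMD -r svcj-${name}` after `wait_for_pids` lacks the `[ "${_rc_svcj}" != jailing ]` guard that every other svcj branch in this diff carries, so when this default stop path is reached through the jail's `exec.stop` it presumably tries to remove the jail it is running in, and the `2>/dev/null` hides whatever happens. Suggest `if checkyesno ${name}_svcj && [ "${_rc_svcj}" != jailing ]; then`, and consider reporting a failed removal with `warn` instead of discarding it, since a lingering `svcj-${name}` makes the next `jail -c ... name=svcj-${name}` fail at start. The enclosing `stop)` arm starts before this hunk.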
Index: share/man/man5/rc.conf.5
===================================================================
--- share/man/man5/rc.conf.5
+++ share/man/man5/rc.conf.5
@@ -252,6 +252,19 @@
.It Ao Ar name Ac Ns Va _user
.Pq Vt str
Run the service under this user account.
+.It Ao Ar name Ac Ns Va _svcj
+.Pq Vt bool
+If set to
+.Dq Li YES ,
+auto-jail the service with inherited filesystem and other
+jail properties depending on
+.Ao Ar name Ac Ns Va _svcj_options .
+.It Ao Ar name Ac Ns Va _svcj_options
+.Pq Vt str
+A list of jail properties for the service.
+See
+.Sx SERVICE JAILS
+for a list of valid properties.
.It Va apm_enable
.Pq Vt bool
If set to
@@ -385,6 +398,12 @@
these are the flags to pass to the
.Xr powerd 8
daemon.
+.It Va svcj_all_enable
+Enable auto-jailing of all services which are not explicitely
+excluded.
+See
+.Sx SERVICE JAILS
+for more info.
.It Va tmpmfs
Controls the creation of a
.Pa /tmp
@@ -4912,6 +4931,94 @@
these are the flags to pass to the
.Xr sendmail 8
.El
+.Sh SERVICE JAILS
+The service jails part of the rc system automatically puts a service
+into a jail.
+This jail inherits the filesystem and various other parts of the
+parent (if you allow child-jails in your jails, service jails
+can be used in jails) depending on the content of the
+.Ao Ar name Ac Ns Va _svcj_options
+variable.
+Typically this variable is set inside rc scripts, but it can be
+overriden in the rc config.
+Valid options for
+.Ao Ar name Ac Ns Va _svcj_options
+are:
+.Bl -tag -width indent-two
+.It netv4
+Inherit the IPv4 address and allows to open reserved ports.
+This can not be combined with
+.Pa netv6 .
+.It netv6
+Inherit the IPv6 address and allows to open reserved ports.
+This can not be combined with
+.Pa netv4 .
+.It net_basic
+Inherits the IPv4 and IPv6 addresses and allows to open
+reserved ports.
+.It net_raw
+Allow to open raw sockets. This option can be combined with
+.Pa netv4 ,
+.Pa netv6 ,
+.Pa net_basic .
+.It net_all
+Inherits the IPv4 and IPv6 addresses, allows to open reserved
+ports, allows to open raw sockets, and allows to open sockets
+of protocol stacks that have not had jail functionality added
+to them.
+.It sysvipc
+Allows access to SysV semaphores, SysV shared memory and
+SysV messages.
+.It mlock
+Allows to lock memory pages into the physical memory.
+.It vmm
+Allows access to
+.Xr vmm 4 .
+This option is only available when
+.Xr vmm 4
+is enabled in the kernel.
+.El
+
+All non-network options can be combined with all other options.
+
+If the
+.Ao Ar name Ac Ns Va _svcj
+variable is set to
+.Dq Li YES ,
+this particular service is started in a
+service jail named
+.Va svcj- Ns Ar name Ac .
+
+The
+.Va svcj_all_enable
+variable allows to enable service jails for all services of the
+system at once.
+Services which have
+.Ao Ar name Ac Ns Va _svcj
+set to
+.Dq Li NO
+are excluded.
+Some services may set
+.Ao Ar name Ac Ns Va _svcj
+to
+.Dq Li NO
+in the script to either prevent service jails for this
+service at all, or may set it to
+.Dq Li NO
+if it is not set in the
+rc config, to exclude it from
+.Va svcj_all_enable
+but allow to explicitely enable it.
+The sshd service for example would not see other jails, if
+it would run as a service jail.
+This may or may not be what is needed, and as such it is
+excluded from
+.Va svcj_all_enable
+but can be enabled via setting
+.Va sshd_svcj
+to
+.Dq Li YES .
+.El
.Sh FILES
.Bl -tag -width "/etc/defaults/rc.conf" -compact
.It Pa /etc/defaults/rc.conf
