7 # REQUIRE: LOGIN cleanvar
9 # KEYWORD: nojail shutdown
11 # WARNING: This script deals with untrusted data (the data and
12 # processes inside the jails) and care must be taken when changing the
13 # code related to this! If you have any doubt whether a change is
14 # correct and have security impact, please get the patch reviewed by
15 # the FreeBSD Security Team prior to commit.
22 start_precmd="jail_prestart"
23 start_cmd="jail_start"
27 # Initialize the various jail variables for jail _j.
34 warn "init_variables: you must specify a jail"
38 eval _rootdir=\"\$jail_${_j}_rootdir\"
39 _devdir="${_rootdir}/dev"
40 _fdescdir="${_devdir}/fd"
41 _procdir="${_rootdir}/proc"
42 eval _hostname=\"\$jail_${_j}_hostname\"
43 eval _ip=\"\$jail_${_j}_ip\"
44 eval _interface=\"\${jail_${_j}_interface:-${jail_interface}}\"
45 eval _exec=\"\$jail_${_j}_exec\"
49 eval _exec_prestart${i}=\"\${jail_${_j}_exec_prestart${i}:-\${jail_exec_prestart${i}}}\"
50 [ -z "$(eval echo \"\$_exec_prestart${i}\")" ] && break
54 eval _exec_start=\"\${jail_${_j}_exec_start:-${jail_exec_start}}\"
58 eval _exec_afterstart${i}=\"\${jail_${_j}_exec_afterstart${i}:-\${jail_exec_afterstart${i}}}\"
59 [ -z "$(eval echo \"\$_exec_afterstart${i}\")" ] && break
65 eval _exec_poststart${i}=\"\${jail_${_j}_exec_poststart${i}:-\${jail_exec_poststart${i}}}\"
66 [ -z "$(eval echo \"\$_exec_poststart${i}\")" ] && break
72 eval _exec_prestop${i}=\"\${jail_${_j}_exec_prestop${i}:-\${jail_exec_prestop${i}}}\"
73 [ -z "$(eval echo \"\$_exec_prestop${i}\")" ] && break
77 eval _exec_stop=\"\${jail_${_j}_exec_stop:-${jail_exec_stop}}\"
81 eval _exec_poststop${i}=\"\${jail_${_j}_exec_poststop${i}:-\${jail_exec_poststop${i}}}\"
82 [ -z "$(eval echo \"\$_exec_poststop${i}\")" ] && break
86 if [ -n "${_exec}" ]; then
87 # simple/backward-compatible execution
88 _exec_start="${_exec}"
92 if [ -z "${_exec_start}" ]; then
93 _exec_start="/bin/sh /etc/rc"
94 if [ -z "${_exec_stop}" ]; then
95 _exec_stop="/bin/sh /etc/rc.shutdown"
100 # The default jail ruleset will be used by rc.subr if none is specified.
101 eval _ruleset=\"\${jail_${_j}_devfs_ruleset:-${jail_devfs_ruleset}}\"
102 eval _devfs=\"\${jail_${_j}_devfs_enable:-${jail_devfs_enable}}\"
103 [ -z "${_devfs}" ] && _devfs="NO"
104 eval _fdescfs=\"\${jail_${_j}_fdescfs_enable:-${jail_fdescfs_enable}}\"
105 [ -z "${_fdescfs}" ] && _fdescfs="NO"
106 eval _procfs=\"\${jail_${_j}_procfs_enable:-${jail_procfs_enable}}\"
107 [ -z "${_procfs}" ] && _procfs="NO"
109 eval _mount=\"\${jail_${_j}_mount_enable:-${jail_mount_enable}}\"
110 [ -z "${_mount}" ] && _mount="NO"
111 # "/etc/fstab.${_j}" will be used for {,u}mount(8) if none is specified.
112 eval _fstab=\"\${jail_${_j}_fstab:-${jail_fstab}}\"
113 [ -z "${_fstab}" ] && _fstab="/etc/fstab.${_j}"
114 eval _flags=\"\${jail_${_j}_flags:-${jail_flags}}\"
115 [ -z "${_flags}" ] && _flags="-l -U root"
116 eval _consolelog=\"\${jail_${_j}_consolelog:-${jail_consolelog}}\"
117 [ -z "${_consolelog}" ] && _consolelog="/var/log/jail_${_j}_console.log"
118 eval _fib=\"\${jail_${_j}_fib:-${jail_fib}}\"
122 debug "$_j devfs enable: $_devfs"
123 debug "$_j fdescfs enable: $_fdescfs"
124 debug "$_j procfs enable: $_procfs"
125 debug "$_j mount enable: $_mount"
126 debug "$_j hostname: $_hostname"
128 jail_show_addresses ${_j}
129 debug "$_j interface: $_interface"
130 debug "$_j fib: $_fib"
131 debug "$_j root: $_rootdir"
132 debug "$_j devdir: $_devdir"
133 debug "$_j fdescdir: $_fdescdir"
134 debug "$_j procdir: $_procdir"
135 debug "$_j ruleset: $_ruleset"
136 debug "$_j fstab: $_fstab"
140 eval out=\"\${_exec_prestart${i}:-''}\"
141 if [ -z "$out" ]; then
144 debug "$_j exec pre-start #${i}: ${out}"
148 debug "$_j exec start: $_exec_start"
152 eval out=\"\${_exec_afterstart${i}:-''}\"
154 if [ -z "$out" ]; then
158 debug "$_j exec after start #${i}: ${out}"
164 eval out=\"\${_exec_poststart${i}:-''}\"
165 if [ -z "$out" ]; then
168 debug "$_j exec post-start #${i}: ${out}"
174 eval out=\"\${_exec_prestop${i}:-''}\"
175 if [ -z "$out" ]; then
178 debug "$_j exec pre-stop #${i}: ${out}"
182 debug "$_j exec stop: $_exec_stop"
186 eval out=\"\${_exec_poststop${i}:-''}\"
187 if [ -z "$out" ]; then
190 debug "$_j exec post-stop #${i}: ${out}"
194 debug "$_j flags: $_flags"
195 debug "$_j consolelog: $_consolelog"
197 if [ -z "${_hostname}" ]; then
198 err 3 "$name: No hostname has been defined for ${_j}"
200 if [ -z "${_rootdir}" ]; then
201 err 3 "$name: No root directory has been defined for ${_j}"
205 # set_sysctl rc_knob mib msg
206 # If the mib sysctl is set according to what rc_knob
207 # specifies, this function does nothing. However if
208 # rc_knob is set differently than mib, then the mib
209 # is set accordingly and msg is displayed followed by
210 # an '=" sign and the word 'YES' or 'NO'.
218 _current=`${SYSCTL} -n $_mib 2>/dev/null`
219 if checkyesno $_knob ; then
220 if [ "$_current" -ne 1 ]; then
221 echo -n " ${_msg}=YES"
222 ${SYSCTL} 1>/dev/null ${_mib}=1
225 if [ "$_current" -ne 0 ]; then
226 echo -n " ${_msg}=NO"
227 ${SYSCTL} 1>/dev/null ${_mib}=0
232 # is_current_mountpoint()
233 # Is the directory mount point for a currently mounted file
236 is_current_mountpoint()
242 _dir=`echo $_dir | sed -Ee 's#//+#/#g' -e 's#/$##'`
243 [ ! -d "${_dir}" ] && return 1
244 _dir2=`df ${_dir} | tail +2 | awk '{ print $6 }'`
245 [ "${_dir}" = "${_dir2}" ]
249 # is_symlinked_mountpoint()
250 # Is a mount point, or any of its parent directories, a symlink?
252 is_symlinked_mountpoint()
258 [ -L "$_dir" ] && return 0
259 [ "$_dir" = "/" ] && return 1
260 is_symlinked_mountpoint `dirname $_dir`
265 # Try to unmount a mount point without being vulnerable to
274 if is_current_mountpoint ${_dir}; then
275 umount -f ${_dir} >/dev/null 2>&1
277 debug "Nothing mounted on ${_dir} - not unmounting"
283 # This function unmounts certain special filesystems in the
284 # currently selected jail. The caller must call the init_variables()
285 # routine before calling this one.
289 local _device _mountpt _rest
291 if checkyesno _fdescfs; then
292 if [ -d "${_fdescdir}" ] ; then
293 secure_umount ${_fdescdir}
296 if checkyesno _devfs; then
297 if [ -d "${_devdir}" ] ; then
298 secure_umount ${_devdir}
301 if checkyesno _procfs; then
302 if [ -d "${_procdir}" ] ; then
303 secure_umount ${_procdir}
306 if checkyesno _mount; then
307 [ -f "${_fstab}" ] || warn "${_fstab} does not exist"
308 tail -r ${_fstab} | while read _device _mountpt _rest; do
309 case ":${_device}" in
314 secure_umount ${_mountpt}
320 # Mount file systems from a per jail fstab while trying to
321 # secure against symlink attacks at the mount points.
323 # If we are certain we cannot secure against symlink attacks we
324 # do not mount all of the file systems (since we cannot just not
325 # mount the file system with the problematic mount point).
327 # The caller must call the init_variables() routine before
332 local _device _mountpt _rest
334 while read _device _mountpt _rest; do
335 case ":${_device}" in
340 if is_symlinked_mountpoint ${_mountpt}; then
341 warn "${_mountpt} has symlink as parent - not mounting from ${_fstab}"
345 mount -a -F "${_fstab}"
348 # jail_show_addresses jail
349 # Debug print the input for the given _multi aliases
350 # for a jail for init_variables().
352 jail_show_addresses()
358 if [ -z "${_j}" ]; then
359 warn "jail_show_addresses: you must specify a jail"
364 eval _addr=\"\$jail_${_j}_ip_multi${alias}\"
365 if [ -n "${_addr}" ]; then
366 debug "${_j} ip_multi${alias}: $_addr"
367 alias=$((${alias} + 1))
374 # jail_extract_address argument
375 # The second argument is the string from one of the _ip
376 # or the _multi variables. In case of a comma separated list
377 # only one argument must be passed in at a time.
378 # The function alters the _type, _iface, _addr and _mask variables.
380 jail_extract_address()
385 if [ -z "${_i}" ]; then
386 warn "jail_extract_address: called without input"
390 # Check if we have an interface prefix given and split into
393 *\|*) # ifN|.. prefix there
402 # In case the IP has no interface given, check if we have a global one.
403 _iface=${_iface:-${_interface}}
405 # Set address, cut off any prefix/netmask/prefixlen.
407 _addr=${_addr%%[/ ]*}
409 # Theoretically we can return here if interface is not set,
410 # as we only care about the _mask if we call ifconfig.
411 # This is not done because we may want to santize IP addresses
412 # based on _type later, and optionally change the type as well.
414 # Extract the prefix/netmask/prefixlen part by cutting off the address.
416 _mask=`expr "${_mask}" : "${_addr}\(.*\)"`
418 # Identify type {inet,inet6}.
420 *\.*\.*\.*) _type="inet" ;;
421 *:*) _type="inet6" ;;
422 *) warn "jail_extract_address: type not identified"
426 # Handle the special /netmask instead of /prefix or
427 # "netmask xxx" case for legacy IP.
428 # We do NOT support shortend class-full netmasks.
429 if [ "${_type}" = "inet" ]; then
431 /*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;;
435 # In case _mask is still not set use /32.
438 elif [ "${_type}" = "inet6" ]; then
439 # In case _maske is not set for IPv6, use /128.
444 # jail_handle_ips_option {add,del} input
445 # Handle a single argument imput which can be a comma separated
446 # list of addresses (theoretically with an option interface and
447 # prefix/netmask/prefixlen).
449 jail_handle_ips_option()
451 local _x _action _type _i
455 if [ -z "${_x}" ]; then
456 # No IP given. This can happen for the primary address
457 # of each address family.
461 # Loop, in case we find a comma separated list, we need to handle
462 # each argument on its own.
463 while [ ${#_x} -gt 0 ]; do
465 *,*) # Extract the first argument and strip it off the list.
466 _i=`expr "${_x}" : '^\([^,]*\)'`
467 _x=`expr "${_x}" : "^[^,]*,\(.*\)"`
478 jail_extract_address "${_i}"
480 # make sure we got an address.
486 # Append address to list of addresses for the jail command.
488 "") _addrl="${_addr}" ;;
489 *) _addrl="${_addrl},${_addr}" ;;
492 # Configure interface alias if requested by a given interface
493 # and if we could correctly parse everything.
500 *) warn "Could not determine address family. Not going" \
501 "to ${_action} address '${_addr}' for ${_jail}."
506 add) ifconfig ${_iface} ${_type} ${_addr}${_mask} alias
508 del) # When removing the IP, ignore the _mask.
509 ifconfig ${_iface} ${_type} ${_addr} -alias
516 # Extract the comma separated list of addresses and return them
517 # for the jail command.
518 # Handle more than one address via the _multi option as well.
519 # If an interface is given also add/remove an alias for the
520 # address with an optional netmask.
530 *) warn "jail_ips: invalid action '${_action}'"
536 jail_handle_ips_option ${_action} "${_ip}"
537 # Handle jail_xxx_ip_multi<N>
540 eval _x=\"\$jail_${_jail}_ip_multi${alias}\"
543 *) jail_handle_ips_option ${_action} "${_x}"
544 alias=$((${alias} + 1))
552 if checkyesno jail_parallel_start; then
559 echo -n 'Configuring jails:'
560 set_sysctl jail_set_hostname_allow security.jail.set_hostname_allowed \
562 set_sysctl jail_socket_unixiproute_only \
563 security.jail.socket_unixiproute_only unixiproute_only
564 set_sysctl jail_sysvipc_allow security.jail.sysvipc_allowed \
568 echo -n 'Starting jails:'
569 _tmp_dir=`mktemp -d /tmp/jail.XXXXXXXX` || \
570 err 3 "$name: Can't create temp dir, exiting..."
571 for _jail in ${jail_list}
573 init_variables $_jail
574 if [ -f /var/run/jail_${_jail}.id ]; then
575 echo -n " [${_hostname} already running (/var/run/jail_${_jail}.id exists)]"
580 if [ -n "${_fib}" ]; then
581 _setfib="setfib -F '${_fib}'"
585 if checkyesno _mount; then
586 info "Mounting fstab for jail ${_jail} (${_fstab})"
587 if [ ! -f "${_fstab}" ]; then
588 err 3 "$name: ${_fstab} does not exist"
592 if checkyesno _devfs; then
593 # If devfs is already mounted here, skip it.
594 df -t devfs "${_devdir}" >/dev/null
595 if [ $? -ne 0 ]; then
596 if is_symlinked_mountpoint ${_devdir}; then
597 warn "${_devdir} has symlink as parent - not starting jail ${_jail}"
600 info "Mounting devfs on ${_devdir}"
601 devfs_mount_jail "${_devdir}" ${_ruleset}
602 # Transitional symlink for old binaries
603 if [ ! -L "${_devdir}/log" ]; then
606 ln -sf ../var/run/log log
611 # XXX - It seems symlinks don't work when there
612 # is a devfs(5) device of the same name.
613 # Jail console output
616 # ln -sf ../var/log/console console
619 if checkyesno _fdescfs; then
620 if is_symlinked_mountpoint ${_fdescdir}; then
621 warn "${_fdescdir} has symlink as parent, not mounting"
623 info "Mounting fdescfs on ${_fdescdir}"
624 mount -t fdescfs fdesc "${_fdescdir}"
627 if checkyesno _procfs; then
628 if is_symlinked_mountpoint ${_procdir}; then
629 warn "${_procdir} has symlink as parent, not mounting"
631 info "Mounting procfs onto ${_procdir}"
632 if [ -d "${_procdir}" ] ; then
633 mount -t procfs proc "${_procdir}"
637 _tmp_jail=${_tmp_dir}/jail.$$
641 eval out=\"\${_exec_prestart${i}:-''}\"
642 [ -z "$out" ] && break
647 eval ${_setfib} jail ${_flags} -i ${_rootdir} ${_hostname} \
648 \"${_addrl}\" ${_exec_start} > ${_tmp_jail} 2>&1 \
651 if [ "$?" -eq 0 ] ; then
652 _jail_id=$(head -1 ${_tmp_jail})
655 eval out=\"\${_exec_afterstart${i}:-''}\"
657 if [ -z "$out" ]; then
661 jexec "${_jail_id}" ${out}
665 echo -n " $_hostname"
666 tail +2 ${_tmp_jail} >${_consolelog}
667 echo ${_jail_id} > /var/run/jail_${_jail}.id
671 eval out=\"\${_exec_poststart${i}:-''}\"
672 [ -z "$out" ] && break
679 echo " cannot start jail \"${_jail}\": "
690 echo -n 'Stopping jails:'
691 for _jail in ${jail_list}
693 if [ -f "/var/run/jail_${_jail}.id" ]; then
694 _jail_id=$(cat /var/run/jail_${_jail}.id)
695 if [ ! -z "${_jail_id}" ]; then
696 init_variables $_jail
700 eval out=\"\${_exec_prestop${i}:-''}\"
701 [ -z "$out" ] && break
706 if [ -n "${_exec_stop}" ]; then
707 eval env -i /usr/sbin/jexec ${_jail_id} ${_exec_stop} \
708 >> ${_consolelog} 2>&1
710 killall -j ${_jail_id} -TERM > /dev/null 2>&1
712 killall -j ${_jail_id} -KILL > /dev/null 2>&1
714 echo -n " $_hostname"
718 eval out=\"\${_exec_poststop${i}:-''}\"
719 [ -z "$out" ] && break
725 rm /var/run/jail_${_jail}.id
727 echo " cannot stop jail ${_jail}. No jail id in /var/run"
735 if [ $# -gt 0 ]; then
742 run_rc_command "${cmd}"
projects / FreeBSD / releng / 9.0.git / blob