329 330#ifdef INET6 331 case IP__IP6_IFADDR: 332 argv = alloca(8 * sizeof(char *)); 333 *(const char **)&argv[0] = _PATH_IFCONFIG; 334 if ((cs = strchr(comstring->s, '|'))) { 335 argv[1] = alloca(cs - comstring->s + 1); 336 strlcpy(argv[1], comstring->s, cs - comstring->s + 1); 337 addr = cs + 1; 338 } else { 339 *(const char **)&argv[1] = 340 string_param(j->intparams[IP_INTERFACE]); 341 addr = comstring->s; 342 } 343 *(const char **)&argv[2] = "inet6"; 344 argv[3] = addr; 345 if (!(cs = strchr(addr, '/'))) { 346 *(const char **)&argv[4] = "prefixlen"; 347 *(const char **)&argv[5] = "128"; 348 argc = 6; 349 } else 350 argc = 4; 351 *(const char **)&argv[argc] = down ? "-alias" : "alias"; 352 argv[argc + 1] = NULL; 353 break; 354#endif 355 356 case IP_VNET_INTERFACE: 357 argv = alloca(5 * sizeof(char *)); 358 *(const char **)&argv[0] = _PATH_IFCONFIG; 359 argv[1] = comstring->s; 360 *(const char **)&argv[2] = down ? "-vnet" : "vnet"; 361 jidstr = string_param(j->intparams[KP_JID]); 362 *(const char **)&argv[3] = 363 jidstr ? jidstr : string_param(j->intparams[KP_NAME]); 364 argv[4] = NULL; 365 break; 366 367 case IP_MOUNT: 368 case IP__MOUNT_FROM_FSTAB: 369 argv = alloca(8 * sizeof(char *)); 370 comcs = alloca(comstring->len + 1); 371 strcpy(comcs, comstring->s); 372 argc = 0; 373 for (cs = strtok(comcs, " \t\f\v\r\n"); cs && argc < 4; 374 cs = strtok(NULL, " \t\f\v\r\n")) 375 argv[argc++] = cs; 376 if (argc == 0) 377 return 0; 378 if (argc < 3) { 379 jail_warnx(j, "%s: %s: missing information", 380 j->intparams[comparam]->name, comstring->s); 381 failed(j); 382 return -1; 383 } 384 if (check_path(j, j->intparams[comparam]->name, argv[1], 0, 385 down ? argv[2] : NULL) < 0) { 386 failed(j); 387 return -1; 388 } 389 if (down) { 390 argv[4] = NULL; 391 argv[3] = argv[1]; 392 *(const char **)&argv[0] = "/sbin/umount"; 393 } else { 394 if (argc == 4) { 395 argv[7] = NULL; 396 argv[6] = argv[1]; 397 argv[5] = argv[0]; 398 argv[4] = argv[3]; 399 *(const char **)&argv[3] = "-o"; 400 } else { 401 argv[5] = NULL; 402 argv[4] = argv[1]; 403 argv[3] = argv[0]; 404 } 405 *(const char **)&argv[0] = _PATH_MOUNT; 406 } 407 *(const char **)&argv[1] = "-t"; 408 break; 409 410 case IP_MOUNT_DEVFS: 411 path = string_param(j->intparams[KP_PATH]); 412 if (path == NULL) { 413 jail_warnx(j, "mount.devfs: no path"); 414 failed(j); 415 return -1; 416 } 417 devpath = alloca(strlen(path) + 5); 418 sprintf(devpath, "%s/dev", path); 419 if (check_path(j, "mount.devfs", devpath, 0, 420 down ? "devfs" : NULL) < 0) { 421 failed(j); 422 return -1; 423 } 424 if (down) { 425 argv = alloca(3 * sizeof(char *)); 426 *(const char **)&argv[0] = "/sbin/umount"; 427 argv[1] = devpath; 428 argv[2] = NULL; 429 } else { 430 argv = alloca(4 * sizeof(char *)); 431 *(const char **)&argv[0] = _PATH_BSHELL; 432 *(const char **)&argv[1] = "-c"; 433 ruleset = string_param(j->intparams 434 [IP_MOUNT_DEVFS_RULESET]); 435 argv[2] = alloca(strlen(path) + 436 (ruleset ? strlen(ruleset) + 1 : 0) + 56); 437 sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; " 438 "devfs_mount_jail %s/dev%s%s", path, 439 ruleset ? " " : "", ruleset ? ruleset : ""); 440 argv[3] = NULL; 441 } 442 break; 443 444 case IP_COMMAND: 445 if (j->name != NULL) 446 goto default_command; 447 argc = 0; 448 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) 449 argc++; 450 argv = alloca((argc + 1) * sizeof(char *)); 451 argc = 0; 452 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) 453 argv[argc++] = s->s; 454 argv[argc] = NULL; 455 j->comstring = NULL; 456 break; 457 458 default: 459 default_command: 460 if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) && 461 !(cs[0] == '&' && cs[1] == '\0')) { 462 argv = alloca(4 * sizeof(char *)); 463 *(const char **)&argv[0] = _PATH_BSHELL; 464 *(const char **)&argv[1] = "-c"; 465 argv[2] = comstring->s; 466 argv[3] = NULL; 467 } else { 468 if (cs) { 469 *cs = 0; 470 bg = 1; 471 } 472 comcs = alloca(comstring->len + 1); 473 strcpy(comcs, comstring->s); 474 argc = 0; 475 for (cs = strtok(comcs, " \t\f\v\r\n"); cs; 476 cs = strtok(NULL, " \t\f\v\r\n")) 477 argc++; 478 argv = alloca((argc + 1) * sizeof(char *)); 479 strcpy(comcs, comstring->s); 480 argc = 0; 481 for (cs = strtok(comcs, " \t\f\v\r\n"); cs; 482 cs = strtok(NULL, " \t\f\v\r\n")) 483 argv[argc++] = cs; 484 argv[argc] = NULL; 485 } 486 } 487 if (argv[0] == NULL) 488 return 0; 489 490 if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) && 491 timeout != 0) { 492 clock_gettime(CLOCK_REALTIME, &j->timeout); 493 j->timeout.tv_sec += timeout; 494 } else 495 j->timeout.tv_sec = 0; 496 497 injail = comparam == IP_EXEC_START || comparam == IP_COMMAND || 498 comparam == IP_EXEC_STOP; 499 clean = bool_param(j->intparams[IP_EXEC_CLEAN]); 500 username = string_param(j->intparams[injail 501 ? IP_EXEC_JAIL_USER : IP_EXEC_SYSTEM_USER]); 502 sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]); 503 504 consfd = 0; 505 if (injail && 506 (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) { 507 if (check_path(j, "exec.consolelog", conslog, 1, NULL) < 0) { 508 failed(j); 509 return -1; 510 } 511 consfd = 512 open(conslog, O_WRONLY | O_CREAT | O_APPEND, DEFFILEMODE); 513 if (consfd < 0) { 514 jail_warnx(j, "open %s: %s", conslog, strerror(errno)); 515 failed(j); 516 return -1; 517 } 518 } 519 520 comlen = 0; 521 for (i = 0; argv[i]; i++) 522 comlen += strlen(argv[i]) + 1; 523 j->comline = cs = emalloc(comlen); 524 for (i = 0; argv[i]; i++) { 525 strcpy(cs, argv[i]); 526 if (argv[i + 1]) { 527 cs += strlen(argv[i]) + 1; 528 cs[-1] = ' '; 529 } 530 } 531 if (verbose > 0) 532 jail_note(j, "run command%s%s%s: %s\n", 533 injail ? " in jail" : "", username ? " as " : "", 534 username ? username : "", j->comline); 535 536 pid = fork(); 537 if (pid < 0) 538 err(1, "fork"); 539 if (pid > 0) { 540 if (bg) { 541 free(j->comline); 542 j->comline = NULL; 543 requeue(j, &ready); 544 } else { 545 paralimit--; 546 add_proc(j, pid); 547 } 548 return 1; 549 } 550 if (bg) 551 setsid(); 552 553 /* Set up the environment and run the command */ 554 pwd = NULL; 555 lcap = NULL; 556 if ((clean || username) && injail && sjuser && 557 get_user_info(j, username, &pwd, &lcap) < 0) 558 exit(1); 559 if (injail) { 560 /* jail_attach won't chdir along with its chroot. */ 561 path = string_param(j->intparams[KP_PATH]); 562 if (path && chdir(path) < 0) { 563 jail_warnx(j, "chdir %s: %s", path, strerror(errno)); 564 exit(1); 565 } 566 if (int_param(j->intparams[IP_EXEC_FIB], &fib) && 567 setfib(fib) < 0) { 568 jail_warnx(j, "setfib: %s", strerror(errno)); 569 exit(1); 570 } 571 if (jail_attach(j->jid) < 0) { 572 jail_warnx(j, "jail_attach: %s", strerror(errno)); 573 exit(1); 574 } 575 } 576 if (clean || username) { 577 if (!(injail && sjuser) && 578 get_user_info(j, username, &pwd, &lcap) < 0) 579 exit(1); 580 if (clean) { 581 term = getenv("TERM"); 582 environ = &cleanenv; 583 setenv("PATH", "/bin:/usr/bin", 0); 584 setenv("TERM", term, 1); 585 } 586 if (setusercontext(lcap, pwd, pwd->pw_uid, username 587 ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN 588 : LOGIN_SETPATH | LOGIN_SETENV) < 0) { 589 jail_warnx(j, "setusercontext %s: %s", pwd->pw_name, 590 strerror(errno)); 591 exit(1); 592 } 593 login_close(lcap); 594 setenv("USER", pwd->pw_name, 1); 595 setenv("HOME", pwd->pw_dir, 1); 596 setenv("SHELL", 597 *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1); 598 if (clean && chdir(pwd->pw_dir) < 0) { 599 jail_warnx(j, "chdir %s: %s", 600 pwd->pw_dir, strerror(errno)); 601 exit(1); 602 } 603 endpwent(); 604 } 605 606 if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) { 607 jail_warnx(j, "exec.consolelog: %s", strerror(errno)); 608 exit(1); 609 } 610 closefrom(3); 611 execvp(argv[0], argv); 612 jail_warnx(j, "exec %s: %s", argv[0], strerror(errno)); 613 exit(1); 614} 615 616/* 617 * Add a process to the hash, tied to a jail. 618 */ 619static void 620add_proc(struct cfjail *j, pid_t pid) 621{ 622 struct kevent ke; 623 struct cfjail *tj; 624 struct phash *ph; 625 626 if (!kq && (kq = kqueue()) < 0) 627 err(1, "kqueue"); 628 EV_SET(&ke, pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL); 629 if (kevent(kq, &ke, 1, NULL, 0, NULL) < 0) 630 err(1, "kevent"); 631 ph = emalloc(sizeof(struct phash)); 632 ph->j = j; 633 ph->pid = pid; 634 LIST_INSERT_HEAD(&phash[pid % PHASH_SIZE], ph, le); 635 j->nprocs++; 636 j->flags |= JF_SLEEPQ; 637 if (j->timeout.tv_sec == 0) 638 requeue(j, &sleeping); 639 else { 640 /* File the jail in the sleep queue acording to its timeout. */ 641 TAILQ_REMOVE(j->queue, j, tq); 642 TAILQ_FOREACH(tj, &sleeping, tq) { 643 if (!tj->timeout.tv_sec || 644 j->timeout.tv_sec < tj->timeout.tv_sec || 645 (j->timeout.tv_sec == tj->timeout.tv_sec && 646 j->timeout.tv_nsec <= tj->timeout.tv_nsec)) { 647 TAILQ_INSERT_BEFORE(tj, j, tq); 648 break; 649 } 650 } 651 if (tj == NULL) 652 TAILQ_INSERT_TAIL(&sleeping, j, tq); 653 j->queue = &sleeping; 654 } 655} 656 657/* 658 * Remove any processes from the hash that correspond to a jail. 659 */ 660static void 661clear_procs(struct cfjail *j) 662{ 663 struct kevent ke; 664 struct phash *ph, *tph; 665 int i; 666 667 j->nprocs = 0; 668 for (i = 0; i < PHASH_SIZE; i++) 669 LIST_FOREACH_SAFE(ph, &phash[i], le, tph) 670 if (ph->j == j) { 671 EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE, 672 NOTE_EXIT, 0, NULL); 673 (void)kevent(kq, &ke, 1, NULL, 0, NULL); 674 LIST_REMOVE(ph, le); 675 free(ph); 676 } 677} 678 679/* 680 * Find the jail that corresponds to an exited process. 681 */ 682static struct cfjail * 683find_proc(pid_t pid) 684{ 685 struct cfjail *j; 686 struct phash *ph; 687 688 LIST_FOREACH(ph, &phash[pid % PHASH_SIZE], le) 689 if (ph->pid == pid) { 690 j = ph->j; 691 LIST_REMOVE(ph, le); 692 free(ph); 693 return --j->nprocs ? NULL : j; 694 } 695 return NULL; 696} 697 698/* 699 * Send SIGTERM to all processes in a jail and wait for them to die. 700 */ 701static int 702term_procs(struct cfjail *j) 703{ 704 struct kinfo_proc *ki; 705 int i, noted, pcnt, timeout; 706 707 static kvm_t *kd; 708 709 if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout)) 710 timeout = DEFAULT_STOP_TIMEOUT; 711 else if (timeout == 0) 712 return 0; 713 714 if (kd == NULL) { 715 kd = kvm_open(NULL, NULL, NULL, O_RDONLY, "jail"); 716 if (kd == NULL) 717 exit(1); 718 } 719 720 ki = kvm_getprocs(kd, KERN_PROC_PROC, 0, &pcnt); 721 if (ki == NULL) 722 exit(1); 723 noted = 0; 724 for (i = 0; i < pcnt; i++) 725 if (ki[i].ki_jid == j->jid && 726 kill(ki[i].ki_pid, SIGTERM) == 0) { 727 add_proc(j, ki[i].ki_pid); 728 if (verbose > 0) { 729 if (!noted) { 730 noted = 1; 731 jail_note(j, "sent SIGTERM to:"); 732 } 733 printf(" %d", ki[i].ki_pid); 734 } 735 } 736 if (noted) 737 printf("\n"); 738 if (j->nprocs > 0) { 739 clock_gettime(CLOCK_REALTIME, &j->timeout); 740 j->timeout.tv_sec += timeout; 741 return 1; 742 } 743 return 0; 744} 745 746/* 747 * Look up a user in the passwd and login.conf files. 748 */ 749static int 750get_user_info(struct cfjail *j, const char *username, 751 const struct passwd **pwdp, login_cap_t **lcapp) 752{ 753 const struct passwd *pwd; 754 755 *pwdp = pwd = username ? getpwnam(username) : getpwuid(getuid()); 756 if (pwd == NULL) { 757 if (errno) 758 jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "", 759 username ? username : "", strerror(errno)); 760 else if (username) 761 jail_warnx(j, "%s: no such user", username); 762 else 763 jail_warnx(j, "unknown uid %d", getuid()); 764 return -1; 765 } 766 *lcapp = login_getpwclass(pwd); 767 if (*lcapp == NULL) { 768 jail_warnx(j, "getpwclass %s: %s", pwd->pw_name, 769 strerror(errno)); 770 return -1; 771 } 772 /* Set the groups while the group file is still available */ 773 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) { 774 jail_warnx(j, "initgroups %s: %s", pwd->pw_name, 775 strerror(errno)); 776 return -1; 777 } 778 return 0; 779} 780 781/* 782 * Make sure a mount or consolelog path is a valid absolute pathname 783 * with no symlinks. 784 */ 785static int 786check_path(struct cfjail *j, const char *pname, const char *path, int isfile, 787 const char *umount_type) 788{ 789 struct stat st, mpst; 790 struct statfs stfs; 791 char *tpath, *p; 792 const char *jailpath; 793 size_t jplen; 794 795 if (path[0] != '/') { 796 jail_warnx(j, "%s: %s: not an absolute pathname", 797 pname, path); 798 return -1; 799 } 800 /* 801 * Only check for symlinks in components below the jail's path, 802 * since that's where the security risk lies. 803 */ 804 jailpath = string_param(j->intparams[KP_PATH]); 805 if (jailpath == NULL) 806 jailpath = ""; 807 jplen = strlen(jailpath); 808 if (!strncmp(path, jailpath, jplen) && path[jplen] == '/') { 809 tpath = alloca(strlen(path) + 1); 810 strcpy(tpath, path); 811 for (p = tpath + jplen; p != NULL; ) { 812 p = strchr(p + 1, '/'); 813 if (p) 814 *p = '\0'; 815 if (lstat(tpath, &st) < 0) { 816 if (errno == ENOENT && isfile && !p) 817 break; 818 jail_warnx(j, "%s: %s: %s", pname, tpath, 819 strerror(errno)); 820 return -1; 821 } 822 if (S_ISLNK(st.st_mode)) { 823 jail_warnx(j, "%s: %s is a symbolic link", 824 pname, tpath); 825 return -1; 826 } 827 if (p) 828 *p = '/'; 829 } 830 } 831 if (umount_type != NULL) { 832 if (stat(path, &st) < 0 || statfs(path, &stfs) < 0) { 833 jail_warnx(j, "%s: %s: %s", pname, path, 834 strerror(errno)); 835 return -1; 836 } 837 if (stat(stfs.f_mntonname, &mpst) < 0) { 838 jail_warnx(j, "%s: %s: %s", pname, stfs.f_mntonname, 839 strerror(errno)); 840 return -1; 841 } 842 if (st.st_ino != mpst.st_ino) { 843 jail_warnx(j, "%s: %s: not a mount point", 844 pname, path); 845 return -1; 846 } 847 if (strcmp(stfs.f_fstypename, umount_type)) { 848 jail_warnx(j, "%s: %s: not a %s mount", 849 pname, path, umount_type); 850 return -1; 851 } 852 } 853 return 0; 854}
| 334 335#ifdef INET6 336 case IP__IP6_IFADDR: 337 argv = alloca(8 * sizeof(char *)); 338 *(const char **)&argv[0] = _PATH_IFCONFIG; 339 if ((cs = strchr(comstring->s, '|'))) { 340 argv[1] = alloca(cs - comstring->s + 1); 341 strlcpy(argv[1], comstring->s, cs - comstring->s + 1); 342 addr = cs + 1; 343 } else { 344 *(const char **)&argv[1] = 345 string_param(j->intparams[IP_INTERFACE]); 346 addr = comstring->s; 347 } 348 *(const char **)&argv[2] = "inet6"; 349 argv[3] = addr; 350 if (!(cs = strchr(addr, '/'))) { 351 *(const char **)&argv[4] = "prefixlen"; 352 *(const char **)&argv[5] = "128"; 353 argc = 6; 354 } else 355 argc = 4; 356 *(const char **)&argv[argc] = down ? "-alias" : "alias"; 357 argv[argc + 1] = NULL; 358 break; 359#endif 360 361 case IP_VNET_INTERFACE: 362 argv = alloca(5 * sizeof(char *)); 363 *(const char **)&argv[0] = _PATH_IFCONFIG; 364 argv[1] = comstring->s; 365 *(const char **)&argv[2] = down ? "-vnet" : "vnet"; 366 jidstr = string_param(j->intparams[KP_JID]); 367 *(const char **)&argv[3] = 368 jidstr ? jidstr : string_param(j->intparams[KP_NAME]); 369 argv[4] = NULL; 370 break; 371 372 case IP_MOUNT: 373 case IP__MOUNT_FROM_FSTAB: 374 argv = alloca(8 * sizeof(char *)); 375 comcs = alloca(comstring->len + 1); 376 strcpy(comcs, comstring->s); 377 argc = 0; 378 for (cs = strtok(comcs, " \t\f\v\r\n"); cs && argc < 4; 379 cs = strtok(NULL, " \t\f\v\r\n")) 380 argv[argc++] = cs; 381 if (argc == 0) 382 return 0; 383 if (argc < 3) { 384 jail_warnx(j, "%s: %s: missing information", 385 j->intparams[comparam]->name, comstring->s); 386 failed(j); 387 return -1; 388 } 389 if (check_path(j, j->intparams[comparam]->name, argv[1], 0, 390 down ? argv[2] : NULL) < 0) { 391 failed(j); 392 return -1; 393 } 394 if (down) { 395 argv[4] = NULL; 396 argv[3] = argv[1]; 397 *(const char **)&argv[0] = "/sbin/umount"; 398 } else { 399 if (argc == 4) { 400 argv[7] = NULL; 401 argv[6] = argv[1]; 402 argv[5] = argv[0]; 403 argv[4] = argv[3]; 404 *(const char **)&argv[3] = "-o"; 405 } else { 406 argv[5] = NULL; 407 argv[4] = argv[1]; 408 argv[3] = argv[0]; 409 } 410 *(const char **)&argv[0] = _PATH_MOUNT; 411 } 412 *(const char **)&argv[1] = "-t"; 413 break; 414 415 case IP_MOUNT_DEVFS: 416 path = string_param(j->intparams[KP_PATH]); 417 if (path == NULL) { 418 jail_warnx(j, "mount.devfs: no path"); 419 failed(j); 420 return -1; 421 } 422 devpath = alloca(strlen(path) + 5); 423 sprintf(devpath, "%s/dev", path); 424 if (check_path(j, "mount.devfs", devpath, 0, 425 down ? "devfs" : NULL) < 0) { 426 failed(j); 427 return -1; 428 } 429 if (down) { 430 argv = alloca(3 * sizeof(char *)); 431 *(const char **)&argv[0] = "/sbin/umount"; 432 argv[1] = devpath; 433 argv[2] = NULL; 434 } else { 435 argv = alloca(4 * sizeof(char *)); 436 *(const char **)&argv[0] = _PATH_BSHELL; 437 *(const char **)&argv[1] = "-c"; 438 ruleset = string_param(j->intparams 439 [IP_MOUNT_DEVFS_RULESET]); 440 argv[2] = alloca(strlen(path) + 441 (ruleset ? strlen(ruleset) + 1 : 0) + 56); 442 sprintf(argv[2], ". /etc/rc.subr; load_rc_config .; " 443 "devfs_mount_jail %s/dev%s%s", path, 444 ruleset ? " " : "", ruleset ? ruleset : ""); 445 argv[3] = NULL; 446 } 447 break; 448 449 case IP_COMMAND: 450 if (j->name != NULL) 451 goto default_command; 452 argc = 0; 453 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) 454 argc++; 455 argv = alloca((argc + 1) * sizeof(char *)); 456 argc = 0; 457 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) 458 argv[argc++] = s->s; 459 argv[argc] = NULL; 460 j->comstring = NULL; 461 break; 462 463 default: 464 default_command: 465 if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) && 466 !(cs[0] == '&' && cs[1] == '\0')) { 467 argv = alloca(4 * sizeof(char *)); 468 *(const char **)&argv[0] = _PATH_BSHELL; 469 *(const char **)&argv[1] = "-c"; 470 argv[2] = comstring->s; 471 argv[3] = NULL; 472 } else { 473 if (cs) { 474 *cs = 0; 475 bg = 1; 476 } 477 comcs = alloca(comstring->len + 1); 478 strcpy(comcs, comstring->s); 479 argc = 0; 480 for (cs = strtok(comcs, " \t\f\v\r\n"); cs; 481 cs = strtok(NULL, " \t\f\v\r\n")) 482 argc++; 483 argv = alloca((argc + 1) * sizeof(char *)); 484 strcpy(comcs, comstring->s); 485 argc = 0; 486 for (cs = strtok(comcs, " \t\f\v\r\n"); cs; 487 cs = strtok(NULL, " \t\f\v\r\n")) 488 argv[argc++] = cs; 489 argv[argc] = NULL; 490 } 491 } 492 if (argv[0] == NULL) 493 return 0; 494 495 if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) && 496 timeout != 0) { 497 clock_gettime(CLOCK_REALTIME, &j->timeout); 498 j->timeout.tv_sec += timeout; 499 } else 500 j->timeout.tv_sec = 0; 501 502 injail = comparam == IP_EXEC_START || comparam == IP_COMMAND || 503 comparam == IP_EXEC_STOP; 504 clean = bool_param(j->intparams[IP_EXEC_CLEAN]); 505 username = string_param(j->intparams[injail 506 ? IP_EXEC_JAIL_USER : IP_EXEC_SYSTEM_USER]); 507 sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]); 508 509 consfd = 0; 510 if (injail && 511 (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) { 512 if (check_path(j, "exec.consolelog", conslog, 1, NULL) < 0) { 513 failed(j); 514 return -1; 515 } 516 consfd = 517 open(conslog, O_WRONLY | O_CREAT | O_APPEND, DEFFILEMODE); 518 if (consfd < 0) { 519 jail_warnx(j, "open %s: %s", conslog, strerror(errno)); 520 failed(j); 521 return -1; 522 } 523 } 524 525 comlen = 0; 526 for (i = 0; argv[i]; i++) 527 comlen += strlen(argv[i]) + 1; 528 j->comline = cs = emalloc(comlen); 529 for (i = 0; argv[i]; i++) { 530 strcpy(cs, argv[i]); 531 if (argv[i + 1]) { 532 cs += strlen(argv[i]) + 1; 533 cs[-1] = ' '; 534 } 535 } 536 if (verbose > 0) 537 jail_note(j, "run command%s%s%s: %s\n", 538 injail ? " in jail" : "", username ? " as " : "", 539 username ? username : "", j->comline); 540 541 pid = fork(); 542 if (pid < 0) 543 err(1, "fork"); 544 if (pid > 0) { 545 if (bg) { 546 free(j->comline); 547 j->comline = NULL; 548 requeue(j, &ready); 549 } else { 550 paralimit--; 551 add_proc(j, pid); 552 } 553 return 1; 554 } 555 if (bg) 556 setsid(); 557 558 /* Set up the environment and run the command */ 559 pwd = NULL; 560 lcap = NULL; 561 if ((clean || username) && injail && sjuser && 562 get_user_info(j, username, &pwd, &lcap) < 0) 563 exit(1); 564 if (injail) { 565 /* jail_attach won't chdir along with its chroot. */ 566 path = string_param(j->intparams[KP_PATH]); 567 if (path && chdir(path) < 0) { 568 jail_warnx(j, "chdir %s: %s", path, strerror(errno)); 569 exit(1); 570 } 571 if (int_param(j->intparams[IP_EXEC_FIB], &fib) && 572 setfib(fib) < 0) { 573 jail_warnx(j, "setfib: %s", strerror(errno)); 574 exit(1); 575 } 576 if (jail_attach(j->jid) < 0) { 577 jail_warnx(j, "jail_attach: %s", strerror(errno)); 578 exit(1); 579 } 580 } 581 if (clean || username) { 582 if (!(injail && sjuser) && 583 get_user_info(j, username, &pwd, &lcap) < 0) 584 exit(1); 585 if (clean) { 586 term = getenv("TERM"); 587 environ = &cleanenv; 588 setenv("PATH", "/bin:/usr/bin", 0); 589 setenv("TERM", term, 1); 590 } 591 if (setusercontext(lcap, pwd, pwd->pw_uid, username 592 ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN 593 : LOGIN_SETPATH | LOGIN_SETENV) < 0) { 594 jail_warnx(j, "setusercontext %s: %s", pwd->pw_name, 595 strerror(errno)); 596 exit(1); 597 } 598 login_close(lcap); 599 setenv("USER", pwd->pw_name, 1); 600 setenv("HOME", pwd->pw_dir, 1); 601 setenv("SHELL", 602 *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1); 603 if (clean && chdir(pwd->pw_dir) < 0) { 604 jail_warnx(j, "chdir %s: %s", 605 pwd->pw_dir, strerror(errno)); 606 exit(1); 607 } 608 endpwent(); 609 } 610 611 if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) { 612 jail_warnx(j, "exec.consolelog: %s", strerror(errno)); 613 exit(1); 614 } 615 closefrom(3); 616 execvp(argv[0], argv); 617 jail_warnx(j, "exec %s: %s", argv[0], strerror(errno)); 618 exit(1); 619} 620 621/* 622 * Add a process to the hash, tied to a jail. 623 */ 624static void 625add_proc(struct cfjail *j, pid_t pid) 626{ 627 struct kevent ke; 628 struct cfjail *tj; 629 struct phash *ph; 630 631 if (!kq && (kq = kqueue()) < 0) 632 err(1, "kqueue"); 633 EV_SET(&ke, pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL); 634 if (kevent(kq, &ke, 1, NULL, 0, NULL) < 0) 635 err(1, "kevent"); 636 ph = emalloc(sizeof(struct phash)); 637 ph->j = j; 638 ph->pid = pid; 639 LIST_INSERT_HEAD(&phash[pid % PHASH_SIZE], ph, le); 640 j->nprocs++; 641 j->flags |= JF_SLEEPQ; 642 if (j->timeout.tv_sec == 0) 643 requeue(j, &sleeping); 644 else { 645 /* File the jail in the sleep queue acording to its timeout. */ 646 TAILQ_REMOVE(j->queue, j, tq); 647 TAILQ_FOREACH(tj, &sleeping, tq) { 648 if (!tj->timeout.tv_sec || 649 j->timeout.tv_sec < tj->timeout.tv_sec || 650 (j->timeout.tv_sec == tj->timeout.tv_sec && 651 j->timeout.tv_nsec <= tj->timeout.tv_nsec)) { 652 TAILQ_INSERT_BEFORE(tj, j, tq); 653 break; 654 } 655 } 656 if (tj == NULL) 657 TAILQ_INSERT_TAIL(&sleeping, j, tq); 658 j->queue = &sleeping; 659 } 660} 661 662/* 663 * Remove any processes from the hash that correspond to a jail. 664 */ 665static void 666clear_procs(struct cfjail *j) 667{ 668 struct kevent ke; 669 struct phash *ph, *tph; 670 int i; 671 672 j->nprocs = 0; 673 for (i = 0; i < PHASH_SIZE; i++) 674 LIST_FOREACH_SAFE(ph, &phash[i], le, tph) 675 if (ph->j == j) { 676 EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE, 677 NOTE_EXIT, 0, NULL); 678 (void)kevent(kq, &ke, 1, NULL, 0, NULL); 679 LIST_REMOVE(ph, le); 680 free(ph); 681 } 682} 683 684/* 685 * Find the jail that corresponds to an exited process. 686 */ 687static struct cfjail * 688find_proc(pid_t pid) 689{ 690 struct cfjail *j; 691 struct phash *ph; 692 693 LIST_FOREACH(ph, &phash[pid % PHASH_SIZE], le) 694 if (ph->pid == pid) { 695 j = ph->j; 696 LIST_REMOVE(ph, le); 697 free(ph); 698 return --j->nprocs ? NULL : j; 699 } 700 return NULL; 701} 702 703/* 704 * Send SIGTERM to all processes in a jail and wait for them to die. 705 */ 706static int 707term_procs(struct cfjail *j) 708{ 709 struct kinfo_proc *ki; 710 int i, noted, pcnt, timeout; 711 712 static kvm_t *kd; 713 714 if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout)) 715 timeout = DEFAULT_STOP_TIMEOUT; 716 else if (timeout == 0) 717 return 0; 718 719 if (kd == NULL) { 720 kd = kvm_open(NULL, NULL, NULL, O_RDONLY, "jail"); 721 if (kd == NULL) 722 exit(1); 723 } 724 725 ki = kvm_getprocs(kd, KERN_PROC_PROC, 0, &pcnt); 726 if (ki == NULL) 727 exit(1); 728 noted = 0; 729 for (i = 0; i < pcnt; i++) 730 if (ki[i].ki_jid == j->jid && 731 kill(ki[i].ki_pid, SIGTERM) == 0) { 732 add_proc(j, ki[i].ki_pid); 733 if (verbose > 0) { 734 if (!noted) { 735 noted = 1; 736 jail_note(j, "sent SIGTERM to:"); 737 } 738 printf(" %d", ki[i].ki_pid); 739 } 740 } 741 if (noted) 742 printf("\n"); 743 if (j->nprocs > 0) { 744 clock_gettime(CLOCK_REALTIME, &j->timeout); 745 j->timeout.tv_sec += timeout; 746 return 1; 747 } 748 return 0; 749} 750 751/* 752 * Look up a user in the passwd and login.conf files. 753 */ 754static int 755get_user_info(struct cfjail *j, const char *username, 756 const struct passwd **pwdp, login_cap_t **lcapp) 757{ 758 const struct passwd *pwd; 759 760 *pwdp = pwd = username ? getpwnam(username) : getpwuid(getuid()); 761 if (pwd == NULL) { 762 if (errno) 763 jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "", 764 username ? username : "", strerror(errno)); 765 else if (username) 766 jail_warnx(j, "%s: no such user", username); 767 else 768 jail_warnx(j, "unknown uid %d", getuid()); 769 return -1; 770 } 771 *lcapp = login_getpwclass(pwd); 772 if (*lcapp == NULL) { 773 jail_warnx(j, "getpwclass %s: %s", pwd->pw_name, 774 strerror(errno)); 775 return -1; 776 } 777 /* Set the groups while the group file is still available */ 778 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) { 779 jail_warnx(j, "initgroups %s: %s", pwd->pw_name, 780 strerror(errno)); 781 return -1; 782 } 783 return 0; 784} 785 786/* 787 * Make sure a mount or consolelog path is a valid absolute pathname 788 * with no symlinks. 789 */ 790static int 791check_path(struct cfjail *j, const char *pname, const char *path, int isfile, 792 const char *umount_type) 793{ 794 struct stat st, mpst; 795 struct statfs stfs; 796 char *tpath, *p; 797 const char *jailpath; 798 size_t jplen; 799 800 if (path[0] != '/') { 801 jail_warnx(j, "%s: %s: not an absolute pathname", 802 pname, path); 803 return -1; 804 } 805 /* 806 * Only check for symlinks in components below the jail's path, 807 * since that's where the security risk lies. 808 */ 809 jailpath = string_param(j->intparams[KP_PATH]); 810 if (jailpath == NULL) 811 jailpath = ""; 812 jplen = strlen(jailpath); 813 if (!strncmp(path, jailpath, jplen) && path[jplen] == '/') { 814 tpath = alloca(strlen(path) + 1); 815 strcpy(tpath, path); 816 for (p = tpath + jplen; p != NULL; ) { 817 p = strchr(p + 1, '/'); 818 if (p) 819 *p = '\0'; 820 if (lstat(tpath, &st) < 0) { 821 if (errno == ENOENT && isfile && !p) 822 break; 823 jail_warnx(j, "%s: %s: %s", pname, tpath, 824 strerror(errno)); 825 return -1; 826 } 827 if (S_ISLNK(st.st_mode)) { 828 jail_warnx(j, "%s: %s is a symbolic link", 829 pname, tpath); 830 return -1; 831 } 832 if (p) 833 *p = '/'; 834 } 835 } 836 if (umount_type != NULL) { 837 if (stat(path, &st) < 0 || statfs(path, &stfs) < 0) { 838 jail_warnx(j, "%s: %s: %s", pname, path, 839 strerror(errno)); 840 return -1; 841 } 842 if (stat(stfs.f_mntonname, &mpst) < 0) { 843 jail_warnx(j, "%s: %s: %s", pname, stfs.f_mntonname, 844 strerror(errno)); 845 return -1; 846 } 847 if (st.st_ino != mpst.st_ino) { 848 jail_warnx(j, "%s: %s: not a mount point", 849 pname, path); 850 return -1; 851 } 852 if (strcmp(stfs.f_fstypename, umount_type)) { 853 jail_warnx(j, "%s: %s: not a %s mount", 854 pname, path, umount_type); 855 return -1; 856 } 857 } 858 return 0; 859}
|