1/*-
2 * Copyright (c) 2010 James Gritton
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
| 1/*-
2 * Copyright (c) 2010 James Gritton
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
|
28__FBSDID("$FreeBSD: projects/jailconf/usr.sbin/jail/config.c 214117 2010-10-20 20:42:33Z jamie $");
| 28__FBSDID("$FreeBSD: projects/jailconf/usr.sbin/jail/config.c 214423 2010-10-27 16:22:54Z jamie $");
|
29
30#include <sys/types.h>
31#include <sys/socket.h>
32#include <sys/sysctl.h>
33
34#include <arpa/inet.h>
35#include <netinet/in.h>
36
37#include <err.h>
38#include <netdb.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42
43#include "jailp.h"
44
45struct ipspec {
46 const char *name;
| 29
30#include <sys/types.h>
31#include <sys/socket.h>
32#include <sys/sysctl.h>
33
34#include <arpa/inet.h>
35#include <netinet/in.h>
36
37#include <err.h>
38#include <netdb.h>
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
42
43#include "jailp.h"
44
45struct ipspec {
46 const char *name;
|
47 enum intparam ipnum;
| |
48 unsigned flags;
49};
50
51extern FILE *yyin;
52extern int yynerrs;
53
54struct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails);
55
| 47 unsigned flags;
48};
49
50extern FILE *yyin;
51extern int yynerrs;
52
53struct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails);
54
|
56static int cmp_intparam(const void *a, const void *b);
| |
57static void free_param(struct cfparams *pp, struct cfparam *p);
58static void free_param_strings(struct cfparam *p);
59
| 55static void free_param(struct cfparams *pp, struct cfparam *p);
56static void free_param_strings(struct cfparam *p);
57
|
60/* Note these must be in sort order */
| |
61static const struct ipspec intparams[] = {
| 58static const struct ipspec intparams[] = {
|
62 {"allow.dying", IP_ALLOW_DYING, PF_INTERNAL | PF_BOOL },
63 {"allow.nodying", IP_ALLOW_DYING, PF_INTERNAL | PF_BOOL },
64 {"command", IP_COMMAND, PF_INTERNAL },
65 {"depend", IP_DEPEND, PF_INTERNAL },
66 {"exec.clean", IP_EXEC_CLEAN, PF_INTERNAL | PF_BOOL },
67 {"exec.consolelog", IP_EXEC_CONSOLELOG, PF_INTERNAL },
68 {"exec.fib", IP_EXEC_FIB, PF_INTERNAL | PF_INT },
69 {"exec.jail_user", IP_EXEC_JAIL_USER, PF_INTERNAL },
70 {"exec.noclean", IP_EXEC_CLEAN, PF_INTERNAL | PF_BOOL },
71 {"exec.nosystem_jail_user",IP_EXEC_SYSTEM_JAIL_USER,PF_INTERNAL | PF_BOOL },
72 {"exec.poststart", IP_EXEC_POSTSTART, PF_INTERNAL },
73 {"exec.poststop", IP_EXEC_POSTSTOP, PF_INTERNAL },
74 {"exec.prestart", IP_EXEC_PRESTART, PF_INTERNAL },
75 {"exec.prestop", IP_EXEC_PRESTOP, PF_INTERNAL },
76 {"exec.start", IP_EXEC_START, PF_INTERNAL },
77 {"exec.stop", IP_EXEC_STOP, PF_INTERNAL },
78 {"exec.system_jail_user", IP_EXEC_SYSTEM_JAIL_USER, PF_INTERNAL | PF_BOOL },
79 {"exec.system_user", IP_EXEC_SYSTEM_USER, PF_INTERNAL },
80 {"exec.timeout", IP_EXEC_TIMEOUT, PF_INTERNAL | PF_INT },
81 {"host.hostname", KP_HOSTNAME, 0 },
82 {"interface", IP_INTERFACE, PF_INTERNAL },
83 {"ip4.addr", KP_IP4_ADDR, 0 },
| 59 [IP_ALLOW_DYING] = {"allow.dying", PF_INTERNAL | PF_BOOL},
60 [IP_COMMAND] = {"command", PF_INTERNAL},
61 [IP_DEPEND] = {"depend", PF_INTERNAL},
62 [IP_EXEC_CLEAN] = {"exec.clean", PF_INTERNAL | PF_BOOL},
63 [IP_EXEC_CONSOLELOG] = {"exec.consolelog", PF_INTERNAL},
64 [IP_EXEC_FIB] = {"exec.fib", PF_INTERNAL | PF_INT},
65 [IP_EXEC_JAIL_USER] = {"exec.jail_user", PF_INTERNAL},
66 [IP_EXEC_POSTSTART] = {"exec.poststart", PF_INTERNAL},
67 [IP_EXEC_POSTSTOP] = {"exec.poststop", PF_INTERNAL},
68 [IP_EXEC_PRESTART] = {"exec.prestart", PF_INTERNAL},
69 [IP_EXEC_PRESTOP] = {"exec.prestop", PF_INTERNAL},
70 [IP_EXEC_START] = {"exec.start", PF_INTERNAL},
71 [IP_EXEC_STOP] = {"exec.stop", PF_INTERNAL},
72 [IP_EXEC_SYSTEM_JAIL_USER]= {"exec.system_jail_user",
73 PF_INTERNAL | PF_BOOL},
74 [IP_EXEC_SYSTEM_USER] = {"exec.system_user", PF_INTERNAL},
75 [IP_EXEC_TIMEOUT] = {"exec.timeout", PF_INTERNAL | PF_INT},
76 [IP_INTERFACE] = {"interface", PF_INTERNAL},
77 [IP_IP_HOSTNAME] = {"ip_hostname", PF_INTERNAL | PF_BOOL},
78 [IP_MOUNT] = {"mount", PF_INTERNAL},
79 [IP_MOUNT_DEVFS] = {"mount.devfs", PF_INTERNAL | PF_BOOL},
80 [IP_MOUNT_DEVFS_RULESET]= {"mount.devfs.ruleset", PF_INTERNAL},
81 [IP_MOUNT_FSTAB] = {"mount.fstab", PF_INTERNAL},
82 [IP_STOP_TIMEOUT] = {"stop.timeout", PF_INTERNAL | PF_INT},
83 [IP_VNET_INTERFACE] = {"vnet.interface", PF_INTERNAL},
84 [IP__IP4_IFADDR] = {"ip4.addr", PF_INTERNAL | PF_CONV},
|
84#ifdef INET6
| 85#ifdef INET6
|
85 {"ip6.addr", KP_IP6_ADDR, 0 },
| 86 [IP__IP6_IFADDR] = {"ip6.addr", PF_INTERNAL | PF_CONV},
|
86#endif
| 87#endif
|
87 {"ip_hostname", IP_IP_HOSTNAME, PF_INTERNAL | PF_BOOL },
88 {"jid", KP_JID, PF_INT },
89 {"mount", IP_MOUNT, PF_INTERNAL },
90 {"mount.devfs", IP_MOUNT_DEVFS, PF_INTERNAL | PF_BOOL },
91 {"mount.devfs.ruleset", IP_MOUNT_DEVFS_RULESET, PF_INTERNAL },
92 {"mount.fstab", IP_MOUNT_FSTAB, PF_INTERNAL },
93 {"mount.nodevfs", IP_MOUNT_DEVFS, PF_INTERNAL | PF_BOOL },
94 {"name", KP_NAME, 0 },
95 {"noip_hostname", IP_IP_HOSTNAME, PF_INTERNAL | PF_BOOL },
96 {"nopersist", KP_PERSIST, PF_BOOL },
97 {"path", KP_PATH, 0 },
98 {"persist", KP_PERSIST, PF_BOOL },
99 {"stop.timeout", IP_STOP_TIMEOUT, PF_INTERNAL | PF_INT },
100 {"vnet", KP_VNET, 0 },
101 {"vnet.interface", IP_VNET_INTERFACE, PF_INTERNAL },
| 88 [KP_ALLOW_CHFLAGS] = {"allow.chflags", 0},
89 [KP_ALLOW_MOUNT] = {"allow.mount", 0},
90 [KP_ALLOW_RAW_SOCKETS] = {"allow.raw_sockets", 0},
91 [KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0},
92 [KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0},
93 [KP_ALLOW_SYSVIPC] = {"allow.sysvipc", 0},
94 [KP_ENFORCE_STATFS] = {"enforce_statfs", 0},
95 [KP_HOST_HOSTNAME] = {"host.hostname", 0},
96 [KP_IP4_ADDR] = {"ip4.addr", 0},
97#ifdef INET6
98 [KP_IP6_ADDR] = {"ip6.addr", 0},
99#endif
100 [KP_JID] = {"jid", 0},
101 [KP_NAME] = {"name", 0},
102 [KP_PATH] = {"path", 0},
103 [KP_PERSIST] = {"persist", 0},
104 [KP_SECURELEVEL] = {"securelevel", 0},
105 [KP_VNET] = {"vnet", 0},
|
102};
103
104/*
105 * Parse the jail configuration file.
106 */
107void
108load_config(void)
109{
110 struct cfjails wild;
111 struct cfparams opp;
112 struct cfjail *j, *tj, *wj;
113 struct cfparam *p, *vp, *tp;
114 struct cfstring *s, *vs, *ns;
115 struct cfvar *v;
116 char *ep;
117 size_t varoff;
118 int did_self, jseq, pgen;
119
120 if (!strcmp(cfname, "-")) {
121 cfname = "STDIN";
122 yyin = stdin;
123 } else {
124 yyin = fopen(cfname, "r");
125 if (!yyin)
126 err(1, "%s", cfname);
127 }
128 if (yyparse() || yynerrs)
129 exit(1);
130
131 /* Separate the wildcard jails out from the actual jails. */
132 jseq = 0;
133 TAILQ_INIT(&wild);
134 TAILQ_FOREACH_SAFE(j, &cfjails, tq, tj) {
135 j->seq = ++jseq;
136 if (wild_jail_name(j->name))
137 requeue(j, &wild);
138 }
139
140 TAILQ_FOREACH(j, &cfjails, tq) {
141 /* Set aside the jail's parameters. */
142 TAILQ_INIT(&opp);
143 TAILQ_CONCAT(&opp, &j->params, tq);
144 /*
145 * The jail name implies its "name" or "jid" parameter,
146 * though they may also be explicitly set later on.
147 */
148 add_param(j, NULL,
| 106};
107
108/*
109 * Parse the jail configuration file.
110 */
111void
112load_config(void)
113{
114 struct cfjails wild;
115 struct cfparams opp;
116 struct cfjail *j, *tj, *wj;
117 struct cfparam *p, *vp, *tp;
118 struct cfstring *s, *vs, *ns;
119 struct cfvar *v;
120 char *ep;
121 size_t varoff;
122 int did_self, jseq, pgen;
123
124 if (!strcmp(cfname, "-")) {
125 cfname = "STDIN";
126 yyin = stdin;
127 } else {
128 yyin = fopen(cfname, "r");
129 if (!yyin)
130 err(1, "%s", cfname);
131 }
132 if (yyparse() || yynerrs)
133 exit(1);
134
135 /* Separate the wildcard jails out from the actual jails. */
136 jseq = 0;
137 TAILQ_INIT(&wild);
138 TAILQ_FOREACH_SAFE(j, &cfjails, tq, tj) {
139 j->seq = ++jseq;
140 if (wild_jail_name(j->name))
141 requeue(j, &wild);
142 }
143
144 TAILQ_FOREACH(j, &cfjails, tq) {
145 /* Set aside the jail's parameters. */
146 TAILQ_INIT(&opp);
147 TAILQ_CONCAT(&opp, &j->params, tq);
148 /*
149 * The jail name implies its "name" or "jid" parameter,
150 * though they may also be explicitly set later on.
151 */
152 add_param(j, NULL,
|
149 strtol(j->name, &ep, 10) && !*ep ? "jid" : "name",
| 153 strtol(j->name, &ep, 10) && !*ep ? KP_JID : KP_NAME,
|
150 j->name);
151 /*
152 * Collect parameters for the jail, global parameters/variables,
153 * and any matching wildcard jails.
154 */
155 did_self = 0;
156 TAILQ_FOREACH(wj, &wild, tq) {
157 if (j->seq < wj->seq && !did_self) {
158 TAILQ_FOREACH(p, &opp, tq)
| 154 j->name);
155 /*
156 * Collect parameters for the jail, global parameters/variables,
157 * and any matching wildcard jails.
158 */
159 did_self = 0;
160 TAILQ_FOREACH(wj, &wild, tq) {
161 if (j->seq < wj->seq && !did_self) {
162 TAILQ_FOREACH(p, &opp, tq)
|
159 add_param(j, p, NULL, NULL);
| 163 add_param(j, p, 0, NULL);
|
160 did_self = 1;
161 }
162 if (wild_jail_match(j->name, wj->name))
163 TAILQ_FOREACH(p, &wj->params, tq)
| 164 did_self = 1;
165 }
166 if (wild_jail_match(j->name, wj->name))
167 TAILQ_FOREACH(p, &wj->params, tq)
|
164 add_param(j, p, NULL, NULL);
| 168 add_param(j, p, 0, NULL);
|
165 }
166 if (!did_self)
167 TAILQ_FOREACH(p, &opp, tq)
| 169 }
170 if (!did_self)
171 TAILQ_FOREACH(p, &opp, tq)
|
168 add_param(j, p, NULL, NULL);
| 172 add_param(j, p, 0, NULL);
|
169
170 /* Resolve any variable substitutions. */
171 pgen = 0;
172 TAILQ_FOREACH(p, &j->params, tq) {
173 p->gen = ++pgen;
174 find_vars:
175 STAILQ_FOREACH(s, &p->val, tq) {
176 varoff = 0;
177 while ((v = STAILQ_FIRST(&s->vars))) {
178 TAILQ_FOREACH(vp, &j->params, tq)
179 if (!strcmp(vp->name, v->name))
180 break;
181 if (!vp) {
182 jail_warnx(j,
183 "%s: variable \"%s\" not found",
184 p->name, v->name);
185 bad_var:
186 j->flags |= JF_FAILED;
187 TAILQ_FOREACH(vp, &j->params, tq)
188 if (vp->gen == pgen)
189 vp->flags |= PF_BAD;
190 goto free_var;
191 }
192 if (vp->flags & PF_BAD)
193 goto bad_var;
194 if (vp->gen == pgen) {
195 jail_warnx(j, "%s: variable loop",
196 v->name);
197 goto bad_var;
198 }
199 STAILQ_FOREACH(vs, &vp->val, tq)
200 if (!STAILQ_EMPTY(&vs->vars)) {
201 vp->gen = pgen;
202 TAILQ_REMOVE(&j->params, vp,
203 tq);
204 TAILQ_INSERT_BEFORE(p, vp, tq);
205 p = vp;
206 goto find_vars;
207 }
208 vs = STAILQ_FIRST(&vp->val);
209 if (STAILQ_NEXT(vs, tq) != NULL &&
210 (s->s[0] != '\0' ||
211 STAILQ_NEXT(v, tq))) {
212 jail_warnx(j, "%s: array cannot be "
213 "substituted inline",
214 p->name);
215 goto bad_var;
216 }
217 s->s = erealloc(s->s, s->len + vs->len + 1);
218 memmove(s->s + v->pos + varoff + vs->len,
219 s->s + v->pos + varoff,
220 s->len - (v->pos + varoff) + 1);
221 memcpy(s->s + v->pos + varoff, vs->s, vs->len);
222 varoff += vs->len;
223 s->len += vs->len;
224 while ((vs = STAILQ_NEXT(vs, tq))) {
225 ns = emalloc(sizeof(struct cfstring));
226 ns->s = estrdup(vs->s);
227 ns->len = vs->len;
228 STAILQ_INIT(&ns->vars);
229 STAILQ_INSERT_AFTER(&p->val, s, ns, tq);
230 s = ns;
231 }
232 free_var:
233 free(v->name);
234 STAILQ_REMOVE_HEAD(&s->vars, tq);
235 free(v);
236 }
237 }
238 }
239
240 /* Free the jail's original parameter list and any variables. */
241 while ((p = TAILQ_FIRST(&opp)))
242 free_param(&opp, p);
243 TAILQ_FOREACH_SAFE(p, &j->params, tq, tp)
244 if (p->flags & PF_VAR)
245 free_param(&j->params, p);
246 }
247 while ((wj = TAILQ_FIRST(&wild))) {
248 free(wj->name);
249 while ((p = TAILQ_FIRST(&wj->params)))
250 free_param(&wj->params, p);
251 TAILQ_REMOVE(&wild, wj, tq);
252 }
253}
254
255/*
256 * Create a new jail record.
257 */
258struct cfjail *
259add_jail(void)
260{
261 struct cfjail *j;
262
263 j = emalloc(sizeof(struct cfjail));
264 memset(j, 0, sizeof(struct cfjail));
265 TAILQ_INIT(&j->params);
266 STAILQ_INIT(&j->dep[DEP_FROM]);
267 STAILQ_INIT(&j->dep[DEP_TO]);
268 j->queue = &cfjails;
269 TAILQ_INSERT_TAIL(&cfjails, j, tq);
270 return j;
271}
272
273/*
274 * Add a parameter to a jail.
275 */
276void
| 173
174 /* Resolve any variable substitutions. */
175 pgen = 0;
176 TAILQ_FOREACH(p, &j->params, tq) {
177 p->gen = ++pgen;
178 find_vars:
179 STAILQ_FOREACH(s, &p->val, tq) {
180 varoff = 0;
181 while ((v = STAILQ_FIRST(&s->vars))) {
182 TAILQ_FOREACH(vp, &j->params, tq)
183 if (!strcmp(vp->name, v->name))
184 break;
185 if (!vp) {
186 jail_warnx(j,
187 "%s: variable \"%s\" not found",
188 p->name, v->name);
189 bad_var:
190 j->flags |= JF_FAILED;
191 TAILQ_FOREACH(vp, &j->params, tq)
192 if (vp->gen == pgen)
193 vp->flags |= PF_BAD;
194 goto free_var;
195 }
196 if (vp->flags & PF_BAD)
197 goto bad_var;
198 if (vp->gen == pgen) {
199 jail_warnx(j, "%s: variable loop",
200 v->name);
201 goto bad_var;
202 }
203 STAILQ_FOREACH(vs, &vp->val, tq)
204 if (!STAILQ_EMPTY(&vs->vars)) {
205 vp->gen = pgen;
206 TAILQ_REMOVE(&j->params, vp,
207 tq);
208 TAILQ_INSERT_BEFORE(p, vp, tq);
209 p = vp;
210 goto find_vars;
211 }
212 vs = STAILQ_FIRST(&vp->val);
213 if (STAILQ_NEXT(vs, tq) != NULL &&
214 (s->s[0] != '\0' ||
215 STAILQ_NEXT(v, tq))) {
216 jail_warnx(j, "%s: array cannot be "
217 "substituted inline",
218 p->name);
219 goto bad_var;
220 }
221 s->s = erealloc(s->s, s->len + vs->len + 1);
222 memmove(s->s + v->pos + varoff + vs->len,
223 s->s + v->pos + varoff,
224 s->len - (v->pos + varoff) + 1);
225 memcpy(s->s + v->pos + varoff, vs->s, vs->len);
226 varoff += vs->len;
227 s->len += vs->len;
228 while ((vs = STAILQ_NEXT(vs, tq))) {
229 ns = emalloc(sizeof(struct cfstring));
230 ns->s = estrdup(vs->s);
231 ns->len = vs->len;
232 STAILQ_INIT(&ns->vars);
233 STAILQ_INSERT_AFTER(&p->val, s, ns, tq);
234 s = ns;
235 }
236 free_var:
237 free(v->name);
238 STAILQ_REMOVE_HEAD(&s->vars, tq);
239 free(v);
240 }
241 }
242 }
243
244 /* Free the jail's original parameter list and any variables. */
245 while ((p = TAILQ_FIRST(&opp)))
246 free_param(&opp, p);
247 TAILQ_FOREACH_SAFE(p, &j->params, tq, tp)
248 if (p->flags & PF_VAR)
249 free_param(&j->params, p);
250 }
251 while ((wj = TAILQ_FIRST(&wild))) {
252 free(wj->name);
253 while ((p = TAILQ_FIRST(&wj->params)))
254 free_param(&wj->params, p);
255 TAILQ_REMOVE(&wild, wj, tq);
256 }
257}
258
259/*
260 * Create a new jail record.
261 */
262struct cfjail *
263add_jail(void)
264{
265 struct cfjail *j;
266
267 j = emalloc(sizeof(struct cfjail));
268 memset(j, 0, sizeof(struct cfjail));
269 TAILQ_INIT(&j->params);
270 STAILQ_INIT(&j->dep[DEP_FROM]);
271 STAILQ_INIT(&j->dep[DEP_TO]);
272 j->queue = &cfjails;
273 TAILQ_INSERT_TAIL(&cfjails, j, tq);
274 return j;
275}
276
277/*
278 * Add a parameter to a jail.
279 */
280void
|
277add_param(struct cfjail *j, const struct cfparam *p, const char *name,
| 281add_param(struct cfjail *j, const struct cfparam *p, enum intparam ipnum,
|
278 const char *value)
279{
280 struct cfstrings nss;
281 struct cfparam *dp, *np;
282 struct cfstring *s, *ns;
283 struct cfvar *v, *nv;
| 282 const char *value)
283{
284 struct cfstrings nss;
285 struct cfparam *dp, *np;
286 struct cfstring *s, *ns;
287 struct cfvar *v, *nv;
|
| 288 struct ipspec *ips;
289 const char *name;
290 char *cs, *tname;
|
284 unsigned flags;
285
286 if (j == NULL) {
287 /* Create a single anonymous jail if one doesn't yet exist. */
288 j = TAILQ_LAST(&cfjails, cfjails);
289 if (j == NULL)
290 j = add_jail();
291 }
292 STAILQ_INIT(&nss);
293 if (p != NULL) {
294 name = p->name;
295 flags = p->flags;
296 /*
297 * Make a copy of the parameter's string list,
298 * which may be freed if it's overridden later.
299 */
300 STAILQ_FOREACH(s, &p->val, tq) {
301 ns = emalloc(sizeof(struct cfstring));
302 ns->s = estrdup(s->s);
303 ns->len = s->len;
304 STAILQ_INIT(&ns->vars);
305 STAILQ_FOREACH(v, &s->vars, tq) {
306 nv = emalloc(sizeof(struct cfvar));
307 nv->name = strdup(v->name);
308 nv->pos = v->pos;
309 STAILQ_INSERT_TAIL(&ns->vars, nv, tq);
310 }
311 STAILQ_INSERT_TAIL(&nss, ns, tq);
312 }
313 } else {
314 flags = PF_APPEND;
| 291 unsigned flags;
292
293 if (j == NULL) {
294 /* Create a single anonymous jail if one doesn't yet exist. */
295 j = TAILQ_LAST(&cfjails, cfjails);
296 if (j == NULL)
297 j = add_jail();
298 }
299 STAILQ_INIT(&nss);
300 if (p != NULL) {
301 name = p->name;
302 flags = p->flags;
303 /*
304 * Make a copy of the parameter's string list,
305 * which may be freed if it's overridden later.
306 */
307 STAILQ_FOREACH(s, &p->val, tq) {
308 ns = emalloc(sizeof(struct cfstring));
309 ns->s = estrdup(s->s);
310 ns->len = s->len;
311 STAILQ_INIT(&ns->vars);
312 STAILQ_FOREACH(v, &s->vars, tq) {
313 nv = emalloc(sizeof(struct cfvar));
314 nv->name = strdup(v->name);
315 nv->pos = v->pos;
316 STAILQ_INSERT_TAIL(&ns->vars, nv, tq);
317 }
318 STAILQ_INSERT_TAIL(&nss, ns, tq);
319 }
320 } else {
321 flags = PF_APPEND;
|
| 322 if (ipnum != 0) {
323 name = intparams[ipnum].name;
324 flags |= intparams[ipnum].flags;
325 } else if ((cs = strchr(value, '='))) {
326 tname = alloca(cs - value + 1);
327 strlcpy(tname, value, cs - value + 1);
328 name = tname;
329 value = cs + 1;
330 } else {
331 name = value;
332 value = NULL;
333 }
|
315 if (value != NULL) {
316 ns = emalloc(sizeof(struct cfstring));
317 ns->s = estrdup(value);
318 ns->len = strlen(value);
319 STAILQ_INIT(&ns->vars);
320 STAILQ_INSERT_TAIL(&nss, ns, tq);
321 }
322 }
323
324 /* See if this parameter has already been added. */
| 334 if (value != NULL) {
335 ns = emalloc(sizeof(struct cfstring));
336 ns->s = estrdup(value);
337 ns->len = strlen(value);
338 STAILQ_INIT(&ns->vars);
339 STAILQ_INSERT_TAIL(&nss, ns, tq);
340 }
341 }
342
343 /* See if this parameter has already been added. */
|
325 TAILQ_FOREACH(dp, &j->params, tq) {
326 if (equalopts(dp->name, name)) {
327 /* Found it - append or replace. */
328 if (strcmp(dp->name, name)) {
329 free(dp->name);
330 dp->name = estrdup(name);
331 }
332 if (!(flags & PF_APPEND) || STAILQ_EMPTY(&nss))
333 free_param_strings(dp);
334 STAILQ_CONCAT(&dp->val, &nss);
335 dp->flags |= flags;
336 break;
| 344 if (ipnum != 0)
345 dp = j->intparams[ipnum];
346 else
347 TAILQ_FOREACH(dp, &j->params, tq)
348 if (!(dp->flags & PF_CONV) && equalopts(dp->name, name))
349 break;
350 if (dp != NULL) {
351 /* Found it - append or replace. */
352 if (strcmp(dp->name, name)) {
353 free(dp->name);
354 dp->name = estrdup(name);
|
337 }
| 355 }
|
338 }
339 if (dp == NULL) {
| 356 if (!(flags & PF_APPEND) || STAILQ_EMPTY(&nss))
357 free_param_strings(dp);
358 STAILQ_CONCAT(&dp->val, &nss);
359 dp->flags |= flags;
360 } else {
|
340 /* Not found - add it. */
341 np = emalloc(sizeof(struct cfparam));
342 np->name = estrdup(name);
343 STAILQ_INIT(&np->val);
344 STAILQ_CONCAT(&np->val, &nss);
345 np->flags = flags;
346 np->gen = 0;
347 TAILQ_INSERT_TAIL(&j->params, np, tq);
| 361 /* Not found - add it. */
362 np = emalloc(sizeof(struct cfparam));
363 np->name = estrdup(name);
364 STAILQ_INIT(&np->val);
365 STAILQ_CONCAT(&np->val, &nss);
366 np->flags = flags;
367 np->gen = 0;
368 TAILQ_INSERT_TAIL(&j->params, np, tq);
|
| 369 if (ipnum != 0)
370 j->intparams[ipnum] = np;
371 else
372 for (ipnum = 1; ipnum < IP_NPARAM; ipnum++)
373 if (!(intparams[ipnum].flags & PF_CONV) &&
374 equalopts(name, intparams[ipnum].name)) {
375 j->intparams[ipnum] = np;
376 np->flags |= intparams[ipnum].flags;
377 break;
378 }
|
348 }
349}
350
351/*
| 379 }
380}
381
382/*
|
352 * Find internal or known parameters.
353 */
354void
355find_intparams(void)
356{
357 struct cfjail *j;
358 struct cfparam *p;
359 struct ipspec *ip;
360
361 TAILQ_FOREACH(j, &cfjails, tq) {
362 TAILQ_FOREACH(p, &j->params, tq) {
363 ip = bsearch(p->name, intparams,
364 sizeof(intparams) / sizeof(intparams[0]),
365 sizeof(struct ipspec), cmp_intparam);
366 if (ip != NULL) {
367 j->intparams[ip->ipnum] = p;
368 p->flags |= ip->flags;
369 }
370 }
371 }
372}
373
374/*
| |
375 * Check syntax of internal parameters.
376 */
377int
378check_intparams(struct cfjail *j)
379{
380 struct cfparam *p;
381 const char *val;
382 char *ep;
383 int error;
384
385 error = 0;
386 TAILQ_FOREACH(p, &j->params, tq) {
387 if (!STAILQ_EMPTY(&p->val) &&
388 (p->flags & (PF_BOOL | PF_INT))) {
389 val = STAILQ_LAST(&p->val, cfstring, tq)->s;
390 if (p->flags & PF_BOOL) {
391 if (strcasecmp(val, "false") &&
392 strcasecmp(val, "true") &&
393 ((void)strtol(val, &ep, 10), *ep)) {
394 jail_warnx(j,
395 "%s: unknown boolean value \"%s\"",
396 p->name, val);
397 error = -1;
398 }
399 } else {
400 (void)strtol(val, &ep, 10);
401 if (ep == val || *ep) {
402 jail_warnx(j,
403 "%s: non-integer value \"%s\"",
404 p->name, val);
405 error = -1;
406 }
407 }
408 }
409 }
410 return error;
411}
412
413/*
414 * Return if a boolean parameter exists and is true.
415 */
416int
417bool_param(const struct cfparam *p)
418{
419 const char *cs;
420
421 if (p == NULL)
422 return 0;
423 cs = strrchr(p->name, '.');
424 return !strncmp(cs ? cs + 1 : p->name, "no", 2) ^
425 (STAILQ_EMPTY(&p->val) ||
426 !strcasecmp(STAILQ_LAST(&p->val, cfstring, tq)->s, "true") ||
427 (strtol(STAILQ_LAST(&p->val, cfstring, tq)->s, NULL, 10)));
428}
429
430/*
431 * Set an integer if a parameter if it exists.
432 */
433int
434int_param(const struct cfparam *p, int *ip)
435{
436 if (p == NULL || STAILQ_EMPTY(&p->val))
437 return 0;
438 *ip = strtol(STAILQ_LAST(&p->val, cfstring, tq)->s, NULL, 10);
439 return 1;
440}
441
442/*
443 * Return the string value of a scalar parameter if it exists.
444 */
445const char *
446string_param(const struct cfparam *p)
447{
448 return (p && !STAILQ_EMPTY(&p->val)
449 ? STAILQ_LAST(&p->val, cfstring, tq)->s : NULL);
450}
451
452/*
453 * Look up extra IP addresses from the hostname and save interface and netmask.
454 */
455int
456ip_params(struct cfjail *j)
457{
458 struct in_addr addr4;
459 struct addrinfo hints, *ai0, *ai;
| 383 * Check syntax of internal parameters.
384 */
385int
386check_intparams(struct cfjail *j)
387{
388 struct cfparam *p;
389 const char *val;
390 char *ep;
391 int error;
392
393 error = 0;
394 TAILQ_FOREACH(p, &j->params, tq) {
395 if (!STAILQ_EMPTY(&p->val) &&
396 (p->flags & (PF_BOOL | PF_INT))) {
397 val = STAILQ_LAST(&p->val, cfstring, tq)->s;
398 if (p->flags & PF_BOOL) {
399 if (strcasecmp(val, "false") &&
400 strcasecmp(val, "true") &&
401 ((void)strtol(val, &ep, 10), *ep)) {
402 jail_warnx(j,
403 "%s: unknown boolean value \"%s\"",
404 p->name, val);
405 error = -1;
406 }
407 } else {
408 (void)strtol(val, &ep, 10);
409 if (ep == val || *ep) {
410 jail_warnx(j,
411 "%s: non-integer value \"%s\"",
412 p->name, val);
413 error = -1;
414 }
415 }
416 }
417 }
418 return error;
419}
420
421/*
422 * Return if a boolean parameter exists and is true.
423 */
424int
425bool_param(const struct cfparam *p)
426{
427 const char *cs;
428
429 if (p == NULL)
430 return 0;
431 cs = strrchr(p->name, '.');
432 return !strncmp(cs ? cs + 1 : p->name, "no", 2) ^
433 (STAILQ_EMPTY(&p->val) ||
434 !strcasecmp(STAILQ_LAST(&p->val, cfstring, tq)->s, "true") ||
435 (strtol(STAILQ_LAST(&p->val, cfstring, tq)->s, NULL, 10)));
436}
437
438/*
439 * Set an integer if a parameter if it exists.
440 */
441int
442int_param(const struct cfparam *p, int *ip)
443{
444 if (p == NULL || STAILQ_EMPTY(&p->val))
445 return 0;
446 *ip = strtol(STAILQ_LAST(&p->val, cfstring, tq)->s, NULL, 10);
447 return 1;
448}
449
450/*
451 * Return the string value of a scalar parameter if it exists.
452 */
453const char *
454string_param(const struct cfparam *p)
455{
456 return (p && !STAILQ_EMPTY(&p->val)
457 ? STAILQ_LAST(&p->val, cfstring, tq)->s : NULL);
458}
459
460/*
461 * Look up extra IP addresses from the hostname and save interface and netmask.
462 */
463int
464ip_params(struct cfjail *j)
465{
466 struct in_addr addr4;
467 struct addrinfo hints, *ai0, *ai;
|
460 struct cfparam *np;
| |
461 struct cfstring *s, *ns;
462 char *cs, *ep;
463 const char *hostname;
464 size_t size;
465 int error, ip4ok, defif, prefix;
466 int mib[4];
467 char avalue4[INET_ADDRSTRLEN];
468#ifdef INET6
469 struct in6_addr addr6;
470 int ip6ok, isip6;
471 char avalue6[INET6_ADDRSTRLEN];
472#endif
473
474 error = 0;
475 /*
476 * The ip_hostname parameter looks up the hostname, and adds parameters
477 * for any IP addresses it finds.
478 */
479 if (bool_param(j->intparams[IP_IP_HOSTNAME]) &&
| 468 struct cfstring *s, *ns;
469 char *cs, *ep;
470 const char *hostname;
471 size_t size;
472 int error, ip4ok, defif, prefix;
473 int mib[4];
474 char avalue4[INET_ADDRSTRLEN];
475#ifdef INET6
476 struct in6_addr addr6;
477 int ip6ok, isip6;
478 char avalue6[INET6_ADDRSTRLEN];
479#endif
480
481 error = 0;
482 /*
483 * The ip_hostname parameter looks up the hostname, and adds parameters
484 * for any IP addresses it finds.
485 */
486 if (bool_param(j->intparams[IP_IP_HOSTNAME]) &&
|
480 (hostname = string_param(j->intparams[KP_HOSTNAME]))) {
| 487 (hostname = string_param(j->intparams[KP_HOST_HOSTNAME]))) {
|
481 j->intparams[IP_IP_HOSTNAME] = NULL;
482 /*
483 * Silently ignore unsupported address families from
484 * DNS lookups.
485 */
486 size = 4;
487 ip4ok = sysctlnametomib("security.jail.param.ip4", mib, &size)
488 == 0;
489#ifdef INET6
490 size = 4;
491 ip6ok = sysctlnametomib("security.jail.param.ip6", mib, &size)
492 == 0;
493#endif
494 if (ip4ok
495#ifdef INET6
496 || ip6ok
497#endif
498 ) {
499 /* Look up the hostname (or get the address) */
500 memset(&hints, 0, sizeof(hints));
501 hints.ai_socktype = SOCK_STREAM;
502 hints.ai_family =
503#ifdef INET6
504 ip6ok ? (ip4ok ? PF_UNSPEC : PF_INET6) :
505#endif
506 PF_INET;
507 error = getaddrinfo(hostname, NULL, &hints, &ai0);
508 if (error != 0) {
509 jail_warnx(j, "host.hostname %s: %s", hostname,
510 gai_strerror(error));
511 error = -1;
512 } else {
513 /*
514 * Convert the addresses to ASCII so jailparam
515 * can convert them back. Errors are not
516 * expected here.
517 */
518 for (ai = ai0; ai; ai = ai->ai_next)
519 switch (ai->ai_family) {
520 case AF_INET:
521 memcpy(&addr4,
522 &((struct sockaddr_in *)
523 (void *)ai->ai_addr)->
524 sin_addr, sizeof(addr4));
525 if (inet_ntop(AF_INET,
526 &addr4, avalue4,
527 INET_ADDRSTRLEN) == NULL)
528 err(1, "inet_ntop");
| 488 j->intparams[IP_IP_HOSTNAME] = NULL;
489 /*
490 * Silently ignore unsupported address families from
491 * DNS lookups.
492 */
493 size = 4;
494 ip4ok = sysctlnametomib("security.jail.param.ip4", mib, &size)
495 == 0;
496#ifdef INET6
497 size = 4;
498 ip6ok = sysctlnametomib("security.jail.param.ip6", mib, &size)
499 == 0;
500#endif
501 if (ip4ok
502#ifdef INET6
503 || ip6ok
504#endif
505 ) {
506 /* Look up the hostname (or get the address) */
507 memset(&hints, 0, sizeof(hints));
508 hints.ai_socktype = SOCK_STREAM;
509 hints.ai_family =
510#ifdef INET6
511 ip6ok ? (ip4ok ? PF_UNSPEC : PF_INET6) :
512#endif
513 PF_INET;
514 error = getaddrinfo(hostname, NULL, &hints, &ai0);
515 if (error != 0) {
516 jail_warnx(j, "host.hostname %s: %s", hostname,
517 gai_strerror(error));
518 error = -1;
519 } else {
520 /*
521 * Convert the addresses to ASCII so jailparam
522 * can convert them back. Errors are not
523 * expected here.
524 */
525 for (ai = ai0; ai; ai = ai->ai_next)
526 switch (ai->ai_family) {
527 case AF_INET:
528 memcpy(&addr4,
529 &((struct sockaddr_in *)
530 (void *)ai->ai_addr)->
531 sin_addr, sizeof(addr4));
532 if (inet_ntop(AF_INET,
533 &addr4, avalue4,
534 INET_ADDRSTRLEN) == NULL)
535 err(1, "inet_ntop");
|
529 add_param(j, NULL, "ip4.addr",
| 536 add_param(j, NULL, KP_IP4_ADDR,
|
530 avalue4);
531 break;
532#ifdef INET6
533 case AF_INET6:
534 memcpy(&addr6,
535 &((struct sockaddr_in6 *)
536 (void *)ai->ai_addr)->
537 sin6_addr, sizeof(addr6));
538 if (inet_ntop(AF_INET6,
539 &addr6, avalue6,
540 INET6_ADDRSTRLEN) == NULL)
541 err(1, "inet_ntop");
| 537 avalue4);
538 break;
539#ifdef INET6
540 case AF_INET6:
541 memcpy(&addr6,
542 &((struct sockaddr_in6 *)
543 (void *)ai->ai_addr)->
544 sin6_addr, sizeof(addr6));
545 if (inet_ntop(AF_INET6,
546 &addr6, avalue6,
547 INET6_ADDRSTRLEN) == NULL)
548 err(1, "inet_ntop");
|
542 add_param(j, NULL, "ip6.addr",
| 549 add_param(j, NULL, KP_IP6_ADDR,
|
543 avalue6);
544 break;
545#endif
546 }
547 freeaddrinfo(ai0);
548 }
549 }
550 }
551 /*
552 * IP addresses may include an interface to set that address on,
553 * and a netmask/suffix for that address.
554 */
555 defif = string_param(j->intparams[IP_INTERFACE]) != NULL;
556#ifdef INET6
557 for (isip6 = 0; isip6 <= 1; isip6++)
558#else
559#define isip6 0
560 do
561#endif
562 {
563 if (j->intparams[KP_IP4_ADDR + isip6] == NULL)
564 continue;
| 550 avalue6);
551 break;
552#endif
553 }
554 freeaddrinfo(ai0);
555 }
556 }
557 }
558 /*
559 * IP addresses may include an interface to set that address on,
560 * and a netmask/suffix for that address.
561 */
562 defif = string_param(j->intparams[IP_INTERFACE]) != NULL;
563#ifdef INET6
564 for (isip6 = 0; isip6 <= 1; isip6++)
565#else
566#define isip6 0
567 do
568#endif
569 {
570 if (j->intparams[KP_IP4_ADDR + isip6] == NULL)
571 continue;
|
565 np = j->intparams[IP__IP4_IFADDR + isip6];
| |
566 STAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR + isip6]->val, tq) {
567 cs = strchr(s->s, '|');
| 572 STAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR + isip6]->val, tq) {
573 cs = strchr(s->s, '|');
|
568 if (cs || defif) {
569 if (np == NULL) {
570 np = j->intparams[IP__IP4_IFADDR +
571 isip6] =
572 emalloc(sizeof(struct cfparam));
573 np->name = estrdup(j->intparams
574 [KP_IP4_ADDR + isip6]->name);
575 STAILQ_INIT(&np->val);
576 np->flags = PF_INTERNAL;
577 }
578 ns = emalloc(sizeof(struct cfstring));
579 ns->s = estrdup(s->s);
580 ns->len = s->len;
581 STAILQ_INIT(&ns->vars);
582 STAILQ_INSERT_TAIL(&np->val, ns, tq);
583 if (cs != NULL) {
584 strcpy(s->s, cs + 1);
585 s->len -= cs - s->s + 1;
586 }
| 574 if (cs || defif)
575 add_param(j, NULL, IP__IP4_IFADDR + isip6,
576 s->s);
577 if (cs) {
578 strcpy(s->s, cs + 1);
579 s->len -= cs + 1 - s->s;
|
587 }
588 if ((cs = strchr(s->s, '/'))) {
589 prefix = strtol(cs + 1, &ep, 10);
590 if (!isip6 && *ep == '.'
591 ? inet_pton(AF_INET, cs + 1, &addr4) != 1
592 : *ep || prefix < 0 || prefix >
593 (isip6 ? 128 : 32)) {
594 jail_warnx(j, isip6
595 ? "ip6.addr: bad prefixlen \"%s\""
596 : "ip4.addr: bad netmask \"%s\"",
597 cs);
598 error = -1;
599 }
600 *cs = '\0';
601 s->len = cs - s->s + 1;
602 }
603 }
604 }
605#ifndef INET6
606 while (0);
607#endif
608 return error;
609}
610
611/*
612 * Import parameters into libjail's binary jailparam format.
613 */
614int
615import_params(struct cfjail *j)
616{
617 struct cfparam *p;
618 struct cfstring *s, *ts;
619 struct jailparam *jp;
620 char *value, *cs;
621 size_t vallen;
622 int error;
623
624 error = 0;
625 j->njp = 0;
626 TAILQ_FOREACH(p, &j->params, tq)
627 if (!(p->flags & PF_INTERNAL))
628 j->njp++;
629 j->jp = jp = emalloc(j->njp * sizeof(struct jailparam));
630 TAILQ_FOREACH(p, &j->params, tq) {
631 if (p->flags & PF_INTERNAL)
632 continue;
633 if (jailparam_init(jp, p->name) < 0) {
634 error = -1;
635 jail_warnx(j, "%s", jail_errmsg);
636 continue;
637 }
638 if (STAILQ_EMPTY(&p->val))
639 value = NULL;
640 else if (!jp->jp_elemlen ||
641 !STAILQ_NEXT(STAILQ_FIRST(&p->val), tq)) {
642 /*
643 * Scalar parameters silently discard multiple (array)
644 * values, keeping only the last value added. This
645 * lets values added from the command line append to
646 * arrays wthout pre-checking the type.
647 */
648 value = STAILQ_LAST(&p->val, cfstring, tq)->s;
649 } else {
650 /*
651 * Convert arrays into comma-separated strings, which
652 * jailparam_import will then convert back into arrays.
653 */
654 vallen = 0;
655 STAILQ_FOREACH(s, &p->val, tq)
656 vallen += s->len + 1;
657 value = alloca(vallen);
658 cs = value;
659 STAILQ_FOREACH_SAFE(s, &p->val, tq, ts) {
660 strcpy(cs, s->s);
661 if (ts != NULL) {
662 cs += s->len + 1;
663 cs[-1] = ',';
664 }
665 }
666 }
667 if (jailparam_import(jp, value) < 0) {
668 error = -1;
669 jail_warnx(j, "%s", jail_errmsg);
670 }
671 jp++;
672 }
673 if (error) {
674 jailparam_free(j->jp, j->njp);
675 free(j->jp);
676 j->jp = NULL;
677 failed(j);
678 }
679 return error;
680}
681
682/*
683 * Check if options are equal (with or without the "no" prefix).
684 */
685int
686equalopts(const char *opt1, const char *opt2)
687{
688 char *p;
689
690 /* "opt" vs. "opt" or "noopt" vs. "noopt" */
691 if (strcmp(opt1, opt2) == 0)
692 return (1);
693 /* "noopt" vs. "opt" */
694 if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
695 return (1);
696 /* "opt" vs. "noopt" */
697 if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
698 return (1);
699 while ((p = strchr(opt1, '.')) != NULL &&
700 !strncmp(opt1, opt2, ++p - opt1)) {
701 opt2 += p - opt1;
702 opt1 = p;
703 /* "foo.noopt" vs. "foo.opt" */
704 if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
705 return (1);
706 /* "foo.opt" vs. "foo.noopt" */
707 if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
708 return (1);
709 }
710 return (0);
711}
712
713/*
714 * See if a jail name matches a wildcard.
715 */
716int
717wild_jail_match(const char *jname, const char *wname)
718{
719 const char *jc, *jd, *wc, *wd;
720
721 /*
722 * A non-final "*" component in the wild name matches a single jail
723 * component, and a final "*" matches one or more jail components.
724 */
725 for (jc = jname, wc = wname;
726 (jd = strchr(jc, '.')) && (wd = strchr(wc, '.'));
727 jc = jd + 1, wc = wd + 1)
728 if (strncmp(jc, wc, jd - jc + 1) && strncmp(wc, "*.", 2))
729 return 0;
730 return (!strcmp(jc, wc) || !strcmp(wc, "*"));
731}
732
733/*
734 * Return if a jail name is a wildcard.
735 */
736int
737wild_jail_name(const char *wname)
738{
739 const char *wc;
740
741 for (wc = strchr(wname, '*'); wc; wc = strchr(wc + 1, '*'))
742 if ((wc == wname || wc[-1] == '.') &&
743 (wc[1] == '\0' || wc[1] == '.'))
744 return 1;
745 return 0;
746}
747
748/*
| 580 }
581 if ((cs = strchr(s->s, '/'))) {
582 prefix = strtol(cs + 1, &ep, 10);
583 if (!isip6 && *ep == '.'
584 ? inet_pton(AF_INET, cs + 1, &addr4) != 1
585 : *ep || prefix < 0 || prefix >
586 (isip6 ? 128 : 32)) {
587 jail_warnx(j, isip6
588 ? "ip6.addr: bad prefixlen \"%s\""
589 : "ip4.addr: bad netmask \"%s\"",
590 cs);
591 error = -1;
592 }
593 *cs = '\0';
594 s->len = cs - s->s + 1;
595 }
596 }
597 }
598#ifndef INET6
599 while (0);
600#endif
601 return error;
602}
603
604/*
605 * Import parameters into libjail's binary jailparam format.
606 */
607int
608import_params(struct cfjail *j)
609{
610 struct cfparam *p;
611 struct cfstring *s, *ts;
612 struct jailparam *jp;
613 char *value, *cs;
614 size_t vallen;
615 int error;
616
617 error = 0;
618 j->njp = 0;
619 TAILQ_FOREACH(p, &j->params, tq)
620 if (!(p->flags & PF_INTERNAL))
621 j->njp++;
622 j->jp = jp = emalloc(j->njp * sizeof(struct jailparam));
623 TAILQ_FOREACH(p, &j->params, tq) {
624 if (p->flags & PF_INTERNAL)
625 continue;
626 if (jailparam_init(jp, p->name) < 0) {
627 error = -1;
628 jail_warnx(j, "%s", jail_errmsg);
629 continue;
630 }
631 if (STAILQ_EMPTY(&p->val))
632 value = NULL;
633 else if (!jp->jp_elemlen ||
634 !STAILQ_NEXT(STAILQ_FIRST(&p->val), tq)) {
635 /*
636 * Scalar parameters silently discard multiple (array)
637 * values, keeping only the last value added. This
638 * lets values added from the command line append to
639 * arrays wthout pre-checking the type.
640 */
641 value = STAILQ_LAST(&p->val, cfstring, tq)->s;
642 } else {
643 /*
644 * Convert arrays into comma-separated strings, which
645 * jailparam_import will then convert back into arrays.
646 */
647 vallen = 0;
648 STAILQ_FOREACH(s, &p->val, tq)
649 vallen += s->len + 1;
650 value = alloca(vallen);
651 cs = value;
652 STAILQ_FOREACH_SAFE(s, &p->val, tq, ts) {
653 strcpy(cs, s->s);
654 if (ts != NULL) {
655 cs += s->len + 1;
656 cs[-1] = ',';
657 }
658 }
659 }
660 if (jailparam_import(jp, value) < 0) {
661 error = -1;
662 jail_warnx(j, "%s", jail_errmsg);
663 }
664 jp++;
665 }
666 if (error) {
667 jailparam_free(j->jp, j->njp);
668 free(j->jp);
669 j->jp = NULL;
670 failed(j);
671 }
672 return error;
673}
674
675/*
676 * Check if options are equal (with or without the "no" prefix).
677 */
678int
679equalopts(const char *opt1, const char *opt2)
680{
681 char *p;
682
683 /* "opt" vs. "opt" or "noopt" vs. "noopt" */
684 if (strcmp(opt1, opt2) == 0)
685 return (1);
686 /* "noopt" vs. "opt" */
687 if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
688 return (1);
689 /* "opt" vs. "noopt" */
690 if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
691 return (1);
692 while ((p = strchr(opt1, '.')) != NULL &&
693 !strncmp(opt1, opt2, ++p - opt1)) {
694 opt2 += p - opt1;
695 opt1 = p;
696 /* "foo.noopt" vs. "foo.opt" */
697 if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
698 return (1);
699 /* "foo.opt" vs. "foo.noopt" */
700 if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
701 return (1);
702 }
703 return (0);
704}
705
706/*
707 * See if a jail name matches a wildcard.
708 */
709int
710wild_jail_match(const char *jname, const char *wname)
711{
712 const char *jc, *jd, *wc, *wd;
713
714 /*
715 * A non-final "*" component in the wild name matches a single jail
716 * component, and a final "*" matches one or more jail components.
717 */
718 for (jc = jname, wc = wname;
719 (jd = strchr(jc, '.')) && (wd = strchr(wc, '.'));
720 jc = jd + 1, wc = wd + 1)
721 if (strncmp(jc, wc, jd - jc + 1) && strncmp(wc, "*.", 2))
722 return 0;
723 return (!strcmp(jc, wc) || !strcmp(wc, "*"));
724}
725
726/*
727 * Return if a jail name is a wildcard.
728 */
729int
730wild_jail_name(const char *wname)
731{
732 const char *wc;
733
734 for (wc = strchr(wname, '*'); wc; wc = strchr(wc + 1, '*'))
735 if ((wc == wname || wc[-1] == '.') &&
736 (wc[1] == '\0' || wc[1] == '.'))
737 return 1;
738 return 0;
739}
740
741/*
|
749 * Compare strings and intparams for bsearch.
750 */
751
752static int
753cmp_intparam(const void *a, const void *b)
754{
755 return strcmp((const char *)a, ((const struct ipspec *)b)->name);
756}
757
758/*
| |
759 * Free a parameter record and all its strings and variables.
760 */
761static void
762free_param(struct cfparams *pp, struct cfparam *p)
763{
764 free(p->name);
765 free_param_strings(p);
766 TAILQ_REMOVE(pp, p, tq);
767 free(p);
768}
769
770static void
771free_param_strings(struct cfparam *p)
772{
773 struct cfstring *s;
774 struct cfvar *v;
775
776 while ((s = STAILQ_FIRST(&p->val))) {
777 free(s->s);
778 while ((v = STAILQ_FIRST(&s->vars))) {
779 free(v->name);
780 STAILQ_REMOVE_HEAD(&s->vars, tq);
781 free(v);
782 }
783 STAILQ_REMOVE_HEAD(&p->val, tq);
784 free(s);
785 }
786}
| 742 * Free a parameter record and all its strings and variables.
743 */
744static void
745free_param(struct cfparams *pp, struct cfparam *p)
746{
747 free(p->name);
748 free_param_strings(p);
749 TAILQ_REMOVE(pp, p, tq);
750 free(p);
751}
752
753static void
754free_param_strings(struct cfparam *p)
755{
756 struct cfstring *s;
757 struct cfvar *v;
758
759 while ((s = STAILQ_FIRST(&p->val))) {
760 free(s->s);
761 while ((v = STAILQ_FIRST(&s->vars))) {
762 free(v->name);
763 STAILQ_REMOVE_HEAD(&s->vars, tq);
764 free(v);
765 }
766 STAILQ_REMOVE_HEAD(&p->val, tq);
767 free(s);
768 }
769}
|