Deleted Added
sdiff udiff text old ( 302408 ) new ( 302954 )
full compact
command.c (302408) command.c (302954)
1/*-
2 * Copyright (c) 2011 James Gritton
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
1/*-
2 * Copyright (c) 2011 James Gritton
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 */
26
27#include <sys/cdefs.h>
28__FBSDID("$FreeBSD: stable/11/usr.sbin/jail/command.c 298562 2016-04-25 03:24:48Z jamie $");
28__FBSDID("$FreeBSD: stable/11/usr.sbin/jail/command.c 302954 2016-07-17 14:06:17Z jamie $");
29
30#include <sys/types.h>
31#include <sys/event.h>
32#include <sys/mount.h>
33#include <sys/stat.h>
34#include <sys/sysctl.h>
35#include <sys/user.h>
36#include <sys/wait.h>
37
38#include <err.h>
39#include <errno.h>
40#include <fcntl.h>
41#include <kvm.h>
42#include <login_cap.h>
43#include <paths.h>
44#include <pwd.h>
45#include <signal.h>
46#include <stdio.h>
47#include <stdlib.h>
48#include <string.h>
49#include <unistd.h>
50#include <vis.h>
51
52#include "jailp.h"
53
54#define DEFAULT_STOP_TIMEOUT 10
55#define PHASH_SIZE 256
56
57LIST_HEAD(phhead, phash);
58
59struct phash {
60 LIST_ENTRY(phash) le;
61 struct cfjail *j;
62 pid_t pid;
63};
64
65int paralimit = -1;
66
67extern char **environ;
68
69static int run_command(struct cfjail *j);
70static int add_proc(struct cfjail *j, pid_t pid);
71static void clear_procs(struct cfjail *j);
72static struct cfjail *find_proc(pid_t pid);
73static int term_procs(struct cfjail *j);
74static int get_user_info(struct cfjail *j, const char *username,
75 const struct passwd **pwdp, login_cap_t **lcapp);
76static int check_path(struct cfjail *j, const char *pname, const char *path,
77 int isfile, const char *umount_type);
78
79static struct cfjails sleeping = TAILQ_HEAD_INITIALIZER(sleeping);
80static struct cfjails runnable = TAILQ_HEAD_INITIALIZER(runnable);
81static struct cfstring dummystring = { .len = 1 };
82static struct phhead phash[PHASH_SIZE];
83static int kq;
84
85/*
86 * Run the next command associated with a jail.
87 */
88int
89next_command(struct cfjail *j)
90{
91 enum intparam comparam;
92 int create_failed, stopping;
93
94 if (paralimit == 0) {
29
30#include <sys/types.h>
31#include <sys/event.h>
32#include <sys/mount.h>
33#include <sys/stat.h>
34#include <sys/sysctl.h>
35#include <sys/user.h>
36#include <sys/wait.h>
37
38#include <err.h>
39#include <errno.h>
40#include <fcntl.h>
41#include <kvm.h>
42#include <login_cap.h>
43#include <paths.h>
44#include <pwd.h>
45#include <signal.h>
46#include <stdio.h>
47#include <stdlib.h>
48#include <string.h>
49#include <unistd.h>
50#include <vis.h>
51
52#include "jailp.h"
53
54#define DEFAULT_STOP_TIMEOUT 10
55#define PHASH_SIZE 256
56
57LIST_HEAD(phhead, phash);
58
59struct phash {
60 LIST_ENTRY(phash) le;
61 struct cfjail *j;
62 pid_t pid;
63};
64
65int paralimit = -1;
66
67extern char **environ;
68
69static int run_command(struct cfjail *j);
70static int add_proc(struct cfjail *j, pid_t pid);
71static void clear_procs(struct cfjail *j);
72static struct cfjail *find_proc(pid_t pid);
73static int term_procs(struct cfjail *j);
74static int get_user_info(struct cfjail *j, const char *username,
75 const struct passwd **pwdp, login_cap_t **lcapp);
76static int check_path(struct cfjail *j, const char *pname, const char *path,
77 int isfile, const char *umount_type);
78
79static struct cfjails sleeping = TAILQ_HEAD_INITIALIZER(sleeping);
80static struct cfjails runnable = TAILQ_HEAD_INITIALIZER(runnable);
81static struct cfstring dummystring = { .len = 1 };
82static struct phhead phash[PHASH_SIZE];
83static int kq;
84
85/*
86 * Run the next command associated with a jail.
87 */
88int
89next_command(struct cfjail *j)
90{
91 enum intparam comparam;
92 int create_failed, stopping;
93
94 if (paralimit == 0) {
95 requeue(j, &runnable);
95 if (j->flags & JF_FROM_RUNQ)
96 requeue_head(j, &runnable);
97 else
98 requeue(j, &runnable);
96 return 1;
97 }
99 return 1;
100 }
101 j->flags &= ~JF_FROM_RUNQ;
98 create_failed = (j->flags & (JF_STOP | JF_FAILED)) == JF_FAILED;
99 stopping = (j->flags & JF_STOP) != 0;
100 comparam = *j->comparam;
101 for (;;) {
102 if (j->comstring == NULL) {
103 j->comparam += create_failed ? -1 : 1;
104 switch ((comparam = *j->comparam)) {
105 case IP__NULL:
106 return 0;
107 case IP_MOUNT_DEVFS:
108 if (!bool_param(j->intparams[IP_MOUNT_DEVFS]))
109 continue;
110 j->comstring = &dummystring;
111 break;
112 case IP_MOUNT_FDESCFS:
113 if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
114 continue;
115 j->comstring = &dummystring;
116 break;
117 case IP_MOUNT_PROCFS:
118 if (!bool_param(j->intparams[IP_MOUNT_PROCFS]))
119 continue;
120 j->comstring = &dummystring;
121 break;
122 case IP__OP:
123 case IP_STOP_TIMEOUT:
124 j->comstring = &dummystring;
125 break;
126 default:
127 if (j->intparams[comparam] == NULL)
128 continue;
129 j->comstring = create_failed || (stopping &&
130 (j->intparams[comparam]->flags & PF_REV))
131 ? TAILQ_LAST(&j->intparams[comparam]->val,
132 cfstrings)
133 : TAILQ_FIRST(&j->intparams[comparam]->val);
134 }
135 } else {
136 j->comstring = j->comstring == &dummystring ? NULL :
137 create_failed || (stopping &&
138 (j->intparams[comparam]->flags & PF_REV))
139 ? TAILQ_PREV(j->comstring, cfstrings, tq)
140 : TAILQ_NEXT(j->comstring, tq);
141 }
142 if (j->comstring == NULL || j->comstring->len == 0 ||
143 (create_failed && (comparam == IP_EXEC_PRESTART ||
144 comparam == IP_EXEC_START || comparam == IP_COMMAND ||
145 comparam == IP_EXEC_POSTSTART)))
146 continue;
147 switch (run_command(j)) {
148 case -1:
149 failed(j);
150 /* FALLTHROUGH */
151 case 1:
152 return 1;
153 }
154 }
155}
156
157/*
158 * Check command exit status
159 */
160int
161finish_command(struct cfjail *j)
162{
102 create_failed = (j->flags & (JF_STOP | JF_FAILED)) == JF_FAILED;
103 stopping = (j->flags & JF_STOP) != 0;
104 comparam = *j->comparam;
105 for (;;) {
106 if (j->comstring == NULL) {
107 j->comparam += create_failed ? -1 : 1;
108 switch ((comparam = *j->comparam)) {
109 case IP__NULL:
110 return 0;
111 case IP_MOUNT_DEVFS:
112 if (!bool_param(j->intparams[IP_MOUNT_DEVFS]))
113 continue;
114 j->comstring = &dummystring;
115 break;
116 case IP_MOUNT_FDESCFS:
117 if (!bool_param(j->intparams[IP_MOUNT_FDESCFS]))
118 continue;
119 j->comstring = &dummystring;
120 break;
121 case IP_MOUNT_PROCFS:
122 if (!bool_param(j->intparams[IP_MOUNT_PROCFS]))
123 continue;
124 j->comstring = &dummystring;
125 break;
126 case IP__OP:
127 case IP_STOP_TIMEOUT:
128 j->comstring = &dummystring;
129 break;
130 default:
131 if (j->intparams[comparam] == NULL)
132 continue;
133 j->comstring = create_failed || (stopping &&
134 (j->intparams[comparam]->flags & PF_REV))
135 ? TAILQ_LAST(&j->intparams[comparam]->val,
136 cfstrings)
137 : TAILQ_FIRST(&j->intparams[comparam]->val);
138 }
139 } else {
140 j->comstring = j->comstring == &dummystring ? NULL :
141 create_failed || (stopping &&
142 (j->intparams[comparam]->flags & PF_REV))
143 ? TAILQ_PREV(j->comstring, cfstrings, tq)
144 : TAILQ_NEXT(j->comstring, tq);
145 }
146 if (j->comstring == NULL || j->comstring->len == 0 ||
147 (create_failed && (comparam == IP_EXEC_PRESTART ||
148 comparam == IP_EXEC_START || comparam == IP_COMMAND ||
149 comparam == IP_EXEC_POSTSTART)))
150 continue;
151 switch (run_command(j)) {
152 case -1:
153 failed(j);
154 /* FALLTHROUGH */
155 case 1:
156 return 1;
157 }
158 }
159}
160
161/*
162 * Check command exit status
163 */
164int
165finish_command(struct cfjail *j)
166{
167 struct cfjail *rj;
163 int error;
164
165 if (!(j->flags & JF_SLEEPQ))
166 return 0;
167 j->flags &= ~JF_SLEEPQ;
168 int error;
169
170 if (!(j->flags & JF_SLEEPQ))
171 return 0;
172 j->flags &= ~JF_SLEEPQ;
168 if (*j->comparam == IP_STOP_TIMEOUT)
169 {
173 if (*j->comparam == IP_STOP_TIMEOUT) {
170 j->flags &= ~JF_TIMEOUT;
171 j->pstatus = 0;
172 return 0;
173 }
174 paralimit++;
174 j->flags &= ~JF_TIMEOUT;
175 j->pstatus = 0;
176 return 0;
177 }
178 paralimit++;
175 if (!TAILQ_EMPTY(&runnable))
176 requeue(TAILQ_FIRST(&runnable), &ready);
179 if (!TAILQ_EMPTY(&runnable)) {
180 rj = TAILQ_FIRST(&runnable);
181 rj->flags |= JF_FROM_RUNQ;
182 requeue(rj, &ready);
183 }
177 error = 0;
178 if (j->flags & JF_TIMEOUT) {
179 j->flags &= ~JF_TIMEOUT;
180 if (*j->comparam != IP_STOP_TIMEOUT) {
181 jail_warnx(j, "%s: timed out", j->comline);
182 failed(j);
183 error = -1;
184 } else if (verbose > 0)
185 jail_note(j, "timed out\n");
186 } else if (j->pstatus != 0) {
187 if (WIFSIGNALED(j->pstatus))
188 jail_warnx(j, "%s: exited on signal %d",
189 j->comline, WTERMSIG(j->pstatus));
190 else
191 jail_warnx(j, "%s: failed", j->comline);
192 j->pstatus = 0;
193 failed(j);
194 error = -1;
195 }
196 free(j->comline);
197 j->comline = NULL;
198 return error;
199}
200
201/*
202 * Check for finished processes or timeouts.
203 */
204struct cfjail *
205next_proc(int nonblock)
206{
207 struct kevent ke;
208 struct timespec ts;
209 struct timespec *tsp;
210 struct cfjail *j;
211
212 if (!TAILQ_EMPTY(&sleeping)) {
213 again:
214 tsp = NULL;
215 if ((j = TAILQ_FIRST(&sleeping)) && j->timeout.tv_sec) {
216 clock_gettime(CLOCK_REALTIME, &ts);
217 ts.tv_sec = j->timeout.tv_sec - ts.tv_sec;
218 ts.tv_nsec = j->timeout.tv_nsec - ts.tv_nsec;
219 if (ts.tv_nsec < 0) {
220 ts.tv_sec--;
221 ts.tv_nsec += 1000000000;
222 }
223 if (ts.tv_sec < 0 ||
224 (ts.tv_sec == 0 && ts.tv_nsec == 0)) {
225 j->flags |= JF_TIMEOUT;
226 clear_procs(j);
227 return j;
228 }
229 tsp = &ts;
230 }
231 if (nonblock) {
232 ts.tv_sec = 0;
233 ts.tv_nsec = 0;
234 tsp = &ts;
235 }
236 switch (kevent(kq, NULL, 0, &ke, 1, tsp)) {
237 case -1:
238 if (errno != EINTR)
239 err(1, "kevent");
240 goto again;
241 case 0:
242 if (!nonblock) {
243 j = TAILQ_FIRST(&sleeping);
244 j->flags |= JF_TIMEOUT;
245 clear_procs(j);
246 return j;
247 }
248 break;
249 case 1:
250 (void)waitpid(ke.ident, NULL, WNOHANG);
251 if ((j = find_proc(ke.ident))) {
252 j->pstatus = ke.data;
253 return j;
254 }
255 goto again;
256 }
257 }
258 return NULL;
259}
260
261/*
184 error = 0;
185 if (j->flags & JF_TIMEOUT) {
186 j->flags &= ~JF_TIMEOUT;
187 if (*j->comparam != IP_STOP_TIMEOUT) {
188 jail_warnx(j, "%s: timed out", j->comline);
189 failed(j);
190 error = -1;
191 } else if (verbose > 0)
192 jail_note(j, "timed out\n");
193 } else if (j->pstatus != 0) {
194 if (WIFSIGNALED(j->pstatus))
195 jail_warnx(j, "%s: exited on signal %d",
196 j->comline, WTERMSIG(j->pstatus));
197 else
198 jail_warnx(j, "%s: failed", j->comline);
199 j->pstatus = 0;
200 failed(j);
201 error = -1;
202 }
203 free(j->comline);
204 j->comline = NULL;
205 return error;
206}
207
208/*
209 * Check for finished processes or timeouts.
210 */
211struct cfjail *
212next_proc(int nonblock)
213{
214 struct kevent ke;
215 struct timespec ts;
216 struct timespec *tsp;
217 struct cfjail *j;
218
219 if (!TAILQ_EMPTY(&sleeping)) {
220 again:
221 tsp = NULL;
222 if ((j = TAILQ_FIRST(&sleeping)) && j->timeout.tv_sec) {
223 clock_gettime(CLOCK_REALTIME, &ts);
224 ts.tv_sec = j->timeout.tv_sec - ts.tv_sec;
225 ts.tv_nsec = j->timeout.tv_nsec - ts.tv_nsec;
226 if (ts.tv_nsec < 0) {
227 ts.tv_sec--;
228 ts.tv_nsec += 1000000000;
229 }
230 if (ts.tv_sec < 0 ||
231 (ts.tv_sec == 0 && ts.tv_nsec == 0)) {
232 j->flags |= JF_TIMEOUT;
233 clear_procs(j);
234 return j;
235 }
236 tsp = &ts;
237 }
238 if (nonblock) {
239 ts.tv_sec = 0;
240 ts.tv_nsec = 0;
241 tsp = &ts;
242 }
243 switch (kevent(kq, NULL, 0, &ke, 1, tsp)) {
244 case -1:
245 if (errno != EINTR)
246 err(1, "kevent");
247 goto again;
248 case 0:
249 if (!nonblock) {
250 j = TAILQ_FIRST(&sleeping);
251 j->flags |= JF_TIMEOUT;
252 clear_procs(j);
253 return j;
254 }
255 break;
256 case 1:
257 (void)waitpid(ke.ident, NULL, WNOHANG);
258 if ((j = find_proc(ke.ident))) {
259 j->pstatus = ke.data;
260 return j;
261 }
262 goto again;
263 }
264 }
265 return NULL;
266}
267
268/*
262 * Run a single command for a jail, possible inside the jail.
269 * Run a single command for a jail, possibly inside the jail.
263 */
264static int
265run_command(struct cfjail *j)
266{
267 const struct passwd *pwd;
268 const struct cfstring *comstring, *s;
269 login_cap_t *lcap;
270 const char **argv;
271 char *acs, *cs, *comcs, *devpath;
272 const char *jidstr, *conslog, *path, *ruleset, *term, *username;
273 enum intparam comparam;
274 size_t comlen;
275 pid_t pid;
276 int argc, bg, clean, consfd, down, fib, i, injail, sjuser, timeout;
277#if defined(INET) || defined(INET6)
278 char *addr, *extrap, *p, *val;
279#endif
280
281 static char *cleanenv;
282
283 /* Perform some operations that aren't actually commands */
284 comparam = *j->comparam;
285 down = j->flags & (JF_STOP | JF_FAILED);
286 switch (comparam) {
287 case IP_STOP_TIMEOUT:
288 return term_procs(j);
289
290 case IP__OP:
291 if (down) {
292 if (jail_remove(j->jid) < 0 && errno == EPERM) {
293 jail_warnx(j, "jail_remove: %s",
294 strerror(errno));
295 return -1;
296 }
297 if (verbose > 0 || (verbose == 0 && (j->flags & JF_STOP
298 ? note_remove : j->name != NULL)))
299 jail_note(j, "removed\n");
300 j->jid = -1;
301 if (j->flags & JF_STOP)
302 dep_done(j, DF_LIGHT);
303 else
304 j->flags &= ~JF_PERSIST;
305 } else {
306 if (create_jail(j) < 0)
307 return -1;
308 if (iflag)
309 printf("%d\n", j->jid);
310 if (verbose >= 0 && (j->name || verbose > 0))
311 jail_note(j, "created\n");
312 dep_done(j, DF_LIGHT);
313 }
314 return 0;
315
316 default: ;
317 }
318 /*
319 * Collect exec arguments. Internal commands for network and
320 * mounting build their own argument lists.
321 */
322 comstring = j->comstring;
323 bg = 0;
324 switch (comparam) {
325#ifdef INET
326 case IP__IP4_IFADDR:
327 argc = 0;
328 val = alloca(strlen(comstring->s) + 1);
329 strcpy(val, comstring->s);
330 cs = val;
331 extrap = NULL;
332 while ((p = strchr(cs, ' ')) != NULL && strlen(p) > 1) {
333 if (extrap == NULL) {
334 *p = '\0';
335 extrap = p + 1;
336 }
337 cs = p + 1;
338 argc++;
339 }
340
341 argv = alloca((8 + argc) * sizeof(char *));
342 argv[0] = _PATH_IFCONFIG;
343 if ((cs = strchr(val, '|'))) {
344 argv[1] = acs = alloca(cs - val + 1);
345 strlcpy(acs, val, cs - val + 1);
346 addr = cs + 1;
347 } else {
348 argv[1] = string_param(j->intparams[IP_INTERFACE]);
349 addr = val;
350 }
351 argv[2] = "inet";
352 if (!(cs = strchr(addr, '/'))) {
353 argv[3] = addr;
354 argv[4] = "netmask";
355 argv[5] = "255.255.255.255";
356 argc = 6;
357 } else if (strchr(cs + 1, '.')) {
358 argv[3] = acs = alloca(cs - addr + 1);
359 strlcpy(acs, addr, cs - addr + 1);
360 argv[4] = "netmask";
361 argv[5] = cs + 1;
362 argc = 6;
363 } else {
364 argv[3] = addr;
365 argc = 4;
366 }
367
368 if (!down) {
369 for (cs = strtok(extrap, " "); cs;
370 cs = strtok(NULL, " ")) {
371 size_t len = strlen(cs) + 1;
372 argv[argc++] = acs = alloca(len);
373 strlcpy(acs, cs, len);
374 }
375 }
376
377 argv[argc] = down ? "-alias" : "alias";
378 argv[argc + 1] = NULL;
379 break;
380#endif
381
382#ifdef INET6
383 case IP__IP6_IFADDR:
384 argc = 0;
385 val = alloca(strlen(comstring->s) + 1);
386 strcpy(val, comstring->s);
387 cs = val;
388 extrap = NULL;
389 while ((p = strchr(cs, ' ')) != NULL && strlen(p) > 1) {
390 if (extrap == NULL) {
391 *p = '\0';
392 extrap = p + 1;
393 }
394 cs = p + 1;
395 argc++;
396 }
397
398 argv = alloca((8 + argc) * sizeof(char *));
399 argv[0] = _PATH_IFCONFIG;
400 if ((cs = strchr(val, '|'))) {
401 argv[1] = acs = alloca(cs - val + 1);
402 strlcpy(acs, val, cs - val + 1);
403 addr = cs + 1;
404 } else {
405 argv[1] = string_param(j->intparams[IP_INTERFACE]);
406 addr = val;
407 }
408 argv[2] = "inet6";
409 argv[3] = addr;
410 if (!(cs = strchr(addr, '/'))) {
411 argv[4] = "prefixlen";
412 argv[5] = "128";
413 argc = 6;
414 } else
415 argc = 4;
416
417 if (!down) {
418 for (cs = strtok(extrap, " "); cs;
419 cs = strtok(NULL, " ")) {
420 size_t len = strlen(cs) + 1;
421 argv[argc++] = acs = alloca(len);
422 strlcpy(acs, cs, len);
423 }
424 }
425
426 argv[argc] = down ? "-alias" : "alias";
427 argv[argc + 1] = NULL;
428 break;
429#endif
430
431 case IP_VNET_INTERFACE:
432 argv = alloca(5 * sizeof(char *));
433 argv[0] = _PATH_IFCONFIG;
434 argv[1] = comstring->s;
435 argv[2] = down ? "-vnet" : "vnet";
436 jidstr = string_param(j->intparams[KP_JID]);
437 argv[3] = jidstr ? jidstr : string_param(j->intparams[KP_NAME]);
438 argv[4] = NULL;
439 break;
440
441 case IP_MOUNT:
442 case IP__MOUNT_FROM_FSTAB:
443 argv = alloca(8 * sizeof(char *));
444 comcs = alloca(comstring->len + 1);
445 strcpy(comcs, comstring->s);
446 argc = 0;
447 for (cs = strtok(comcs, " \t\f\v\r\n"); cs && argc < 4;
448 cs = strtok(NULL, " \t\f\v\r\n")) {
449 if (argc <= 1 && strunvis(cs, cs) < 0) {
450 jail_warnx(j, "%s: %s: fstab parse error",
451 j->intparams[comparam]->name, comstring->s);
452 return -1;
453 }
454 argv[argc++] = cs;
455 }
456 if (argc == 0)
457 return 0;
458 if (argc < 3) {
459 jail_warnx(j, "%s: %s: missing information",
460 j->intparams[comparam]->name, comstring->s);
461 return -1;
462 }
463 if (check_path(j, j->intparams[comparam]->name, argv[1], 0,
464 down ? argv[2] : NULL) < 0)
465 return -1;
466 if (down) {
467 argv[4] = NULL;
468 argv[3] = argv[1];
469 argv[0] = "/sbin/umount";
470 } else {
471 if (argc == 4) {
472 argv[7] = NULL;
473 argv[6] = argv[1];
474 argv[5] = argv[0];
475 argv[4] = argv[3];
476 argv[3] = "-o";
477 } else {
478 argv[5] = NULL;
479 argv[4] = argv[1];
480 argv[3] = argv[0];
481 }
482 argv[0] = _PATH_MOUNT;
483 }
484 argv[1] = "-t";
485 break;
486
487 case IP_MOUNT_DEVFS:
488 argv = alloca(7 * sizeof(char *));
489 path = string_param(j->intparams[KP_PATH]);
490 if (path == NULL) {
491 jail_warnx(j, "mount.devfs: no path");
492 return -1;
493 }
494 devpath = alloca(strlen(path) + 5);
495 sprintf(devpath, "%s/dev", path);
496 if (check_path(j, "mount.devfs", devpath, 0,
497 down ? "devfs" : NULL) < 0)
498 return -1;
499 if (down) {
500 argv[0] = "/sbin/umount";
501 argv[1] = devpath;
502 argv[2] = NULL;
503 } else {
504 argv[0] = _PATH_MOUNT;
505 argv[1] = "-t";
506 argv[2] = "devfs";
507 ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
508 if (!ruleset)
509 ruleset = "4"; /* devfsrules_jail */
510 argv[3] = acs = alloca(11 + strlen(ruleset));
511 sprintf(acs, "-oruleset=%s", ruleset);
512 argv[4] = ".";
513 argv[5] = devpath;
514 argv[6] = NULL;
515 }
516 break;
517
518 case IP_MOUNT_FDESCFS:
519 argv = alloca(7 * sizeof(char *));
520 path = string_param(j->intparams[KP_PATH]);
521 if (path == NULL) {
522 jail_warnx(j, "mount.fdescfs: no path");
523 return -1;
524 }
525 devpath = alloca(strlen(path) + 8);
526 sprintf(devpath, "%s/dev/fd", path);
527 if (check_path(j, "mount.fdescfs", devpath, 0,
528 down ? "fdescfs" : NULL) < 0)
529 return -1;
530 if (down) {
531 argv[0] = "/sbin/umount";
532 argv[1] = devpath;
533 argv[2] = NULL;
534 } else {
535 argv[0] = _PATH_MOUNT;
536 argv[1] = "-t";
537 argv[2] = "fdescfs";
538 argv[3] = ".";
539 argv[4] = devpath;
540 argv[5] = NULL;
541 }
542 break;
543
544 case IP_MOUNT_PROCFS:
545 argv = alloca(7 * sizeof(char *));
546 path = string_param(j->intparams[KP_PATH]);
547 if (path == NULL) {
548 jail_warnx(j, "mount.procfs: no path");
549 return -1;
550 }
551 devpath = alloca(strlen(path) + 6);
552 sprintf(devpath, "%s/proc", path);
553 if (check_path(j, "mount.procfs", devpath, 0,
554 down ? "procfs" : NULL) < 0)
555 return -1;
556 if (down) {
557 argv[0] = "/sbin/umount";
558 argv[1] = devpath;
559 argv[2] = NULL;
560 } else {
561 argv[0] = _PATH_MOUNT;
562 argv[1] = "-t";
563 argv[2] = "procfs";
564 argv[3] = ".";
565 argv[4] = devpath;
566 argv[5] = NULL;
567 }
568 break;
569
570 case IP_COMMAND:
571 if (j->name != NULL)
572 goto default_command;
573 argc = 0;
574 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
575 argc++;
576 argv = alloca((argc + 1) * sizeof(char *));
577 argc = 0;
578 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
579 argv[argc++] = s->s;
580 argv[argc] = NULL;
581 j->comstring = &dummystring;
582 break;
583
584 default:
585 default_command:
586 if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) &&
587 !(cs[0] == '&' && cs[1] == '\0')) {
588 argv = alloca(4 * sizeof(char *));
589 argv[0] = _PATH_BSHELL;
590 argv[1] = "-c";
591 argv[2] = comstring->s;
592 argv[3] = NULL;
593 } else {
594 if (cs) {
595 *cs = 0;
596 bg = 1;
597 }
598 comcs = alloca(comstring->len + 1);
599 strcpy(comcs, comstring->s);
600 argc = 0;
601 for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
602 cs = strtok(NULL, " \t\f\v\r\n"))
603 argc++;
604 argv = alloca((argc + 1) * sizeof(char *));
605 strcpy(comcs, comstring->s);
606 argc = 0;
607 for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
608 cs = strtok(NULL, " \t\f\v\r\n"))
609 argv[argc++] = cs;
610 argv[argc] = NULL;
611 }
612 }
613 if (argv[0] == NULL)
614 return 0;
615
616 if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) &&
617 timeout != 0) {
618 clock_gettime(CLOCK_REALTIME, &j->timeout);
619 j->timeout.tv_sec += timeout;
620 } else
621 j->timeout.tv_sec = 0;
622
623 injail = comparam == IP_EXEC_START || comparam == IP_COMMAND ||
624 comparam == IP_EXEC_STOP;
625 clean = bool_param(j->intparams[IP_EXEC_CLEAN]);
626 username = string_param(j->intparams[injail
627 ? IP_EXEC_JAIL_USER : IP_EXEC_SYSTEM_USER]);
628 sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]);
629
630 consfd = 0;
631 if (injail &&
632 (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) {
633 if (check_path(j, "exec.consolelog", conslog, 1, NULL) < 0)
634 return -1;
635 consfd =
636 open(conslog, O_WRONLY | O_CREAT | O_APPEND, DEFFILEMODE);
637 if (consfd < 0) {
638 jail_warnx(j, "open %s: %s", conslog, strerror(errno));
639 return -1;
640 }
641 }
642
643 comlen = 0;
644 for (i = 0; argv[i]; i++)
645 comlen += strlen(argv[i]) + 1;
646 j->comline = cs = emalloc(comlen);
647 for (i = 0; argv[i]; i++) {
648 strcpy(cs, argv[i]);
649 if (argv[i + 1]) {
650 cs += strlen(argv[i]) + 1;
651 cs[-1] = ' ';
652 }
653 }
654 if (verbose > 0)
655 jail_note(j, "run command%s%s%s: %s\n",
656 injail ? " in jail" : "", username ? " as " : "",
657 username ? username : "", j->comline);
658
659 pid = fork();
660 if (pid < 0)
661 err(1, "fork");
662 if (pid > 0) {
663 if (bg || !add_proc(j, pid)) {
664 free(j->comline);
665 j->comline = NULL;
666 return 0;
667 } else {
668 paralimit--;
669 return 1;
670 }
671 }
672 if (bg)
673 setsid();
674
675 /* Set up the environment and run the command */
676 pwd = NULL;
677 lcap = NULL;
678 if ((clean || username) && injail && sjuser &&
679 get_user_info(j, username, &pwd, &lcap) < 0)
680 exit(1);
681 if (injail) {
682 /* jail_attach won't chdir along with its chroot. */
683 path = string_param(j->intparams[KP_PATH]);
684 if (path && chdir(path) < 0) {
685 jail_warnx(j, "chdir %s: %s", path, strerror(errno));
686 exit(1);
687 }
688 if (int_param(j->intparams[IP_EXEC_FIB], &fib) &&
689 setfib(fib) < 0) {
690 jail_warnx(j, "setfib: %s", strerror(errno));
691 exit(1);
692 }
693 if (jail_attach(j->jid) < 0) {
694 jail_warnx(j, "jail_attach: %s", strerror(errno));
695 exit(1);
696 }
697 }
698 if (clean || username) {
699 if (!(injail && sjuser) &&
700 get_user_info(j, username, &pwd, &lcap) < 0)
701 exit(1);
702 if (clean) {
703 term = getenv("TERM");
704 environ = &cleanenv;
705 setenv("PATH", "/bin:/usr/bin", 0);
706 if (term != NULL)
707 setenv("TERM", term, 1);
708 }
709 if (setgid(pwd->pw_gid) < 0) {
710 jail_warnx(j, "setgid %d: %s", pwd->pw_gid,
711 strerror(errno));
712 exit(1);
713 }
714 if (setusercontext(lcap, pwd, pwd->pw_uid, username
715 ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN
716 : LOGIN_SETPATH | LOGIN_SETENV) < 0) {
717 jail_warnx(j, "setusercontext %s: %s", pwd->pw_name,
718 strerror(errno));
719 exit(1);
720 }
721 login_close(lcap);
722 setenv("USER", pwd->pw_name, 1);
723 setenv("HOME", pwd->pw_dir, 1);
724 setenv("SHELL",
725 *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
726 if (clean && chdir(pwd->pw_dir) < 0) {
727 jail_warnx(j, "chdir %s: %s",
728 pwd->pw_dir, strerror(errno));
729 exit(1);
730 }
731 endpwent();
732 }
733
734 if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) {
735 jail_warnx(j, "exec.consolelog: %s", strerror(errno));
736 exit(1);
737 }
738 closefrom(3);
739 execvp(argv[0], __DECONST(char *const*, argv));
740 jail_warnx(j, "exec %s: %s", argv[0], strerror(errno));
741 exit(1);
742}
743
744/*
745 * Add a process to the hash, tied to a jail.
746 */
747static int
748add_proc(struct cfjail *j, pid_t pid)
749{
750 struct kevent ke;
751 struct cfjail *tj;
752 struct phash *ph;
753
754 if (!kq && (kq = kqueue()) < 0)
755 err(1, "kqueue");
756 EV_SET(&ke, pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
757 if (kevent(kq, &ke, 1, NULL, 0, NULL) < 0) {
758 if (errno == ESRCH)
759 return 0;
760 err(1, "kevent");
761 }
762 ph = emalloc(sizeof(struct phash));
763 ph->j = j;
764 ph->pid = pid;
765 LIST_INSERT_HEAD(&phash[pid % PHASH_SIZE], ph, le);
766 j->nprocs++;
767 j->flags |= JF_SLEEPQ;
768 if (j->timeout.tv_sec == 0)
769 requeue(j, &sleeping);
770 else {
771 /* File the jail in the sleep queue according to its timeout. */
772 TAILQ_REMOVE(j->queue, j, tq);
773 TAILQ_FOREACH(tj, &sleeping, tq) {
774 if (!tj->timeout.tv_sec ||
775 j->timeout.tv_sec < tj->timeout.tv_sec ||
776 (j->timeout.tv_sec == tj->timeout.tv_sec &&
777 j->timeout.tv_nsec <= tj->timeout.tv_nsec)) {
778 TAILQ_INSERT_BEFORE(tj, j, tq);
779 break;
780 }
781 }
782 if (tj == NULL)
783 TAILQ_INSERT_TAIL(&sleeping, j, tq);
784 j->queue = &sleeping;
785 }
786 return 1;
787}
788
789/*
790 * Remove any processes from the hash that correspond to a jail.
791 */
792static void
793clear_procs(struct cfjail *j)
794{
795 struct kevent ke;
796 struct phash *ph, *tph;
797 int i;
798
799 j->nprocs = 0;
800 for (i = 0; i < PHASH_SIZE; i++)
801 LIST_FOREACH_SAFE(ph, &phash[i], le, tph)
802 if (ph->j == j) {
803 EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE,
804 NOTE_EXIT, 0, NULL);
805 (void)kevent(kq, &ke, 1, NULL, 0, NULL);
806 LIST_REMOVE(ph, le);
807 free(ph);
808 }
809}
810
811/*
812 * Find the jail that corresponds to an exited process.
813 */
814static struct cfjail *
815find_proc(pid_t pid)
816{
817 struct cfjail *j;
818 struct phash *ph;
819
820 LIST_FOREACH(ph, &phash[pid % PHASH_SIZE], le)
821 if (ph->pid == pid) {
822 j = ph->j;
823 LIST_REMOVE(ph, le);
824 free(ph);
825 return --j->nprocs ? NULL : j;
826 }
827 return NULL;
828}
829
830/*
831 * Send SIGTERM to all processes in a jail and wait for them to die.
832 */
833static int
834term_procs(struct cfjail *j)
835{
836 struct kinfo_proc *ki;
837 int i, noted, pcnt, timeout;
838
839 static kvm_t *kd;
840
841 if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout))
842 timeout = DEFAULT_STOP_TIMEOUT;
843 else if (timeout == 0)
844 return 0;
845
846 if (kd == NULL) {
847 kd = kvm_open(NULL, NULL, NULL, O_RDONLY, NULL);
848 if (kd == NULL)
849 return 0;
850 }
851
852 ki = kvm_getprocs(kd, KERN_PROC_PROC, 0, &pcnt);
853 if (ki == NULL)
854 return 0;
855 noted = 0;
856 for (i = 0; i < pcnt; i++)
857 if (ki[i].ki_jid == j->jid &&
858 kill(ki[i].ki_pid, SIGTERM) == 0) {
859 (void)add_proc(j, ki[i].ki_pid);
860 if (verbose > 0) {
861 if (!noted) {
862 noted = 1;
863 jail_note(j, "sent SIGTERM to:");
864 }
865 printf(" %d", ki[i].ki_pid);
866 }
867 }
868 if (noted)
869 printf("\n");
870 if (j->nprocs > 0) {
871 clock_gettime(CLOCK_REALTIME, &j->timeout);
872 j->timeout.tv_sec += timeout;
873 return 1;
874 }
875 return 0;
876}
877
878/*
879 * Look up a user in the passwd and login.conf files.
880 */
881static int
882get_user_info(struct cfjail *j, const char *username,
883 const struct passwd **pwdp, login_cap_t **lcapp)
884{
885 const struct passwd *pwd;
886
887 errno = 0;
888 *pwdp = pwd = username ? getpwnam(username) : getpwuid(getuid());
889 if (pwd == NULL) {
890 if (errno)
891 jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "",
892 username ? username : "", strerror(errno));
893 else if (username)
894 jail_warnx(j, "%s: no such user", username);
895 else
896 jail_warnx(j, "unknown uid %d", getuid());
897 return -1;
898 }
899 *lcapp = login_getpwclass(pwd);
900 if (*lcapp == NULL) {
901 jail_warnx(j, "getpwclass %s: %s", pwd->pw_name,
902 strerror(errno));
903 return -1;
904 }
905 /* Set the groups while the group file is still available */
906 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
907 jail_warnx(j, "initgroups %s: %s", pwd->pw_name,
908 strerror(errno));
909 return -1;
910 }
911 return 0;
912}
913
914/*
915 * Make sure a mount or consolelog path is a valid absolute pathname
916 * with no symlinks.
917 */
918static int
919check_path(struct cfjail *j, const char *pname, const char *path, int isfile,
920 const char *umount_type)
921{
922 struct stat st, mpst;
923 struct statfs stfs;
924 char *tpath, *p;
925 const char *jailpath;
926 size_t jplen;
927
928 if (path[0] != '/') {
929 jail_warnx(j, "%s: %s: not an absolute pathname",
930 pname, path);
931 return -1;
932 }
933 /*
934 * Only check for symlinks in components below the jail's path,
935 * since that's where the security risk lies.
936 */
937 jailpath = string_param(j->intparams[KP_PATH]);
938 if (jailpath == NULL)
939 jailpath = "";
940 jplen = strlen(jailpath);
941 if (!strncmp(path, jailpath, jplen) && path[jplen] == '/') {
942 tpath = alloca(strlen(path) + 1);
943 strcpy(tpath, path);
944 for (p = tpath + jplen; p != NULL; ) {
945 p = strchr(p + 1, '/');
946 if (p)
947 *p = '\0';
948 if (lstat(tpath, &st) < 0) {
949 if (errno == ENOENT && isfile && !p)
950 break;
951 jail_warnx(j, "%s: %s: %s", pname, tpath,
952 strerror(errno));
953 return -1;
954 }
955 if (S_ISLNK(st.st_mode)) {
956 jail_warnx(j, "%s: %s is a symbolic link",
957 pname, tpath);
958 return -1;
959 }
960 if (p)
961 *p = '/';
962 }
963 }
964 if (umount_type != NULL) {
965 if (stat(path, &st) < 0 || statfs(path, &stfs) < 0) {
966 jail_warnx(j, "%s: %s: %s", pname, path,
967 strerror(errno));
968 return -1;
969 }
970 if (stat(stfs.f_mntonname, &mpst) < 0) {
971 jail_warnx(j, "%s: %s: %s", pname, stfs.f_mntonname,
972 strerror(errno));
973 return -1;
974 }
975 if (st.st_ino != mpst.st_ino) {
976 jail_warnx(j, "%s: %s: not a mount point",
977 pname, path);
978 return -1;
979 }
980 if (strcmp(stfs.f_fstypename, umount_type)) {
981 jail_warnx(j, "%s: %s: not a %s mount",
982 pname, path, umount_type);
983 return -1;
984 }
985 }
986 return 0;
987}
270 */
271static int
272run_command(struct cfjail *j)
273{
274 const struct passwd *pwd;
275 const struct cfstring *comstring, *s;
276 login_cap_t *lcap;
277 const char **argv;
278 char *acs, *cs, *comcs, *devpath;
279 const char *jidstr, *conslog, *path, *ruleset, *term, *username;
280 enum intparam comparam;
281 size_t comlen;
282 pid_t pid;
283 int argc, bg, clean, consfd, down, fib, i, injail, sjuser, timeout;
284#if defined(INET) || defined(INET6)
285 char *addr, *extrap, *p, *val;
286#endif
287
288 static char *cleanenv;
289
290 /* Perform some operations that aren't actually commands */
291 comparam = *j->comparam;
292 down = j->flags & (JF_STOP | JF_FAILED);
293 switch (comparam) {
294 case IP_STOP_TIMEOUT:
295 return term_procs(j);
296
297 case IP__OP:
298 if (down) {
299 if (jail_remove(j->jid) < 0 && errno == EPERM) {
300 jail_warnx(j, "jail_remove: %s",
301 strerror(errno));
302 return -1;
303 }
304 if (verbose > 0 || (verbose == 0 && (j->flags & JF_STOP
305 ? note_remove : j->name != NULL)))
306 jail_note(j, "removed\n");
307 j->jid = -1;
308 if (j->flags & JF_STOP)
309 dep_done(j, DF_LIGHT);
310 else
311 j->flags &= ~JF_PERSIST;
312 } else {
313 if (create_jail(j) < 0)
314 return -1;
315 if (iflag)
316 printf("%d\n", j->jid);
317 if (verbose >= 0 && (j->name || verbose > 0))
318 jail_note(j, "created\n");
319 dep_done(j, DF_LIGHT);
320 }
321 return 0;
322
323 default: ;
324 }
325 /*
326 * Collect exec arguments. Internal commands for network and
327 * mounting build their own argument lists.
328 */
329 comstring = j->comstring;
330 bg = 0;
331 switch (comparam) {
332#ifdef INET
333 case IP__IP4_IFADDR:
334 argc = 0;
335 val = alloca(strlen(comstring->s) + 1);
336 strcpy(val, comstring->s);
337 cs = val;
338 extrap = NULL;
339 while ((p = strchr(cs, ' ')) != NULL && strlen(p) > 1) {
340 if (extrap == NULL) {
341 *p = '\0';
342 extrap = p + 1;
343 }
344 cs = p + 1;
345 argc++;
346 }
347
348 argv = alloca((8 + argc) * sizeof(char *));
349 argv[0] = _PATH_IFCONFIG;
350 if ((cs = strchr(val, '|'))) {
351 argv[1] = acs = alloca(cs - val + 1);
352 strlcpy(acs, val, cs - val + 1);
353 addr = cs + 1;
354 } else {
355 argv[1] = string_param(j->intparams[IP_INTERFACE]);
356 addr = val;
357 }
358 argv[2] = "inet";
359 if (!(cs = strchr(addr, '/'))) {
360 argv[3] = addr;
361 argv[4] = "netmask";
362 argv[5] = "255.255.255.255";
363 argc = 6;
364 } else if (strchr(cs + 1, '.')) {
365 argv[3] = acs = alloca(cs - addr + 1);
366 strlcpy(acs, addr, cs - addr + 1);
367 argv[4] = "netmask";
368 argv[5] = cs + 1;
369 argc = 6;
370 } else {
371 argv[3] = addr;
372 argc = 4;
373 }
374
375 if (!down) {
376 for (cs = strtok(extrap, " "); cs;
377 cs = strtok(NULL, " ")) {
378 size_t len = strlen(cs) + 1;
379 argv[argc++] = acs = alloca(len);
380 strlcpy(acs, cs, len);
381 }
382 }
383
384 argv[argc] = down ? "-alias" : "alias";
385 argv[argc + 1] = NULL;
386 break;
387#endif
388
389#ifdef INET6
390 case IP__IP6_IFADDR:
391 argc = 0;
392 val = alloca(strlen(comstring->s) + 1);
393 strcpy(val, comstring->s);
394 cs = val;
395 extrap = NULL;
396 while ((p = strchr(cs, ' ')) != NULL && strlen(p) > 1) {
397 if (extrap == NULL) {
398 *p = '\0';
399 extrap = p + 1;
400 }
401 cs = p + 1;
402 argc++;
403 }
404
405 argv = alloca((8 + argc) * sizeof(char *));
406 argv[0] = _PATH_IFCONFIG;
407 if ((cs = strchr(val, '|'))) {
408 argv[1] = acs = alloca(cs - val + 1);
409 strlcpy(acs, val, cs - val + 1);
410 addr = cs + 1;
411 } else {
412 argv[1] = string_param(j->intparams[IP_INTERFACE]);
413 addr = val;
414 }
415 argv[2] = "inet6";
416 argv[3] = addr;
417 if (!(cs = strchr(addr, '/'))) {
418 argv[4] = "prefixlen";
419 argv[5] = "128";
420 argc = 6;
421 } else
422 argc = 4;
423
424 if (!down) {
425 for (cs = strtok(extrap, " "); cs;
426 cs = strtok(NULL, " ")) {
427 size_t len = strlen(cs) + 1;
428 argv[argc++] = acs = alloca(len);
429 strlcpy(acs, cs, len);
430 }
431 }
432
433 argv[argc] = down ? "-alias" : "alias";
434 argv[argc + 1] = NULL;
435 break;
436#endif
437
438 case IP_VNET_INTERFACE:
439 argv = alloca(5 * sizeof(char *));
440 argv[0] = _PATH_IFCONFIG;
441 argv[1] = comstring->s;
442 argv[2] = down ? "-vnet" : "vnet";
443 jidstr = string_param(j->intparams[KP_JID]);
444 argv[3] = jidstr ? jidstr : string_param(j->intparams[KP_NAME]);
445 argv[4] = NULL;
446 break;
447
448 case IP_MOUNT:
449 case IP__MOUNT_FROM_FSTAB:
450 argv = alloca(8 * sizeof(char *));
451 comcs = alloca(comstring->len + 1);
452 strcpy(comcs, comstring->s);
453 argc = 0;
454 for (cs = strtok(comcs, " \t\f\v\r\n"); cs && argc < 4;
455 cs = strtok(NULL, " \t\f\v\r\n")) {
456 if (argc <= 1 && strunvis(cs, cs) < 0) {
457 jail_warnx(j, "%s: %s: fstab parse error",
458 j->intparams[comparam]->name, comstring->s);
459 return -1;
460 }
461 argv[argc++] = cs;
462 }
463 if (argc == 0)
464 return 0;
465 if (argc < 3) {
466 jail_warnx(j, "%s: %s: missing information",
467 j->intparams[comparam]->name, comstring->s);
468 return -1;
469 }
470 if (check_path(j, j->intparams[comparam]->name, argv[1], 0,
471 down ? argv[2] : NULL) < 0)
472 return -1;
473 if (down) {
474 argv[4] = NULL;
475 argv[3] = argv[1];
476 argv[0] = "/sbin/umount";
477 } else {
478 if (argc == 4) {
479 argv[7] = NULL;
480 argv[6] = argv[1];
481 argv[5] = argv[0];
482 argv[4] = argv[3];
483 argv[3] = "-o";
484 } else {
485 argv[5] = NULL;
486 argv[4] = argv[1];
487 argv[3] = argv[0];
488 }
489 argv[0] = _PATH_MOUNT;
490 }
491 argv[1] = "-t";
492 break;
493
494 case IP_MOUNT_DEVFS:
495 argv = alloca(7 * sizeof(char *));
496 path = string_param(j->intparams[KP_PATH]);
497 if (path == NULL) {
498 jail_warnx(j, "mount.devfs: no path");
499 return -1;
500 }
501 devpath = alloca(strlen(path) + 5);
502 sprintf(devpath, "%s/dev", path);
503 if (check_path(j, "mount.devfs", devpath, 0,
504 down ? "devfs" : NULL) < 0)
505 return -1;
506 if (down) {
507 argv[0] = "/sbin/umount";
508 argv[1] = devpath;
509 argv[2] = NULL;
510 } else {
511 argv[0] = _PATH_MOUNT;
512 argv[1] = "-t";
513 argv[2] = "devfs";
514 ruleset = string_param(j->intparams[KP_DEVFS_RULESET]);
515 if (!ruleset)
516 ruleset = "4"; /* devfsrules_jail */
517 argv[3] = acs = alloca(11 + strlen(ruleset));
518 sprintf(acs, "-oruleset=%s", ruleset);
519 argv[4] = ".";
520 argv[5] = devpath;
521 argv[6] = NULL;
522 }
523 break;
524
525 case IP_MOUNT_FDESCFS:
526 argv = alloca(7 * sizeof(char *));
527 path = string_param(j->intparams[KP_PATH]);
528 if (path == NULL) {
529 jail_warnx(j, "mount.fdescfs: no path");
530 return -1;
531 }
532 devpath = alloca(strlen(path) + 8);
533 sprintf(devpath, "%s/dev/fd", path);
534 if (check_path(j, "mount.fdescfs", devpath, 0,
535 down ? "fdescfs" : NULL) < 0)
536 return -1;
537 if (down) {
538 argv[0] = "/sbin/umount";
539 argv[1] = devpath;
540 argv[2] = NULL;
541 } else {
542 argv[0] = _PATH_MOUNT;
543 argv[1] = "-t";
544 argv[2] = "fdescfs";
545 argv[3] = ".";
546 argv[4] = devpath;
547 argv[5] = NULL;
548 }
549 break;
550
551 case IP_MOUNT_PROCFS:
552 argv = alloca(7 * sizeof(char *));
553 path = string_param(j->intparams[KP_PATH]);
554 if (path == NULL) {
555 jail_warnx(j, "mount.procfs: no path");
556 return -1;
557 }
558 devpath = alloca(strlen(path) + 6);
559 sprintf(devpath, "%s/proc", path);
560 if (check_path(j, "mount.procfs", devpath, 0,
561 down ? "procfs" : NULL) < 0)
562 return -1;
563 if (down) {
564 argv[0] = "/sbin/umount";
565 argv[1] = devpath;
566 argv[2] = NULL;
567 } else {
568 argv[0] = _PATH_MOUNT;
569 argv[1] = "-t";
570 argv[2] = "procfs";
571 argv[3] = ".";
572 argv[4] = devpath;
573 argv[5] = NULL;
574 }
575 break;
576
577 case IP_COMMAND:
578 if (j->name != NULL)
579 goto default_command;
580 argc = 0;
581 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
582 argc++;
583 argv = alloca((argc + 1) * sizeof(char *));
584 argc = 0;
585 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq)
586 argv[argc++] = s->s;
587 argv[argc] = NULL;
588 j->comstring = &dummystring;
589 break;
590
591 default:
592 default_command:
593 if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) &&
594 !(cs[0] == '&' && cs[1] == '\0')) {
595 argv = alloca(4 * sizeof(char *));
596 argv[0] = _PATH_BSHELL;
597 argv[1] = "-c";
598 argv[2] = comstring->s;
599 argv[3] = NULL;
600 } else {
601 if (cs) {
602 *cs = 0;
603 bg = 1;
604 }
605 comcs = alloca(comstring->len + 1);
606 strcpy(comcs, comstring->s);
607 argc = 0;
608 for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
609 cs = strtok(NULL, " \t\f\v\r\n"))
610 argc++;
611 argv = alloca((argc + 1) * sizeof(char *));
612 strcpy(comcs, comstring->s);
613 argc = 0;
614 for (cs = strtok(comcs, " \t\f\v\r\n"); cs;
615 cs = strtok(NULL, " \t\f\v\r\n"))
616 argv[argc++] = cs;
617 argv[argc] = NULL;
618 }
619 }
620 if (argv[0] == NULL)
621 return 0;
622
623 if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) &&
624 timeout != 0) {
625 clock_gettime(CLOCK_REALTIME, &j->timeout);
626 j->timeout.tv_sec += timeout;
627 } else
628 j->timeout.tv_sec = 0;
629
630 injail = comparam == IP_EXEC_START || comparam == IP_COMMAND ||
631 comparam == IP_EXEC_STOP;
632 clean = bool_param(j->intparams[IP_EXEC_CLEAN]);
633 username = string_param(j->intparams[injail
634 ? IP_EXEC_JAIL_USER : IP_EXEC_SYSTEM_USER]);
635 sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]);
636
637 consfd = 0;
638 if (injail &&
639 (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) {
640 if (check_path(j, "exec.consolelog", conslog, 1, NULL) < 0)
641 return -1;
642 consfd =
643 open(conslog, O_WRONLY | O_CREAT | O_APPEND, DEFFILEMODE);
644 if (consfd < 0) {
645 jail_warnx(j, "open %s: %s", conslog, strerror(errno));
646 return -1;
647 }
648 }
649
650 comlen = 0;
651 for (i = 0; argv[i]; i++)
652 comlen += strlen(argv[i]) + 1;
653 j->comline = cs = emalloc(comlen);
654 for (i = 0; argv[i]; i++) {
655 strcpy(cs, argv[i]);
656 if (argv[i + 1]) {
657 cs += strlen(argv[i]) + 1;
658 cs[-1] = ' ';
659 }
660 }
661 if (verbose > 0)
662 jail_note(j, "run command%s%s%s: %s\n",
663 injail ? " in jail" : "", username ? " as " : "",
664 username ? username : "", j->comline);
665
666 pid = fork();
667 if (pid < 0)
668 err(1, "fork");
669 if (pid > 0) {
670 if (bg || !add_proc(j, pid)) {
671 free(j->comline);
672 j->comline = NULL;
673 return 0;
674 } else {
675 paralimit--;
676 return 1;
677 }
678 }
679 if (bg)
680 setsid();
681
682 /* Set up the environment and run the command */
683 pwd = NULL;
684 lcap = NULL;
685 if ((clean || username) && injail && sjuser &&
686 get_user_info(j, username, &pwd, &lcap) < 0)
687 exit(1);
688 if (injail) {
689 /* jail_attach won't chdir along with its chroot. */
690 path = string_param(j->intparams[KP_PATH]);
691 if (path && chdir(path) < 0) {
692 jail_warnx(j, "chdir %s: %s", path, strerror(errno));
693 exit(1);
694 }
695 if (int_param(j->intparams[IP_EXEC_FIB], &fib) &&
696 setfib(fib) < 0) {
697 jail_warnx(j, "setfib: %s", strerror(errno));
698 exit(1);
699 }
700 if (jail_attach(j->jid) < 0) {
701 jail_warnx(j, "jail_attach: %s", strerror(errno));
702 exit(1);
703 }
704 }
705 if (clean || username) {
706 if (!(injail && sjuser) &&
707 get_user_info(j, username, &pwd, &lcap) < 0)
708 exit(1);
709 if (clean) {
710 term = getenv("TERM");
711 environ = &cleanenv;
712 setenv("PATH", "/bin:/usr/bin", 0);
713 if (term != NULL)
714 setenv("TERM", term, 1);
715 }
716 if (setgid(pwd->pw_gid) < 0) {
717 jail_warnx(j, "setgid %d: %s", pwd->pw_gid,
718 strerror(errno));
719 exit(1);
720 }
721 if (setusercontext(lcap, pwd, pwd->pw_uid, username
722 ? LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN
723 : LOGIN_SETPATH | LOGIN_SETENV) < 0) {
724 jail_warnx(j, "setusercontext %s: %s", pwd->pw_name,
725 strerror(errno));
726 exit(1);
727 }
728 login_close(lcap);
729 setenv("USER", pwd->pw_name, 1);
730 setenv("HOME", pwd->pw_dir, 1);
731 setenv("SHELL",
732 *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1);
733 if (clean && chdir(pwd->pw_dir) < 0) {
734 jail_warnx(j, "chdir %s: %s",
735 pwd->pw_dir, strerror(errno));
736 exit(1);
737 }
738 endpwent();
739 }
740
741 if (consfd != 0 && (dup2(consfd, 1) < 0 || dup2(consfd, 2) < 0)) {
742 jail_warnx(j, "exec.consolelog: %s", strerror(errno));
743 exit(1);
744 }
745 closefrom(3);
746 execvp(argv[0], __DECONST(char *const*, argv));
747 jail_warnx(j, "exec %s: %s", argv[0], strerror(errno));
748 exit(1);
749}
750
751/*
752 * Add a process to the hash, tied to a jail.
753 */
754static int
755add_proc(struct cfjail *j, pid_t pid)
756{
757 struct kevent ke;
758 struct cfjail *tj;
759 struct phash *ph;
760
761 if (!kq && (kq = kqueue()) < 0)
762 err(1, "kqueue");
763 EV_SET(&ke, pid, EVFILT_PROC, EV_ADD, NOTE_EXIT, 0, NULL);
764 if (kevent(kq, &ke, 1, NULL, 0, NULL) < 0) {
765 if (errno == ESRCH)
766 return 0;
767 err(1, "kevent");
768 }
769 ph = emalloc(sizeof(struct phash));
770 ph->j = j;
771 ph->pid = pid;
772 LIST_INSERT_HEAD(&phash[pid % PHASH_SIZE], ph, le);
773 j->nprocs++;
774 j->flags |= JF_SLEEPQ;
775 if (j->timeout.tv_sec == 0)
776 requeue(j, &sleeping);
777 else {
778 /* File the jail in the sleep queue according to its timeout. */
779 TAILQ_REMOVE(j->queue, j, tq);
780 TAILQ_FOREACH(tj, &sleeping, tq) {
781 if (!tj->timeout.tv_sec ||
782 j->timeout.tv_sec < tj->timeout.tv_sec ||
783 (j->timeout.tv_sec == tj->timeout.tv_sec &&
784 j->timeout.tv_nsec <= tj->timeout.tv_nsec)) {
785 TAILQ_INSERT_BEFORE(tj, j, tq);
786 break;
787 }
788 }
789 if (tj == NULL)
790 TAILQ_INSERT_TAIL(&sleeping, j, tq);
791 j->queue = &sleeping;
792 }
793 return 1;
794}
795
796/*
797 * Remove any processes from the hash that correspond to a jail.
798 */
799static void
800clear_procs(struct cfjail *j)
801{
802 struct kevent ke;
803 struct phash *ph, *tph;
804 int i;
805
806 j->nprocs = 0;
807 for (i = 0; i < PHASH_SIZE; i++)
808 LIST_FOREACH_SAFE(ph, &phash[i], le, tph)
809 if (ph->j == j) {
810 EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE,
811 NOTE_EXIT, 0, NULL);
812 (void)kevent(kq, &ke, 1, NULL, 0, NULL);
813 LIST_REMOVE(ph, le);
814 free(ph);
815 }
816}
817
818/*
819 * Find the jail that corresponds to an exited process.
820 */
821static struct cfjail *
822find_proc(pid_t pid)
823{
824 struct cfjail *j;
825 struct phash *ph;
826
827 LIST_FOREACH(ph, &phash[pid % PHASH_SIZE], le)
828 if (ph->pid == pid) {
829 j = ph->j;
830 LIST_REMOVE(ph, le);
831 free(ph);
832 return --j->nprocs ? NULL : j;
833 }
834 return NULL;
835}
836
837/*
838 * Send SIGTERM to all processes in a jail and wait for them to die.
839 */
840static int
841term_procs(struct cfjail *j)
842{
843 struct kinfo_proc *ki;
844 int i, noted, pcnt, timeout;
845
846 static kvm_t *kd;
847
848 if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout))
849 timeout = DEFAULT_STOP_TIMEOUT;
850 else if (timeout == 0)
851 return 0;
852
853 if (kd == NULL) {
854 kd = kvm_open(NULL, NULL, NULL, O_RDONLY, NULL);
855 if (kd == NULL)
856 return 0;
857 }
858
859 ki = kvm_getprocs(kd, KERN_PROC_PROC, 0, &pcnt);
860 if (ki == NULL)
861 return 0;
862 noted = 0;
863 for (i = 0; i < pcnt; i++)
864 if (ki[i].ki_jid == j->jid &&
865 kill(ki[i].ki_pid, SIGTERM) == 0) {
866 (void)add_proc(j, ki[i].ki_pid);
867 if (verbose > 0) {
868 if (!noted) {
869 noted = 1;
870 jail_note(j, "sent SIGTERM to:");
871 }
872 printf(" %d", ki[i].ki_pid);
873 }
874 }
875 if (noted)
876 printf("\n");
877 if (j->nprocs > 0) {
878 clock_gettime(CLOCK_REALTIME, &j->timeout);
879 j->timeout.tv_sec += timeout;
880 return 1;
881 }
882 return 0;
883}
884
885/*
886 * Look up a user in the passwd and login.conf files.
887 */
888static int
889get_user_info(struct cfjail *j, const char *username,
890 const struct passwd **pwdp, login_cap_t **lcapp)
891{
892 const struct passwd *pwd;
893
894 errno = 0;
895 *pwdp = pwd = username ? getpwnam(username) : getpwuid(getuid());
896 if (pwd == NULL) {
897 if (errno)
898 jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "",
899 username ? username : "", strerror(errno));
900 else if (username)
901 jail_warnx(j, "%s: no such user", username);
902 else
903 jail_warnx(j, "unknown uid %d", getuid());
904 return -1;
905 }
906 *lcapp = login_getpwclass(pwd);
907 if (*lcapp == NULL) {
908 jail_warnx(j, "getpwclass %s: %s", pwd->pw_name,
909 strerror(errno));
910 return -1;
911 }
912 /* Set the groups while the group file is still available */
913 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
914 jail_warnx(j, "initgroups %s: %s", pwd->pw_name,
915 strerror(errno));
916 return -1;
917 }
918 return 0;
919}
920
921/*
922 * Make sure a mount or consolelog path is a valid absolute pathname
923 * with no symlinks.
924 */
925static int
926check_path(struct cfjail *j, const char *pname, const char *path, int isfile,
927 const char *umount_type)
928{
929 struct stat st, mpst;
930 struct statfs stfs;
931 char *tpath, *p;
932 const char *jailpath;
933 size_t jplen;
934
935 if (path[0] != '/') {
936 jail_warnx(j, "%s: %s: not an absolute pathname",
937 pname, path);
938 return -1;
939 }
940 /*
941 * Only check for symlinks in components below the jail's path,
942 * since that's where the security risk lies.
943 */
944 jailpath = string_param(j->intparams[KP_PATH]);
945 if (jailpath == NULL)
946 jailpath = "";
947 jplen = strlen(jailpath);
948 if (!strncmp(path, jailpath, jplen) && path[jplen] == '/') {
949 tpath = alloca(strlen(path) + 1);
950 strcpy(tpath, path);
951 for (p = tpath + jplen; p != NULL; ) {
952 p = strchr(p + 1, '/');
953 if (p)
954 *p = '\0';
955 if (lstat(tpath, &st) < 0) {
956 if (errno == ENOENT && isfile && !p)
957 break;
958 jail_warnx(j, "%s: %s: %s", pname, tpath,
959 strerror(errno));
960 return -1;
961 }
962 if (S_ISLNK(st.st_mode)) {
963 jail_warnx(j, "%s: %s is a symbolic link",
964 pname, tpath);
965 return -1;
966 }
967 if (p)
968 *p = '/';
969 }
970 }
971 if (umount_type != NULL) {
972 if (stat(path, &st) < 0 || statfs(path, &stfs) < 0) {
973 jail_warnx(j, "%s: %s: %s", pname, path,
974 strerror(errno));
975 return -1;
976 }
977 if (stat(stfs.f_mntonname, &mpst) < 0) {
978 jail_warnx(j, "%s: %s: %s", pname, stfs.f_mntonname,
979 strerror(errno));
980 return -1;
981 }
982 if (st.st_ino != mpst.st_ino) {
983 jail_warnx(j, "%s: %s: not a mount point",
984 pname, path);
985 return -1;
986 }
987 if (strcmp(stfs.f_fstypename, umount_type)) {
988 jail_warnx(j, "%s: %s: not a %s mount",
989 pname, path, umount_type);
990 return -1;
991 }
992 }
993 return 0;
994}