jail: Don't allow substitution of valueless jail parameters.
PR: 256544
Reported by: cryptogranny at gmail.com

(cherry picked from commit 5bf6dca2c6dbf63d382e97905e205ded3e8525d2)

Git Hash: 75befde07bdf1e3059c8c5e8928a695e5e59d698
Git Author: jamie@FreeBSD.org

Fix test case header function name

This restores the expected behavior (skip) when running with non-root user

MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D30584

(cherry picked from commit 847b7d505490ae407a5c876e14e7788a4add7737)

Git Hash: bd1139898643dd54529c464e6ff66011d6388b3e
Git Author: sigsys@gmail.com

MFC jail: fix jail(8) synposis and usage message to match reality.

Reported by: yuri
PR: 254741
MFC after: 5 days

(cherry picked from commit 8c1d956ffa0355ece3b63ea8587938176f87f072)

Git Hash: 73b04801b3163417cff33b279f1bc42451f20009
Git Author: jamie@FreeBSD.org

MFC r360040: jail(8): improve manual and usage information
with more clear description for "jail -e" mode
to show that it does not take additional jail name argument.

Reported by: David Marec <david.marec@davenulle.org>

MFC r352263:

[jail] removal by jid doesn't trigger pre/post stop scripts

This commit fixes bug: command "jail -r" didn't trigger pre/post stop
commands (and others) defined in config file if jid is specified insted of
name. Also it adds basic tests for usr.sbin/jail to avoid regression.

Reviewed by: jamie, kevans, ray
Differential Revision: https://reviews.freebsd.org/D21328

MFC r352119-r352124, r352130

Stop linking to libl by specifying we do not need yywrap

MFC: r343164

Clarify error messages a bit.

X-Found-With: r343112
Reviewed by: eugen (implicitly, when r343112 analysis)

MFC r343112: jail(8): stop crashing with SIGSEGV inside run_command()
function while processing not entirely correct jail.conf(5) file
having something like "ip4.addr = 127.0.0.1;" and no "ip4 = ...;"
so extrap variable stays NULL.

Reported by: marck

MFC r340319: jail(8): introduce new command option -e to exhibit
a list of configured non-wildcard jails with their parameters,
no matter running or not.

The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.

MFC r339409, r339420:

Add a new jail permission, allow.read_msgbuf. When true, jailed processes
can see the dmesg buffer (this is the current behavior). When false (the
new default), dmesg will be unavailable to jailed users, whether root or
not.

The security.bsd.unprivileged_read_msgbuf sysctl still works as before,
controlling system-wide whether non-root users can see the buffer.

PR: 211580
Submitted by: bz

MFC r337867:

Don't let clobber jailparam values when checking for modification of
init-only parameters.

PR: 230487
Submitted by: Jason Mader

MFC r326276:

various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.

MFC r316022,r316023:

Fix hexadecimal escape codes in jail.conf(5).

PR: 218154
Submitted by: Masahiro Konishi <mkonishi@sea.plala.or.jp>

MFC r310614: Don't assign rtjp twice.

MFC r302856:

Fix up the order in which jail creation processes are run, to preserve
the config file's order in the non-parallel-start case.

PR: 209112
Approved by: re (gjb)

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

typo

Submitted by: Jimmy Olgeni

usr.sbin: minor spelling fixes on comments.

No functional change.

Clarify when happens when there is a "depend" parameter in jail.conf,
and how this affects the "jail_list" option in rc.conf.

Encapsulate SYSV IPC objects in jails. Define per-module parameters
sysvmsg, sysvsem, and sysvshm, with the following bahavior:

inherit: allow full access to the IPC primitives. This is the same as
the current setup with allow.sysvipc is on. Jails and the base system
can see (and moduly) each other's objects, which is generally considered
a bad thing (though may be useful in some circumstances).

disable: all no access, same as the current setup with allow.sysvipc off.

new: A jail may see use the IPC objects that it has created. It also
gets its own IPC key namespace, so different jails may have their own
objects using the same key value. The parent jail (or base system) can
see the jail's IPC objects, but not its keys.

PR: 48471
Submitted by: based on work by kikuchan98@gmail.com
MFC after: 5 days

Note the existence of module-specific jail paramters, starting with the
linux.* parameters when linux emulation is loaded.

MFC after: 5 days

Make jail(8) interpret escape codes in fstab the same as getfsent(3).

PR: 208663
MFC after: 3 days

Merge the projects/release-pkg branch to head.

This allows packaging the base system with pkg(8), including
but not limited to providing the ability to provide upstream
binary update possibilities for non-tier-1 architectures.

This merge is a requirement of the 11.0-RELEASE, and as such,
thank you to everyone that has tested the project branch.

Documentation in build(7) etc. is still somewhat sparse, but
updates to those parts will follow.

Sponsored by: The FreeBSD Foundation

Final pass through bogus svn:mergeinfo removal.

Note, paths part of 'contrib' were left alone for now.

Sponsored by: The FreeBSD Foundation

Upgrade our copies of clang, llvm, lldb and compiler-rt to 3.8.0
release.

Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11
support to build; see UPDATING for more information.

Release notes for llvm and clang will soon be available here:
<http://llvm.org/releases/3.8.0/docs/ReleaseNotes.html>
<http://llvm.org/releases/3.8.0/tools/clang/docs/ReleaseNotes.html>

Thanks to Ed Maste, Roman Divacky, Davide Italiano and Antoine Brodin
for their help.

Relnotes: yes

DIRDEPS_BUILD: Regenerate without local dependencies.

These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.

Sponsored by: EMC / Isilon Storage Division

Remove man page references to rndassociates.com, which has been taken over
by a domain squatter.

Don't bother checking an ip[46].addr netmask/prefixlen. This is already
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.

PR: 205926
MFC after: 5 days

Clear errno before calling getpw*.

Update dependencies after r291406 added libelf to libkvm.

Unfortunately filemon/meta mode tracks all indirect dependencies here
since ld(1) is reading libelf when linking in libkvm. Churn would be
reduced if this was able to be limited to direct dependencies.

Sponsored by: EMC / Isilon Storage Division

Improve collation string and locales support

Merge collation support from Illumos and DragonflyBSD.

Locales are now generated with the new localedef(1) tool from CLDR POSIX files.
The generated files are now identified as "BSD 1.0" format.

The libc now only read "BSD 1.0" locales definitions, all other version will be
set to "C"
The localedef(1) tool has been imported from Illumos and modified to use tree(3)
instead of the CDDL avl(3)
A set of tool created by edwin@ and extended by marino@ for dragonfly has been
added to be able to generate locales and the Makefiles from the vanilla CLDR
unicode databases + a universal UTF-8 charmap (by marino@)
Update the locales to unicode v27
Given our regex(3) does not support multibyte (yet) it has been forced to always
use locale C
Remove now unused colldef(1) and mklocale(1)
Finish implementing the numeric BSD extension for ctypes
The number of supported locales has grown from 175 to 250 locales. Among the new
locales: 6 Arabic locales (AE EG JO MA QA SA), Different variations of spanish
locales.
Added new 3 components locales for mn_Cyrl_MN, sr_Cyrl_RS sr_Latn_RS,
zh_Hans_CN, zh_Hant_HK and zh_Hant_TW. Some aliases has been for 2 components
version when possible.

Thanks: Garrett D'Amore (Illumos) who made sure all his work was done under
BSD license!, Edwin Groothuis (edwin@) for the work he made on tools to be able
to generate locales definition usable in freebsd sources out of vanilla CLDR
definitions, John Marino (DragonflyBSD) who first merge the Illumos work into
Dragonfly and spent hours tracking down bugs.

Merge mpsutil(8) branch

mpsutil(8)/mprutil(8) are new utilities for managing LSI Fusion-MPT
2/3 controllers (mps(4) and mpr(4))

For now only informational commands have been implemented.

This utility has been written by scottl@ [1] and polished by myself[2]

Submitted by: scottl
Discussed with: scottl
Relnotes: yes
Sponsored by: Netflix [1]
Sponsored by: Gandi.net [2]

Fix a ton of speelling errors

arc lint is helpful

Reviewed By: allanjude, wblock, #manpages, chris@bsdjunk.com
Differential Revision: https://reviews.freebsd.org/D3337

Upgrade our copies of clang, llvm, lldb, compiler-rt and libc++ to 3.7.0
release.

Please note that from 3.5.0 onwards, clang, llvm and lldb require C++11
support to build; see UPDATING for more information.

Release notes for llvm and clang can be found here:
<http://llvm.org/releases/3.7.0/docs/ReleaseNotes.html>
<http://llvm.org/releases/3.7.0/tools/clang/docs/ReleaseNotes.html>

Thanks to Ed Maste, Andrew Turner and Antoine Brodin for their help.

Exp-run: antoine
Relnotes: yes

Fix transposed words in man page.

PR: 201752
Reviewed by: bcr
MFC after: 3 days
Sponsored by: Essen FreeBSD Hackathon

Add support to the jail framework to be able to mount linsysfs(5) and
linprocfs(5).

Differential Revision: D2846
Submitted by: Nikolai Lifanov <lifanov@mail.lifanov.com>
Reviewed by: jamie

Implement PF_IMMUTABLE flag and apply it to "name" and "jid" in
jail.conf parameters. This flag disallows redefinition of the parameter.

"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions. However,
one could override them by using a variable with the same name like
$name = "foo". This confused the parser and could end up with SIGSEGV.

Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf. Specifically,
"jail -c name=j1 name=j2" no longer works. This should be harmless.

PR: 196574
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3017

Fix offset calculation in variable substitution
in jail.conf. The following did not work correctly:

A="A_${B}_C_${D}"
B="BBBBB"
D="DDDD_${E}_FFFFF"
E="EEEEE"

PR: 189139
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3018

Add META_MODE support.

Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision: D2796
Reviewed by: brooks imp

Fix minor mdoc issues.

Fix typo in jail(8) man page

PR: 198790
Differential Revision: https://reviews.freebsd.org/D2111
Submitted by: Jimmy Olgeni
Approved by: wblock (mentor)
Sponsored by: ScaleEngine Inc.

Upgrade our copy of clang, llvm and lldb to 3.6.0 release.

Please note that from 3.5.0 onwards, clang/llvm/lldb require C++11
support to build; see UPDATING for more information.

Release notes for llvm and clang can be found here:
<http://llvm.org/releases/3.6.0/docs/ReleaseNotes.html>
<http://llvm.org/releases/3.6.0/tools/clang/docs/ReleaseNotes.html>

Thanks to Ed Maste for the lldb part of this upgrade.

Exp-run: antoine

Allow the kern.osrelease and kern.osreldate sysctl values to be set in a
jail's creation parameters. This allows the kernel version to be reliably
spoofed within the jail whether examined directly with sysctl or
indirectly with the uname -r and -K options.

The values can only be set at jail creation time, to eliminate the need
for any locking when accessing the values via sysctl.

The overridden values are inherited by nested jails (unless the config for
the nested jails also overrides the values).

There is no sanity or range checking, other than disallowing an empty
release string or a zero release date, by design. The system
administrator is trusted to set sane values. Setting values that are
newer than the actual running kernel will likely cause compatibility
problems.

Differential Revision: https://reviews.freebsd.org/D1948
Relnotes: yes

Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.

Also fix a typo while I'm at it.

PR: 197237 197066
MFC after: 3 days

Add allow.mount.fdescfs jail flag.

PR: 192951
Submitted by: ruben@verweg.com
MFC after: 3 days

Upgrade our copy of clang, llvm and lldb to 3.5.0 release.

Please note that this version now requires C++11 support to build; see
UPDATING for more information.

Release notes for llvm and clang can be found here:
<http://llvm.org/releases/3.5.0/docs/ReleaseNotes.html>
<http://llvm.org/releases/3.5.0/tools/clang/docs/ReleaseNotes.html>

Thanks to Ed Maste, Roman Divacky, Andrew Turner, Justin Hibbits and
Antoine Brodin for their invaluable help with this import.

Approved by: portmgr (antoine)
MFC after: 1 month

mdoc: sort SEE ALSO.

Setgid before running a command as a specified user. Previously only
initgroups(3) was called, what isn't quite enough. This brings jail(8)
in line with jexec(8), which was already doing the right thing.

PR: 195984
MFC after: 1 week

In preparation for using clang's -Wcast-qual:

Use __DECONST (instead of my own attempted re-invention) for the iov
parameters to jail_get/set(2). Similarly remove the decost-ish hack
from execvp's argv, except the __DECONST is only added at very end.

While I'm at it, remove an unused variable and fix a comment typo.

Convert usr.sbin to LIBADD
Reduce overlinking

Added support for extra ifconfig args to jail ip4.addr & ip6.addr params

This allows for CARP interfaces to be used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"

Before this change using exec.prestart to configure a CARP address
would result in the wrong MAC being broadcast on startup as jail creates
IP aliases to support ip[4|6].addr before exec.prestart is executed.

PR: 191832
Reviewed by: jamie
MFC after: 1 week
X-MFC-With: r269340
Phabric: D528
Sponsored by: Multiplay

The month's name shall not be abbreviated.

Reword an awkward option description

PR: 191726
Reported by: yaneurabeya gmail.com
MFC after: 3 days

Bump .Dd, missed in r266206

Approved by: hrs (mentor, implicit)

Review pass through jail.8

Replace usage of "prison" with "jail", since that term has mostly dropped
out of use. Note once at the beginning that the "prison" term is equivalent,
but do not use it otherwise. [1]

Some grammar issues.

Some mdoc formatting fixes.

Consistently use \(em for em dashes, with spaces around it.

Avoid contractions.

Prefer ssh to telnet.

PR: docs/176832 [1]
Approved by: hrs (mentor)

Use src.opts.mk in preference to bsd.own.mk except where we need stuff
from the latter.

Line-wrapping tweak: make the sample jail command line fit in 80 characters.

MFC after: 3 days

Bump .Dd forgotten in r261832.

MFC after: 2 weeks

Add commas (,) to the list in the SEE ALSO section, to match most other
manuals.

MFC after: 2 weeks

Add cross references between rc.conf(5) and jail.conf(5).

MFC after: 2 weeks

Back out r261266 pending security buy-in.

r261266:
Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.

Add a jail parameter, allow.kmem, which lets jailed processes access
/dev/kmem and related devices (i.e. grants PRIV_IO and PRIV_KMEM_WRITE).
This in conjunction with changing the drm driver's permission check from
PRIV_DRIVER to PRIV_KMEM_WRITE will allow a jailed Xorg server.

Submitted by: netchild
MFC after: 1 week

- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.

- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.

Approved by: re (gjb)

- Update rc.d/jail to use a jail(8) configuration file instead of
command line options. The "jail_<jname>_*" rc.conf(5) variables for
per-jail configuration are automatically converted to
/var/run/jail.<jname>.conf before the jail(8) utility is invoked.
This is transparently backward compatible.

- Fix a minor bug in jail(8) which prevented it from returning false
when jail -r failed.

Approved by: re (glebius)

Allow tmpfs be mounted inside jail.

Work around build breakages with GCC 4.2.

Reported by: tinderbox

Improve compatibility with recent flex from flex.sourceforge.net.

Add the Clang specific -Wmissing-variable-declarations to WARNS=6.

This compiler flag enforces that that people either mark variables
static or use an external declarations for the variable, similar to how
-Wmissing-prototypes works for functions.

Due to the fact that Yacc/Lex generate code that cannot trivially be
changed to not warn because of this (lots of yy* variables), add a
NO_WMISSING_VARIABLE_DECLARATIONS that can be used to turn off this
specific compiler warning.

Announced on: toolchain@

Reverse the order of some implicit commands (FS mounts and ifconfigs)
when stopping jails. This matters particularly for nested filesystem
mounts.

PR: kern/177325
Submitted by: Harald Schmalzbauer
MFC after: 3 days

Handle (ignore) when a process disappears before it can be tracked.

Move properly to the next parameter when jailparam_init fails
(i.e. on an unknown parameter), to avoid freeing bogus pointers.

Warn about filesystem-based attacks.

Partially roll back r239601 - keep parameter strings both length-delimited
and null-terminated at the same time, because they're later passed to
libjail as null-terminated. That means I also need to add a nul byte when
comma-combining array parameters.

MFC after: 6 days

Pre-separate IP addresses passed on the command line, so they can be
properly parsed for interface prefixes and netmask suffixes. This was
already done for the old-style (fixed) command line, but missed for
the new-style.

MFC after: 1 week

Remember that I'm using length-defined strings in parameters:

Remove a bogus null terminator when stripping the netmask from
IP addresses. This was causing later addresses in a comma-separated
string to disappear.

Use memcpy instead of strcpy. This could just cause Bad Things.

PR: 170832
MFC after: 1 week

o Restore -u <username> getopt(3) flag somehow killed in r234712.

PR: bin/169490
Submitted by: amdmi3
MFC after: 2 weeks

Minor spelling fixes.

When writing the jid via the -i flag, do it right when the jail is created,
before any commands run. /etc/rc.d/jail depends on this.

Don't try to set a null TERM environment.

Submitted by: Mateusz Guzik <mjguzik gmail.com>

Fixes to man8 groff mandoc style, usage mistakes, or typos.

PR: 168016
Submitted by: Nobuyuki Koganemaru
Approved by: gjb
MFC after: 3 days

Note that the new jail(8) will be appearing in 9.1.

Fix world after byacc import:
- old yacc(1) use to magicially append stdlib.h, while new one don't
- new yacc(1) do declare yyparse by itself, fix redundant declaration of
'yyparse'

Approved by: des (mentor)

Remove end of line whitespace.

General mdoc(7) and typo fixes.

PR: 167804
Submitted by: Nobuyuki Koganemaru (kogane!jp.freebsd.org)
MFC after: 3 days

mdoc: remove redundant Pp and end a display block with Ed.

Fix .Pp macro.

Add a meta-parameter IP__NULL to enum intparam, instead of mixing
enum values and zeroes. This keeps clang happy (and is just good form).

Submitted by: dim

Add YY_NO_INPUT so clang doesn't complain about "input" not being used.

Fix the dates and history as of the move to HEAD.

A new jail(8) with a configuration file, ultimately to replace the work
currently done by /etc/rc.d/jail.

MFC after: 3 months

Bump .Dd to reflect latest update

Reported by: bz
MFC after: 1 week

Add procfs to jail-mountable filesystems.

Reviewed by: jamie
MFC after: 1 week

mdoc(7) stype - start new sentences on new line

MFC after: 1 week

Analogous to r232059, add a parameter for the ZFS file system:

allow.mount.zfs:
allow mounting the zfs filesystem inside a jail

This way the permssions for mounting all current VFCF_JAIL filesystems
inside a jail are controlled wia allow.mount.* jail parameters.

Update sysctl descriptions.
Update jail(8) and zfs(8) manpages.

TODO: document the connection of allow.mount.* and VFCF_JAIL for kernel
developers

MFC after: 10 days

To improve control over the use of mount(8) inside a jail(8), introduce
a new jail parameter node with the following parameters:

allow.mount.devfs:
allow mounting the devfs filesystem inside a jail

allow.mount.nullfs:
allow mounting the nullfs filesystem inside a jail

Both parameters are disabled by default (equals the behavior before
devfs and nullfs in jails). Administrators have to explicitly allow
mounting devfs and nullfs for each jail. The value "-1" of the
devfs_ruleset parameter is removed in favor of the new allow setting.

Reviewed by: jamie
Suggested by: pjd
MFC after: 2 weeks

Add support for mounting devfs inside jails.

A new jail(8) option "devfs_ruleset" defines the ruleset enforcement for
mounting devfs inside jails. A value of -1 disables mounting devfs in
jails, a value of zero means no restrictions. Nested jails can only
have mounting devfs disabled or inherit parent's enforcement as jails are
not allowed to view or manipulate devfs(8) rules.

Utilizes new functions introduced in r231265.

Reviewed by: jamie
MFC after: 1 month

Try resolving jail path with realpath(3).

jail(8) does a chdir(2) to the given path argument. Kernel evaluates the
jail path from the new cwd and not from the original cwd, which leads to
undesired behavior if given a relative path.

Reviewed by: jamie
MFC after: 2 weeks

Always disable mount and unmount for jails with enforce_statfs==2.
A working statfs(2) is required for umount(8) in jail.

Reviewed by: pjd, kib
Approved by: re (kib)
MFC after: 2 weeks

Revert my last change to this file, as BETA1 is not announced yet.

Pointed out by: kib
Pointy hat to: me
Approved by: re (kib, implicit)

Add a section to the jail chapter that explains why it is not
recommended to allow root users in the jail to access the host system.

PR: docs/156853
Submitted by: crees
Patch by: crees
Approved by: re (kib) for BETA1

Document the potential for jail escape.

Submitted by: Vedad KAJTAZ (vedad % kajtaz net)
PR: 142341
Reviewed by: bz, rwatson
Rewording by: rwatson
Approved by: re (kensmith)
MFC after: 3 days

Check for IPv4 or IPv6 to be available by the kernel to not
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.

Reviewed by: jamie
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days

Revert r221655:

Various people voiced their concerns about these changes.
Until this is resolved, we should use the old version.

Jails have a problem in that if the jail directory is world-readable,
an attacker with root access to the jail can create a setuid binary for
their own use in the host environment (if they also have this access),
thus breaking root in the host.

This exploit is impossible if the jail's files are not world-readable.
Add instructions to the man page on how to create a jail with the
correct permissions set.

PR: docs/156853
Submitted by: Chris Rees (utisoft at gmail dot com)
Reviewed by: cperciva (security parts)
MFC after: 9 days

mdoc: drop redundant .Pp and .LP calls

They have no effect when coming in pairs, or before .Bl/.Bd

Back out r210975, which changed documentation to match the now backed-out
r210974.

Note that a jail without a command parameter will be persistent,
instead of explicitly requiring one of "command" or "persist".

MFC after: 3 days

Spelling fixes.

Change the current working directory to be inside the jail created by
the jail(8) command. [10:04]

Fix a one-NUL-byte buffer overflow in libopie. [10:05]

Correctly sanity-check a buffer length in nfs mount. [10:06]

Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-10:04.jail
Security: FreeBSD-SA-10:05.opie
Security: FreeBSD-SA-10:06.nfsclient

mdoc: consistently spell our email addresses <foo@FreeBSD.org>

Reviewed by: ru

- fix typo

Make 'make manlint' happy. No actual visible change.

Add ip4.saddrsel/ip4.nosaddrsel (and equivalent for ip6) to control
whether to use source address selection (default) or the primary
jail address for unbound outgoing connections.

This is intended to be used by people upgrading from single-IP
jails to multi-IP jails but not having to change firewall rules,
application ACLs, ... but to force their connections (unless
otherwise changed) to the primry jail IP they had been used for
years, as well as for people prefering to implement similar policies.

Note that for IPv6, if configured incorrectly, this might lead to
scope violations, which single-IPv6 jails could as well, as by the
design of jails. [1]

Reviewed by: jamie, hrs (ipv6 part)
Pointed out by: hrs [1]
MFC After: 2 weeks
Asked for by: Jase Thew (bazerka beardz.net)

The last big commit: let usr.sbin/ use WARNS=6 by default.

- New style of jail(8) usage requires "-c" argument to create a jail.

Reviewed by: jamie

Don't forget to increment the man page date.

Reported by: bz

Fix a typo in the jail(8) manpage.

Submitted by: Jille Timmermans <jille quis cx>
MFC after: 1 week

Handle kernels that don't have IPv6 by not sending an "ip6.addr"
parameter unless a (numeric) IPv6 address is given. Even the default
binaries built with -DINET6 will work with IPv6-less kernels. With an
eye to the future, similarly handle the possibility of an IPv4-less kernel.

Approved by: re (kib), bz (mentor)

Some jail parameters (in particular, "ip4" and "ip6" for IP address
restrictions) were found to be inadequately described by a boolean.
Define a new parameter type with three values (disable, new, inherit)
to handle these and future cases.

Approved by: re (kib), bz (mentor)
Discussed with: rwatson

Fix a typo in the examples.

Approved by: re (kib), bz (mentor)

Add libjail, a (somewhat) simpler interface to the jail_set and jail_get
system calls and the security.jail.param sysctls.

Approved by: bz (mentor)

Add a limit for child jails via the "children.cur" and "children.max"
parameters. This replaces the simple "allow.jails" permission.

Approved by: bz (mentor)

Remove obsolete comment describing how the command line is
no longer parsed.

Approved by: bz (mentor)

In preparation for raising NGROUPS and NGROUPS_MAX, change base
system callers of getgroups(), getgrouplist(), and setgroups() to
allocate buffers dynamically. Specifically, allocate a buffer of size
sysconf(_SC_NGROUPS_MAX)+1 (+2 in a few cases to allow for overflow).

This (or similar gymnastics) is required for the code to actually follow
the POSIX.1-2008 specification where {NGROUPS_MAX} may differ at runtime
and where getgroups may return {NGROUPS_MAX}+1 results on systems like
FreeBSD which include the primary group.

In id(1), don't pointlessly add the primary group to the list of all
groups, it is always the first result from getgroups(). In principle
the old code was more portable, but this was only done in one of the two
places where getgroups() was called to the overall effect was pointless.

Document the actual POSIX requirements in the getgroups(2) and
setgroups(2) manpages. We do not yet support a dynamic NGROUPS, but we
may in the future.

MFC after: 2 weeks

In the old-style jail command line, explicitly set parameters from the
security.jail.* sysctls since jail_set(2) doesn't do it implicitly.

Approved by: bz (mentor)

Fix grammar.

Submitted by: richardtoohey at paradise dot net dot nz on -doc

Place hostnames and similar information fully under the prison system.
The system hostname is now stored in prison0, and the global variable
"hostname" has been removed, as has the hostname_mtx mutex. Jails may
have their own host information, or they may inherit it from the
parent/system. The proper way to read the hostname is via
getcredhostname(), which will copy either the hostname associated with
the passed cred, or the system hostname if you pass NULL. The system
hostname can still be accessed directly (and without locking) at
prison0.pr_host, but that should be avoided where possible.

The "similar information" referred to is domainname, hostid, and
hostuuid, which have also become prison parameters and had their
associated global variables removed.

Approved by: bz (mentor)

Fix some inaccuracies in the extensible parameter addition.

Approved by: bz (mentor)

Add support for the arbitrary named jail parameters used by jail_set(2)
and jail_get(2). Jail(8) can now create jails using a "name=value"
format instead of just specifying a limited set of fixed parameters; it
can also modify parameters of existing jails. Jls(8) can display all
parameters of jails, or a specified set of parameters. The available
parameters are gathered from the kernel, and not hard-coded into these
programs.

Small patches on killall(1) and jexec(8) to support jail names with
jail_get(2).

Approved by: bz (mentor)

With the permission of phk@ change the license on remaining jail code
to a 2 clause BSD license.

Approved by: phk
Approved by: bz (mentor)

New sentence starts on a new line.

MFC after: 2 week

Update the description of the '-h' option wrt to primary addresses
per address family and add a reference to the ip-addresses option.

MFC after: 1 week

s,unmount 8,umount 8, it is unmount(2) which I did not mean.

Submitted by: pluknet@gmail.com
MFC after: 1 week

o Sort .Xr.

Add a short section talking about jails and file systems; mention the
mountand jail-aware file systems as well as quota.

PR: kern/68192
Reviewed by: simon
MFC after: 2 weeks

MFp4:
Bring in updated jail support from bz_jail branch.

This enhances the current jail implementation to permit multiple
addresses per jail. In addtion to IPv4, IPv6 is supported as well.
Due to updated checks it is even possible to have jails without
an IP address at all, which basically gives one a chroot with
restricted process view, no networking,..

SCTP support was updated and supports IPv6 in jails as well.

Cpuset support permits jails to be bound to specific processor
sets after creation.

Jails can have an unrestricted (no duplicate protection, etc.) name
in addition to the hostname. The jail name cannot be changed from
within a jail and is considered to be used for management purposes
or as audit-token in the future.

DDB 'show jails' command was added to aid debugging.

Proper compat support permits 32bit jail binaries to be used on 64bit
systems to manage jails. Also backward compatibility was preserved where
possible: for jail v1 syscalls, as well as with user space management
utilities.

Both jail as well as prison version were updated for the new features.
A gap was intentionally left as the intermediate versions had been
used by various patches floating around the last years.

Bump __FreeBSD_version for the afore mentioned and in kernel changes.

Special thanks to:
- Pawel Jakub Dawidek (pjd) for his multi-IPv4 patches
and Olivier Houchard (cognet) for initial single-IPv6 patches.
- Jeff Roberson (jeff) and Randall Stewart (rrs) for their
help, ideas and review on cpuset and SCTP support.
- Robert Watson (rwatson) for lots and lots of help, discussions,
suggestions and review of most of the patch at various stages.
- John Baldwin (jhb) for his help.
- Simon L. Nielsen (simon) as early adopter testing changes
on cluster machines as well as all the testers and people
who provided feedback the last months on freebsd-jail and
other channels.
- My employer, CK Software GmbH, for the support so I could work on this.

Reviewed by: (see above)
MFC after: 3 months (this is just so that I get the mail)
X-MFC Before: 7.2-RELEASE if possible

Bump date.

Add security.jail.mount_allowed sysctl, which allows to mount and
unmount jail-friendly file systems from within a jail.
Precisely it grants PRIV_VFS_MOUNT, PRIV_VFS_UNMOUNT and
PRIV_VFS_MOUNT_NONUSER privileges for a jailed super-user.
It is turned off by default.

A jail-friendly file system is a file system which driver registers
itself with VFCF_JAIL flag via VFS_SET(9) API.
The lsvfs(1) command can be used to see which file systems are
jail-friendly ones.

There currently no jail-friendly file systems, ZFS will be the first one.
In the future we may consider marking file systems like nullfs as
jail-friendly.

Reviewed by: rwatson

Change mount_devfs reference to "mount -t devfs".

Reminded by: ru

Markup fixes.

Use IP addresses out of "TEST-NET" (for use in documentation and
example code) [RFC3330].

Reviewed by: simon

Revert 1.73, since mounting devfs without a devfs ruleset inside a
jail is a very bad idea security wise.

Approved by: trhodes (jcamou mentor)
No response: jcamou

Mention ruleset #4 (devfsrules_jail) in jail's man page.

MFC after: 3

correct strtol(3) usage and style(9)

Reviewed by: maxim
MFC after: 2 weeks

o Style(9) the previous commit a bit.

Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.

PR: bin/80242
MFC after: 2 weeks

Use .Vt for struct xprison
Suggested by: keramida

document security.jail.list sysctl in jail(8)

PR: docs/96807
MFC after: 3

o Document security.jail.jailed sysctl.

PR: docs/94711
Submitted by: Andreas Kohn
MFC after: 2 weeks

o Do not mangle current session user login name with jail -u|-U.

PR: bin/94730
Submitted by: Frank Behrens
MFC after: 1 month

Do `mount_devfs' when starting a jail.

PR: docs/86044
Noticed by: Dan Langille <dan@langille.org>
Reviewed by: Jose Biskofski <jbiskofski@grmims.com>
Approved by: trhodes (mentor)

Add [-J jid_file] option to write out a JidFile, similar to a PidFile,
containing the jailid, path, hostname, ip and the command used to start
the jail.

PR: misc/89883
Submitted by: L. Jason Godsey <lannygodsey -at- yahoo.com>
Reviewed by: phk
MFC after: 1 week

Note that the jail setup example is meant to be fed to sh(1), not csh(1).

PR: docs/87351
Submitted by: "Eli K. Breen" <bsd@unixforge.net>
Approved by: simon, brooks
MFC after: 3 days

Add some more info about jail startup and shutdown.

Submitted by: Jeremie Le Hen <jeremie@le-hen.org>
MFC after: 3 days

Move DNS configuration before sendmail configuration, because
newaliases(1) may hang without proper DNS configuration.

Approved by: brueffer

Mention that it is possible to have jails
started at boot time if specified in
/etc/rc.conf.

PR: docs/81040
Submitted by: matteo
Approved by: trhodes (mentor)
MFC after: 1 week

Markup fixes.

Approved by: re (blanket)

Update manual page after sysctl rename.

Corrected by: brueffer

Document 'jid' keyword for ps(1) and '-j' option for pgrep(1)/pkill(1).

Remove symblic link kernel->dev/null creation. We don't need it in 5.x/6.x
world (there is no /kernel file anymore).

Reminded by: Isaac Levy presentation

Fix spelling errors.

Approved by: brueffer (mentor)

Added the convenience "distribution" target which calls the
target of the same name from src/etc/Makefile with a proper
environment, suitable to be used during upgrades and cross-
builds.

Add a new sysctl, "security.jail.chflags_allowed", which controls the
behaviour of chflags within a jail. If set to 0 (the default), then a
jailed root user is treated as an unprivileged user; if set to 1, then
a jailed root user is treated the same as an unjailed root user.

This is necessary to allow "make installworld" to work inside a jail,
since it attempts to manipulate the system immutable flag on certain
files.

Discussed with: csjp, rwatson
MFC after: 2 weeks

Fixed punctuation in xrefs.

Scheduled mdoc(7) sweep.

Initialize lcap and pwd to NULL. This allows a WARNS=6 clean build,
hence bump it to 6.

Note that the last commit message was not quite accurate. While the
assumption exists in the code, it's not possible to have an
uninitialized p there because if lflag is set when username is NULL
then execution would be terminated earlier.

The code path in main() dealing with lflag assumes that p was
initialized with NULL, while it is not. So let's initialize
it.

Pass an array of gid_t rather than an array of int to getgroups().

PR: 56646

o Add -l option to jail(8) similar to su(1): before running jail'ed
program under specific user's credentials, clean the environment and
set only a few variables.

PR: bin/70024
Submitted by: demon
MFC after: 1 month

Mechanically kill hard sentence breaks.

Prepare jail(8) utility for new functionality which will limit
seeing status of mounted file system for jailed processes.
Pass full path of jail's root directory to the kernel. mount(8) utility is
doing the same thing already.

Markup nits.

Sentences should not start with conjunctions. Change "Because"
to "Since".

Pointed out by: Ceri

Add a warning note to security.jail.allow_raw_sockets
about the risks of enabling raw sockets in prisons.

Because raw sockets can be used to configure and interact
with various network subsystems, extra caution should be
used where privileged access to jails is given out to
untrusted parties. As such, by default this option is disabled.

A few others and I are currently auditing the kernel
source code to ensure that the use of raw sockets by
privledged prison users is safe.

Approved by: bmilekic (mentor)

o Implement -U flag: run command as user which exists only in jail.
o getpwnam(3) returns NULL and does not set errno when the user does
not exist. Bail out with "no such user" instead of "Unknown error: 0".

PR: bin/67262
Submitted by: demon (-U flag)
MFC after: 3 weeks

Typos and nits.

Document security.jail.getfsstatroot_only sysctl.

Obtained from: rwatson's commit log
Approved by: rwatson

mdoc(7) cleanup for the last commit to this file.

OK'ed by: bmilekic

Ammend jail(8) man page to explain new sysctl for raw-sockets
inside jails, Christian's last submission.

Submitted by: Christian S.J. Peron <maneo@bsdpro.com>

Correct typo.

A variety of content cleanups:

(1) Document the notion of using jail(8) to run "virtual servers" or
just to constrain specific applications. If only running specific
applications, some configuration steps are unnecessary (such as
editing rc.conf).

(2) Add some more subsection headers to break up the bigger chunks of
text.

(3) Clarify the problems associated with applications binding all IP
addresses in the host, and attempt to be more specific about
potential application problems. Document how to force sshd to
bind the the right socket.

(4) Suggest that in a jailed application scenario, you might want to
have the host syslogd listen on the socket in the jail, rather
than running syslogd in the jail.

(5) Catch another reference to /stand/sysinstall.

Approved by: re (bmah implicitly)

No need to copy sysinstall into a jail with -CURRENT, since in
-CURRENT, we have /usr/sbin/sysinstall.

Approved by: re (bmah implicitly)

- Add a note that there are two MIB variables that have per-jail
settings.

Reviewed by: rwatson
Approved by: blackend (mentor)

add FBSDID

When pointing users at mount_devfs to populate the /dev of a jail,
tell them that they also need to use devfs rules to prevent
inappropriate devices from appearing in the jail; add an Xref. In
earlier versions of this man page, the user was instructed to use
sh MAKEDEV jail, which only created a minimal set of device nodes.

Force output of jail ID (if necessary) before excuting the command,
otherwise redirection of stdout to a file using block buffering will
not complete in time.

o Add jls(8) for listing active jails.
o Add jexec(8) to execute a command in an existing jail.
o Add -j option for killall(1) to kill all processes in a specified
jail.
o Add -i option to jail(8) to output jail ID of newly created jail.

Free login_cap(3) resources after usage.

Submitted by: demon

o Fix error messages formatting, style.

Prodded by: bde
Reviewed by: bde

o Add -u <username> flag to jail(8): set user context before exec.

PR: bin/44320
Submitted by: Mike Matsnev <mike@po.cs.msu.su>
Reviewed by: -current
MFC after: 6 weeks

portmap_enable -> rpcbind_enable.

Spotted by: Andrew Khlebutin <andreyh@perm.ru>

Remove traces of MAKEDEV & add xref to mount_devfs(8).
DEVFS is now mandatory in CURRENT.

PR: docs/48095
Submitted by: Grzegorz Czaplinski <G.Czaplinski@prioris.mini.pw.edu.pl>

Fix example, we do not need NO_MAKEDEV_RUN any more.

XXX: this example should be updated with a good example of devfs(8) rules.

The .Nm utility

Fix IP address typo.

PR: 38313
Submitted by: Jeff Ito <jeffi@rcn.com>

Usage style sweep: spell "usage" with a small 'u'.
Also change one case of blatant __progname abuse (several more remain)
This commit does not touch anything in src/{contrib,crypto,gnu}/.

- Attempt to help declutter kern. sysctl by moving security out from
beneath it.

Reviewed by: rwatson

mdoc(7) police: ispell rev. 1.32.

mdoc(7) police: tidy up previous delta.

Add some wisdom to the jail setup instructions.

mdoc(7) police overhaul.

- Update the sysctl mibs in order to reflect the recent kern_jail.c
changes.

Approved by: rwatson
Reviewed by: rwatson

syslogd can now be configured to bind to a specific address.

This is not jail(2), or anything else suitable to be referenced with .Fn.

Perform a major cleanup of the usr.sbin Makefiles.
These are not perfectly in agreement with each other style-wise, but they
are orders of orders of magnitude more consistent style-wise than before.

Remove whitespace at EOL.

mdoc(7) police: removed HISTORY info from the .Os call.

mdoc(7) police: sort xrefs.

Set WARNS=2 on programs that compile cleanly with it; add $FreeBSD$
where necessary.

Submitted by: Mike Barcroft <mike@q9media.com>

Add missing includes and sort includes.

Include missing header files which define functions for which gcc has
builtints (e.g., exit, strcmp).

Correct cross-reference:
portmap.8 --> rpcbind.8

Submitted by: .Xr testing script

Change NO_MAKEDEV to a finer granularity method:
NO_MAKEDEV_INSTALL and NO_MAKEDEV_RUN. The former implying the latter.
The names imply what they do. The last commit by DES based on a PR defeated
the original idea behind NO_MAKEDEV, which was not to run MAKEDEV, but to do
the installation of MAKEDEV. This should satisfy both parties on the MAKEDEV
challenge.
Reflect this in the documentation.

- Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.

Set the default manual section for usr.sbin/ to 8.

o Replace part-wise instructions for building world for jail(8) with
a simple make world; while this does a bit more work, it means that
jail(8) doesn't have to be kept in sync with /usr/src/Makefile{,.inc1}
which is a moving target. MFC candidate.

Submitted by: FUJISHIMA Satsuki <sf@FreeBSD.org>
Reviewed by: phk
Also pointed out by: Phil Kernick <Phil@Kernick.org>

mdoc(7) police: split punctuation characters + misc fixes.

mdoc(7) police: removed history info from the .Os FreeBSD call.

mdoc(7) police: use the new features of the Nm macro.

Use Fx macro wherever possible.

Whitespace only: Correct poor line-breaking introduced in rev 1.17,
which was limited to correcting mark-up.

Correct mark-up used in rev 1.16, as discussed with its contributor:

* Use a sub-section (Ss) instead of a section (Sh) for
"Sysctl MIB Entries".

* Use a tagged list (Bl, El and It) instead of sub-sections (Ss) for
the actual MIB entries.

* Mark paths up as such (Pa).

* Mark defined values up as such (Dv).

o Document various sysctl's available for managing services available
within jail()

Typo: "is unreliably by default" to "is unreliable by default".

PR: 19411
Submitted by: Benno Rice <benno@netizen.com.au>

Some minor mdoc style and spelling fixes.

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

- As jail(8) has been almost completely rewritten, prepend another copyright/
BSD-style license, as an add-on to phk's beerware license. Please fedex
some beer to phk.

- Add a ``make depend'' line to the jail-building, which fixes openssl,
among other things. Suggested by: kris

- Add ``newaliases'' to the list of things to do when setting up a new
jail, so that the jailed sendmail doesn't complain.

- Correct references to ``kern.jail.set_hostname_allowed'' which now read
``jail.set_hostname_allowed''.

- Add a reference to sysctl.conf where the sysctl can easily be set in
a persistent way.

- Add a list of cross references to the man page.

- Fix a formatting nit or two.

Fix up a few documentation nits in jail(8), as well as improve the
instructions so as to reduce warnings during jail startup, etc.
Add a somewhat bolder warning recommending the use of
kern.jail.set_hostname to limit jail renamining.

Modified jail.8 to correct a typo (inetd_flas vs. inetd_flags), and add
a comment to the effect that I'm responsible for the additional
documentation, et al, so that phk gets fewer messages about my errors.

Add Robert Watson's much extended documentation including that of the
kern.jail.set_hostname_allowed sysctl MIB.

Submitted by: rwatson

Clean up the jail(8) documentation so that it suggests building a jail
userland in a safer way. Using the NO_MAKEDEV argument in make
distribution prevents the creation of a number of unsafe device nodes
in the jailed /dev, including disk devices, and more. This depends
on an earlier commit to /etc/Makefile to provide the NO_MAKEDEV
support.

Approved by: jkh

Properly manify this manpage.

A procfs mount is no longer needed for a jail.

Add a version number field to the jail(2) argument so that future changes
can be handled intelligently.

WARNING: you will need to reinstall #includes and recompile jail(8).

$Id$ -> $FreeBSD$

Add example of how to create a jail.

Various cosmetics.

Submitted by: Rudolf Cejka <cejkar@dcse.fee.vutbr.cz>
Reviewed by: phk

Fix various bogons.

Submitted by: Rudolf Cejka <cejkar@dcse.fee.vutbr.cz>
Reviewed by: phk

This Implements the mumbled about "Jail" feature.

This is a seriously beefed up chroot kind of thing. The process
is jailed along the same lines as a chroot does it, but with
additional tough restrictions imposed on what the superuser can do.

For all I know, it is safe to hand over the root bit inside a
prison to the customer living in that prison, this is what
it was developed for in fact: "real virtual servers".

Each prison has an ip number associated with it, which all IP
communications will be coerced to use and each prison has its own
hostname.

Needless to say, you need more RAM this way, but the advantage is
that each customer can run their own particular version of apache
and not stomp on the toes of their neighbors.

It generally does what one would expect, but setting up a jail
still takes a little knowledge.

A few notes:

I have no scripts for setting up a jail, don't ask me for them.

The IP number should be an alias on one of the interfaces.

mount a /proc in each jail, it will make ps more useable.

/proc/<pid>/status tells the hostname of the prison for
jailed processes.

Quotas are only sensible if you have a mountpoint per prison.

There are no privisions for stopping resource-hogging.

Some "#ifdef INET" and similar may be missing (send patches!)

If somebody wants to take it from here and develop it into
more of a "virtual machine" they should be most welcome!

Tools, comments, patches & documentation most welcome.

Have fun...

Sponsored by: http://www.rndassociates.com/
Run for almost a year by: http://www.servetheweb.com/