1#!/bin/sh
2#
3# $FreeBSD: head/etc/rc.d/jail 123344 2003-12-09 08:51:11Z mtm $
4#
5
6# PROVIDE: jail
7# REQUIRE: LOGIN
8# BEFORE: securelevel
9# KEYWORD: FreeBSD shutdown
10
# rc.subr supplies set_rcvar, checkyesno, warn/info/debug, devfs_mount_jail,
# wait_for_pids, load_rc_config and run_rc_command used below.
. /etc/rc.subr

# rc(8) glue: the rc.conf knob is derived from $name, and the two
# commands map to the functions defined in this file.
name="jail"
rcvar=$(set_rcvar)
start_cmd="jail_start"
stop_cmd="jail_stop"
17
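# _jail_clear_variables
#	Reset every per-jail variable so a rejected jail name cannot leave the
#	values of the previously initialized jail in place for the caller.
#
_jail_clear_variables()
{
	jail_rootdir= jail_devdir= jail_fdescdir= jail_procdir=
	jail_hostname= jail_ip= jail_exec= jail_ruleset=
	jail_devfs=NO jail_fdescfs=NO jail_procfs=NO
}

# init_variables _j
#	Initialize the various jail variables for jail _j from the
#	jail_<_j>_* rc.conf variables.
#	Returns 0 when the name is usable and jail_<_j>_rootdir is set,
#	non-zero otherwise (the per-jail variables are then cleared or, for a
#	missing rootdir, left with jail_rootdir empty); callers should skip
#	the jail in that case.
#
init_variables()
{
	_j="$1"

	if [ -z "$_j" ]; then
		warn "init_variables: you must specify a jail"
		_jail_clear_variables
		return 1
	fi

	# The name is spliced into variable names by the evals below, so only
	# shell-identifier characters are accepted; anything else would be
	# evaluated as shell syntax rather than looked up as a variable.
	case "$_j" in
	*[!A-Za-z0-9_]*)
		warn "init_variables: invalid jail name \"$_j\""
		_jail_clear_variables
		return 1
		;;
	esac

	eval jail_rootdir=\"\$jail_${_j}_rootdir\"
	jail_devdir="${jail_rootdir}/dev"
	jail_fdescdir="${jail_devdir}/fd"
	jail_procdir="${jail_rootdir}/proc"
	eval jail_hostname=\"\$jail_${_j}_hostname\"
	eval jail_ip=\"\$jail_${_j}_ip\"
	eval jail_exec=\"\$jail_${_j}_exec\"
	[ -z "${jail_exec}" ] && jail_exec="/bin/sh /etc/rc"

	# The default jail ruleset will be used by rc.subr if none is specified.
	eval jail_ruleset=\"\$jail_${_j}_devfs_ruleset\"
	eval jail_devfs=\"\$jail_${_j}_devfs_enable\"
	[ -z "${jail_devfs}" ] && jail_devfs="NO"
	eval jail_fdescfs=\"\$jail_${_j}_fdescfs_enable\"
	[ -z "${jail_fdescfs}" ] && jail_fdescfs="NO"
	eval jail_procfs=\"\$jail_${_j}_procfs_enable\"
	[ -z "${jail_procfs}" ] && jail_procfs="NO"

	# Debugging aid
	#
	debug "$_j devfs enable: $jail_devfs"
	debug "$_j fdescfs enable: $jail_fdescfs"
	debug "$_j procfs enable: $jail_procfs"
	debug "$_j hostname: $jail_hostname"
	debug "$_j ip: $jail_ip"
	debug "$_j root: $jail_rootdir"
	debug "$_j devdir: $jail_devdir"
	debug "$_j fdescdir: $jail_fdescdir"
	debug "$_j procdir: $jail_procdir"
	debug "$_j ruleset: $jail_ruleset"

	# Without a root directory the derived paths collapse onto the host's
	# own /, /dev and /proc; report that so callers can refuse to act.
	if [ -z "${jail_rootdir}" ]; then
		warn "init_variables: jail_${_j}_rootdir is not set"
		return 1
	fi
	return 0
}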
61
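# jail_start
#	Apply the global security.jail.* sysctls from rc.conf, then for each
#	jail in jail_list mount the optional devfs/fdescfs/procfs instances
#	and run jail(8).  Jails without a usable root directory are skipped.
#
jail_start()
{
	echo -n 'Configuring jails:'
	echo -n ' set_hostname_allowed='
	if checkyesno jail_set_hostname_allow ; then
		echo -n 'YES'
		${SYSCTL_W} 1>/dev/null security.jail.set_hostname_allowed=1
	else
		echo -n 'NO'
		${SYSCTL_W} 1>/dev/null security.jail.set_hostname_allowed=0
	fi

	echo -n ' unixiproute_only='
	if checkyesno jail_socket_unixiproute_only ; then
		echo -n 'YES'
		${SYSCTL_W} 1>/dev/null security.jail.socket_unixiproute_only=1
	else
		echo -n 'NO'
		${SYSCTL_W} 1>/dev/null security.jail.socket_unixiproute_only=0
	fi

	echo -n ' sysvipc_allow='
	if checkyesno jail_sysvipc_allow ; then
		echo -n 'YES'
		${SYSCTL_W} 1>/dev/null security.jail.sysvipc_allowed=1
	else
		echo -n 'NO'
		${SYSCTL_W} 1>/dev/null security.jail.sysvipc_allowed=0
	fi
	echo '.'

	echo -n 'Starting Jails:'
	for _jail in ${jail_list}
	do
		init_variables "$_jail"
		# With an empty rootdir the paths below become the host's own
		# /dev, /dev/fd and /proc and jail(8) would be run on "/";
		# refuse rather than touch the host.
		if [ -z "${jail_rootdir}" ] || [ ! -d "${jail_rootdir}" ]; then
			warn "jail ${_jail}: jail_${_jail}_rootdir is unset or not a directory, skipping"
			continue
		fi
		if checkyesno jail_devfs; then
			info "Mounting devfs on ${jail_devdir}"
			# jail_ruleset stays unquoted on purpose: when empty it must
			# vanish so rc.subr falls back to the default ruleset.
			devfs_mount_jail "${jail_devdir}" ${jail_ruleset}

			# Transitional symlink for old binaries.  Use the full link
			# path instead of cd'ing in, so a failed cd cannot leave the
			# symlink in whatever directory rc happened to be running from.
			if [ ! -L "${jail_devdir}/log" ]; then
				ln -sf ../var/run/log "${jail_devdir}/log"
			fi

			# XXX - It seems symlinks don't work when there
			#	is a devfs(5) device of the same name.
			# Jail console output
			#	__pwd="`pwd`"
			#	cd "${jail_devdir}"
			#	ln -sf ../var/log/console console
			#	cd "$__pwd"
		fi
		if checkyesno jail_fdescfs; then
			info "Mounting fdescfs on ${jail_fdescdir}"
			mount -t fdescfs fdesc "${jail_fdescdir}"
		fi
		if checkyesno jail_procfs; then
			info "Mounting procfs onto ${jail_procdir}"
			if [ -d "${jail_procdir}" ] ; then
				mount -t procfs proc "${jail_procdir}"
			fi
		fi
		# NOTE(review): the console log is opened and truncated as root at a
		# path inside the jail's own filesystem; once the jail has run, its
		# contents are under the jail's control, so consider a log location
		# outside the jail root.  jail_exec is unquoted on purpose: it is a
		# command line ("/bin/sh /etc/rc") that must word-split.
		if jail 1>"${jail_rootdir}/var/log/console.log" 2>&1 \
		    "${jail_rootdir}" "${jail_hostname}" "${jail_ip}" ${jail_exec}; then
			echo -n " $jail_hostname"
		fi
	done
	echo '.'
}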
133
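# jail_stop
#	Send SIGTERM to every jailed process (or only to jailer processes when
#	jail_stop_jailer is set), wait for them to exit, then unmount the
#	per-jail fdescfs/devfs/procfs instances for each jail in jail_list.
#
jail_stop()
{
	echo 'Stopping all jails.'
	# Column 8 of "ps aux" is STAT; a 'J' there marks a jailed process.
	if checkyesno jail_stop_jailer; then
		rc_pid=$(ps aux | grep "jailer" | awk '$8 ~ /.*J/ {print  $2};')
	else
		rc_pid=$(ps aux | awk '$8 ~ /.*J/ {print  $2};')
	fi
	if [ -n "${rc_pid}" ]; then
		# rc_pid holds a whitespace-separated PID list and must word-split.
		kill -TERM $rc_pid
		wait_for_pids $rc_pid
	fi
	for _jail in ${jail_list}
	do
		init_variables "$_jail"
		# With an empty rootdir the directories below are the host's own
		# /dev, /dev/fd and /proc, which all exist; never unmount those.
		if [ -z "${jail_rootdir}" ]; then
			warn "jail ${_jail}: jail_${_jail}_rootdir is not set, skipping unmounts"
			continue
		fi
		# fdescfs sits under the devfs mount, so it is unmounted first.
		if checkyesno jail_fdescfs && [ -d "${jail_fdescdir}" ]; then
			umount -f "${jail_fdescdir}" >/dev/null 2>&1
		fi
		if checkyesno jail_devfs && [ -d "${jail_devdir}" ]; then
			umount -f "${jail_devdir}" >/dev/null 2>&1
		fi
		if checkyesno jail_procfs && [ -d "${jail_procdir}" ]; then
			umount -f "${jail_procdir}" >/dev/null 2>&1
		fi
	done
}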
166
167
# Pull in the jail_* knobs from rc.conf, then dispatch start/stop/etc.
load_rc_config "$name"
run_rc_command "$1"
170