jail revision 302953
1#!/bin/sh 2# 3# $FreeBSD: stable/11/etc/rc.d/jail 302953 2016-07-17 14:05:11Z jamie $ 4# 5 6# PROVIDE: jail 7# REQUIRE: LOGIN FILESYSTEMS 8# BEFORE: securelevel 9# KEYWORD: nojail shutdown 10 11. /etc/rc.subr 12 13name="jail" 14desc="Manage system jails" 15rcvar="jail_enable" 16 17start_cmd="jail_start" 18start_postcmd="jail_warn" 19stop_cmd="jail_stop" 20config_cmd="jail_config" 21console_cmd="jail_console" 22status_cmd="jail_status" 23extra_commands="config console status" 24: ${jail_conf:=/etc/jail.conf} 25: ${jail_program:=/usr/sbin/jail} 26: ${jail_consolecmd:=/usr/bin/login -f root} 27: ${jail_jexec:=/usr/sbin/jexec} 28: ${jail_jls:=/usr/sbin/jls} 29 30need_dad_wait= 31 32# extract_var jv name param num defval 33# Extract value from ${jail_$jv_$name} or ${jail_$name} and 34# set it to $param. If not defined, $defval is used. 35# When $num is [0-9]*, ${jail_$jv_$name$num} are looked up and 36# $param is set by using +=. $num=0 is optional (params may start at 1). 37# When $num is YN or NY, the value is interpreted as boolean. 38# When $num is @, the value is interpreted as an array separted by IFS. 39extract_var() 40{ 41 local i _jv _name _param _num _def _name1 _name2 42 _jv=$1 43 _name=$2 44 _param=$3 45 _num=$4 46 _def=$5 47 48 case $_num in 49 YN) 50 _name1=jail_${_jv}_${_name} 51 _name2=jail_${_name} 52 eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" 53 if checkyesno $_name1; then 54 echo " $_param = 1;" 55 else 56 echo " $_param = 0;" 57 fi 58 ;; 59 NY) 60 _name1=jail_${_jv}_${_name} 61 _name2=jail_${_name} 62 eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" 63 if checkyesno $_name1; then 64 echo " $_param = 0;" 65 else 66 echo " $_param = 1;" 67 fi 68 ;; 69 [0-9]*) 70 i=$_num 71 while : ; do 72 _name1=jail_${_jv}_${_name}${i} 73 _name2=jail_${_name}${i} 74 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 75 if [ -n "$_tmpargs" ]; then 76 echo " $_param += \"$_tmpargs\";" 77 elif [ $i != 0 ]; then 78 break; 79 fi 80 i=$(($i + 1)) 81 done 82 ;; 83 @) 84 _name1=jail_${_jv}_${_name} 85 _name2=jail_${_name} 86 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 87 set -- $_tmpargs 88 if [ $# -gt 0 ]; then 89 echo -n " $_param = " 90 while [ $# -gt 1 ]; do 91 echo -n "\"$1\", " 92 shift 93 done 94 echo "\"$1\";" 95 fi 96 ;; 97 *) 98 _name1=jail_${_jv}_${_name} 99 _name2=jail_${_name} 100 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 101 if [ -n "$_tmpargs" ]; then 102 echo " $_param = \"$_tmpargs\";" 103 fi 104 ;; 105 esac 106} 107 108# parse_options _j _jv 109# Parse options and create a temporary configuration file if necessary. 110# 111parse_options() 112{ 113 local _j _jv _p 114 _j=$1 115 _jv=$2 116 117 _confwarn=0 118 if [ -z "$_j" ]; then 119 warn "parse_options: you must specify a jail" 120 return 121 fi 122 eval _jconf=\"\${jail_${_jv}_conf:-/etc/jail.${_j}.conf}\" 123 eval _rootdir=\"\$jail_${_jv}_rootdir\" 124 eval _hostname=\"\$jail_${_jv}_hostname\" 125 if [ -z "$_rootdir" -o \ 126 -z "$_hostname" ]; then 127 if [ -r "$_jconf" ]; then 128 _conf="$_jconf" 129 return 0 130 elif [ -r "$jail_conf" ]; then 131 _conf="$jail_conf" 132 return 0 133 else 134 warn "Invalid configuration for $_j " \ 135 "(no jail.conf, no hostname, or no path). " \ 136 "Jail $_j was ignored." 137 fi 138 return 1 139 fi 140 eval _ip=\"\$jail_${_jv}_ip\" 141 if [ -z "$_ip" ] && ! check_kern_features vimage; then 142 warn "no ipaddress specified and no vimage support. " \ 143 "Jail $_j was ignored." 144 return 1 145 fi 146 _conf=/var/run/jail.${_j}.conf 147 # 148 # To relieve confusion, show a warning message. 149 # 150 _confwarn=1 151 if [ -r "$jail_conf" -o -r "$_jconf" ]; then 152 if ! checkyesno jail_parallel_start; then 153 warn "$_conf is created and used for jail $_j." 154 fi 155 fi 156 /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1 157 158 eval : \${jail_${_jv}_flags:=${jail_flags}} 159 eval _exec=\"\$jail_${_jv}_exec\" 160 eval _exec_start=\"\$jail_${_jv}_exec_start\" 161 eval _exec_stop=\"\$jail_${_jv}_exec_stop\" 162 if [ -n "${_exec}" ]; then 163 # simple/backward-compatible execution 164 _exec_start="${_exec}" 165 _exec_stop="" 166 else 167 # flexible execution 168 if [ -z "${_exec_start}" ]; then 169 _exec_start="/bin/sh /etc/rc" 170 if [ -z "${_exec_stop}" ]; then 171 _exec_stop="/bin/sh /etc/rc.shutdown" 172 fi 173 fi 174 fi 175 eval _interface=\"\${jail_${_jv}_interface:-${jail_interface}}\" 176 eval _parameters=\"\${jail_${_jv}_parameters:-${jail_parameters}}\" 177 eval _fstab=\"\${jail_${_jv}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" 178 ( 179 date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" 180 echo "$_j {" 181 extract_var $_jv hostname host.hostname - "" 182 extract_var $_jv rootdir path - "" 183 if [ -n "$_ip" ]; then 184 extract_var $_jv interface interface - "" 185 jail_handle_ips_option $_ip $_interface 186 alias=0 187 while : ; do 188 eval _x=\"\$jail_${_jv}_ip_multi${alias}\" 189 [ -z "$_x" ] && break 190 191 jail_handle_ips_option $_x $_interface 192 alias=$(($alias + 1)) 193 done 194 case $need_dad_wait in 195 1) 196 # Sleep to let DAD complete before 197 # starting services. 198 echo " exec.start += \"sleep " \ 199 $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \ 200 "\";" 201 ;; 202 esac 203 # These are applicable only to non-vimage jails. 204 extract_var $_jv fib exec.fib - "" 205 extract_var $_jv socket_unixiproute_only \ 206 allow.raw_sockets NY YES 207 else 208 echo " vnet;" 209 extract_var $_jv vnet_interface vnet.interface @ "" 210 fi 211 212 echo " exec.clean;" 213 echo " exec.system_user = \"root\";" 214 echo " exec.jail_user = \"root\";" 215 extract_var $_jv exec_prestart exec.prestart 0 "" 216 extract_var $_jv exec_poststart exec.poststart 0 "" 217 extract_var $_jv exec_prestop exec.prestop 0 "" 218 extract_var $_jv exec_poststop exec.poststop 0 "" 219 220 echo " exec.start += \"$_exec_start\";" 221 extract_var $_jv exec_afterstart exec.start 0 "" 222 echo " exec.stop = \"$_exec_stop\";" 223 224 extract_var $_jv consolelog exec.consolelog - \ 225 /var/log/jail_${_j}_console.log 226 227 if [ -r $_fstab ]; then 228 echo " mount.fstab = \"$_fstab\";" 229 fi 230 231 eval : \${jail_${_jv}_devfs_enable:=${jail_devfs_enable:-NO}} 232 if checkyesno jail_${_jv}_devfs_enable; then 233 echo " mount.devfs;" 234 eval _ruleset=\${jail_${_jv}_devfs_ruleset:-${jail_devfs_ruleset}} 235 case $_ruleset in 236 "") ;; 237 [0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;; 238 devfsrules_jail) 239 # XXX: This is the default value, 240 # Let jail(8) to use the default because 241 # mount(8) only accepts an integer. 242 # This should accept a ruleset name. 243 ;; 244 *) warn "devfs_ruleset must be an integer." ;; 245 esac 246 fi 247 eval : \${jail_${_jv}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} 248 if checkyesno jail_${_jv}_fdescfs_enable; then 249 echo " mount.fdescfs;" 250 fi 251 eval : \${jail_${_jv}_procfs_enable:=${jail_procfs_enable:-NO}} 252 if checkyesno jail_${_jv}_procfs_enable; then 253 echo " mount.procfs;" 254 fi 255 256 eval : \${jail_${_jv}_mount_enable:=${jail_mount_enable:-NO}} 257 if checkyesno jail_${_jv}_mount_enable; then 258 echo " allow.mount;" 259 fi 260 261 extract_var $_jv set_hostname_allow allow.set_hostname YN NO 262 extract_var $_jv sysvipc_allow allow.sysvipc YN NO 263 extract_var $_jv osreldate osreldate 264 extract_var $_jv osrelease osrelease 265 for _p in $_parameters; do 266 echo " ${_p%\;};" 267 done 268 echo "}" 269 ) >> $_conf 270 271 return 0 272} 273 274# jail_extract_address argument iface 275# The second argument is the string from one of the _ip 276# or the _multi variables. In case of a comma separated list 277# only one argument must be passed in at a time. 278# The function alters the _type, _iface, _addr and _mask variables. 279# 280jail_extract_address() 281{ 282 local _i _interface 283 _i=$1 284 _interface=$2 285 286 if [ -z "${_i}" ]; then 287 warn "jail_extract_address: called without input" 288 return 289 fi 290 291 # Check if we have an interface prefix given and split into 292 # iFace and rest. 293 case "${_i}" in 294 *\|*) # ifN|.. prefix there 295 _iface=${_i%%|*} 296 _r=${_i##*|} 297 ;; 298 *) _iface="" 299 _r=${_i} 300 ;; 301 esac 302 303 # In case the IP has no interface given, check if we have a global one. 304 _iface=${_iface:-${_interface}} 305 306 # Set address, cut off any prefix/netmask/prefixlen. 307 _addr=${_r} 308 _addr=${_addr%%[/ ]*} 309 310 # Theoretically we can return here if interface is not set, 311 # as we only care about the _mask if we call ifconfig. 312 # This is not done because we may want to santize IP addresses 313 # based on _type later, and optionally change the type as well. 314 315 # Extract the prefix/netmask/prefixlen part by cutting off the address. 316 _mask=${_r} 317 _mask=`expr "${_mask}" : "${_addr}\(.*\)"` 318 319 # Identify type {inet,inet6}. 320 case "${_addr}" in 321 *\.*\.*\.*) _type="inet" ;; 322 *:*) _type="inet6" ;; 323 *) warn "jail_extract_address: type not identified" 324 ;; 325 esac 326 327 # Handle the special /netmask instead of /prefix or 328 # "netmask xxx" case for legacy IP. 329 # We do NOT support shortend class-full netmasks. 330 if [ "${_type}" = "inet" ]; then 331 case "${_mask}" in 332 /*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;; 333 *) ;; 334 esac 335 336 # In case _mask is still not set use /32. 337 _mask=${_mask:-/32} 338 339 elif [ "${_type}" = "inet6" ]; then 340 # In case _mask is not set for IPv6, use /128. 341 _mask=${_mask:-/128} 342 fi 343} 344 345# jail_handle_ips_option input iface 346# Handle a single argument imput which can be a comma separated 347# list of addresses (theoretically with an option interface and 348# prefix/netmask/prefixlen). 349# 350jail_handle_ips_option() 351{ 352 local _x _type _i _defif 353 _x=$1 354 _defif=$2 355 356 if [ -z "${_x}" ]; then 357 # No IP given. This can happen for the primary address 358 # of each address family. 359 return 360 fi 361 362 # Loop, in case we find a comma separated list, we need to handle 363 # each argument on its own. 364 while [ ${#_x} -gt 0 ]; do 365 case "${_x}" in 366 *,*) # Extract the first argument and strip it off the list. 367 _i=`expr "${_x}" : '^\([^,]*\)'` 368 _x=`expr "${_x}" : "^[^,]*,\(.*\)"` 369 ;; 370 *) _i=${_x} 371 _x="" 372 ;; 373 esac 374 375 _type="" 376 _addr="" 377 _mask="" 378 _iface="" 379 jail_extract_address $_i $_defif 380 381 # make sure we got an address. 382 case $_addr in 383 "") continue ;; 384 *) ;; 385 esac 386 387 # Append address to list of addresses for the jail command. 388 case $_type in 389 inet) 390 echo " ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" 391 ;; 392 inet6) 393 echo " ip6.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" 394 need_dad_wait=1 395 ;; 396 esac 397 done 398} 399 400jail_config() 401{ 402 local _j _jv 403 404 case $1 in 405 _ALL) return ;; 406 esac 407 for _j in $@; do 408 _j=$(echo $_j | tr /. _) 409 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 410 if parse_options $_j $_jv; then 411 echo "$_j: parameters are in $_conf." 412 fi 413 done 414} 415 416jail_console() 417{ 418 local _j _jv _cmd 419 420 # One argument that is not _ALL. 421 case $#:$1 in 422 0:*|1:_ALL) err 3 "Specify a jail name." ;; 423 1:*) ;; 424 esac 425 _j=$(echo $1 | tr /. _) 426 _jv=$(echo -n $1 | tr -c '[:alnum:]' _) 427 shift 428 case $# in 429 0) eval _cmd=\${jail_${_jv}_consolecmd:-$jail_consolecmd} ;; 430 *) _cmd=$@ ;; 431 esac 432 $jail_jexec $_j $_cmd 433} 434 435jail_status() 436{ 437 438 $jail_jls -N 439} 440 441jail_start() 442{ 443 local _j _jv _jid _id _name 444 445 if [ $# = 0 ]; then 446 return 447 fi 448 echo -n 'Starting jails:' 449 case $1 in 450 _ALL) 451 command=$jail_program 452 rc_flags=$jail_flags 453 command_args="-f $jail_conf -c" 454 _tmp=`mktemp -t jail` || exit 3 455 if $command $rc_flags $command_args >> $_tmp 2>&1; then 456 $jail_jls jid name | while read _id _name; do 457 echo -n " $_name" 458 echo $_id > /var/run/jail_${_name}.id 459 done 460 else 461 tail -1 $_tmp 462 fi 463 rm -f $_tmp 464 echo '.' 465 return 466 ;; 467 esac 468 if checkyesno jail_parallel_start; then 469 # 470 # Start jails in parallel and then check jail id when 471 # jail_parallel_start is YES. 472 # 473 for _j in $@; do 474 _j=$(echo $_j | tr /. _) 475 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 476 parse_options $_j $_jv || continue 477 478 eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} 479 eval command=\${jail_${_jv}_program:-$jail_program} 480 command_args="-i -f $_conf -c $_j" 481 ( 482 _tmp=`mktemp -t jail_${_j}` || exit 3 483 if $command $rc_flags $command_args \ 484 >> $_tmp 2>&1 </dev/null; then 485 echo -n " ${_hostname:-${_j}}" 486 _jid=$($jail_jls -j $_j jid) 487 echo $_jid > /var/run/jail_${_j}.id 488 else 489 echo " cannot start jail " \ 490 "\"${_hostname:-${_j}}\": " 491 cat $_tmp 492 fi 493 rm -f $_tmp 494 ) & 495 done 496 wait 497 else 498 # 499 # Start jails one-by-one when jail_parallel_start is NO. 500 # 501 for _j in $@; do 502 _j=$(echo $_j | tr /. _) 503 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 504 parse_options $_j $_jv || continue 505 506 eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} 507 eval command=\${jail_${_jv}_program:-$jail_program} 508 command_args="-i -f $_conf -c $_j" 509 _tmp=`mktemp -t jail` || exit 3 510 if $command $rc_flags $command_args \ 511 >> $_tmp 2>&1 </dev/null; then 512 echo -n " ${_hostname:-${_j}}" 513 _jid=$($jail_jls -j $_j jid) 514 echo $_jid > /var/run/jail_${_j}.id 515 else 516 echo " cannot start jail " \ 517 "\"${_hostname:-${_j}}\": " 518 cat $_tmp 519 fi 520 rm -f $_tmp 521 done 522 fi 523 echo '.' 524} 525 526jail_stop() 527{ 528 local _j _jv 529 530 if [ $# = 0 ]; then 531 return 532 fi 533 echo -n 'Stopping jails:' 534 case $1 in 535 _ALL) 536 command=$jail_program 537 rc_flags=$jail_flags 538 command_args="-f $jail_conf -r" 539 if checkyesno jail_reverse_stop; then 540 $jail_jls name | tail -r 541 else 542 $jail_jls name 543 fi | while read _j; do 544 echo -n " $_j" 545 _tmp=`mktemp -t jail` || exit 3 546 $command $rc_flags $command_args $_j >> $_tmp 2>&1 547 if $jail_jls -j $_j > /dev/null 2>&1; then 548 tail -1 $_tmp 549 else 550 rm -f /var/run/jail_${_j}.id 551 fi 552 rm -f $_tmp 553 done 554 echo '.' 555 return 556 ;; 557 esac 558 checkyesno jail_reverse_stop && set -- $(reverse_list $@) 559 for _j in $@; do 560 _j=$(echo $_j | tr /. _) 561 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 562 parse_options $_j $_jv || continue 563 if ! $jail_jls -j $_j > /dev/null 2>&1; then 564 continue 565 fi 566 eval command=\${jail_${_jv}_program:-$jail_program} 567 echo -n " ${_hostname:-${_j}}" 568 _tmp=`mktemp -t jail` || exit 3 569 $command -q -f $_conf -r $_j >> $_tmp 2>&1 570 if $jail_jls -j $_j > /dev/null 2>&1; then 571 tail -1 $_tmp 572 else 573 rm -f /var/run/jail_${_j}.id 574 fi 575 rm -f $_tmp 576 done 577 echo '.' 578} 579 580jail_warn() 581{ 582 583 # To relieve confusion, show a warning message. 584 case $_confwarn in 585 1) warn "Per-jail configuration via jail_* variables " \ 586 "is obsolete. Please consider migrating to $jail_conf." 587 ;; 588 esac 589} 590 591load_rc_config $name 592case $# in 5931) run_rc_command $@ ${jail_list:-_ALL} ;; 594*) jail_reverse_stop="no" 595 run_rc_command $@ ;; 596esac 597