Lines Matching +full:- +full:j
1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
61 struct cfjail *j; member
65 int paralimit = -1;
69 static int run_command(struct cfjail *j);
70 static int add_proc(struct cfjail *j, pid_t pid);
71 static void clear_procs(struct cfjail *j);
73 static int term_procs(struct cfjail *j);
74 static int get_user_info(struct cfjail *j, const char *username,
76 static int check_path(struct cfjail *j, const char *pname, const char *path,
93 error = cpuset_getid(CPU_LEVEL_ROOT, CPU_WHICH_PID, -1, &setid); in root_cpuset_id()
103 next_command(struct cfjail *j) in next_command() argument
109 if (j->flags & JF_FROM_RUNQ) in next_command()
110 requeue_head(j, &runnable); in next_command()
112 requeue(j, &runnable); in next_command()
115 j->flags &= ~JF_FROM_RUNQ; in next_command()
116 create_failed = (j->flags & (JF_STOP | JF_FAILED)) == JF_FAILED; in next_command()
117 stopping = (j->flags & JF_STOP) != 0; in next_command()
118 comparam = *j->comparam; in next_command()
120 if (j->comstring == NULL) { in next_command()
121 j->comparam += create_failed ? -1 : 1; in next_command()
122 switch ((comparam = *j->comparam)) { in next_command()
126 if (!bool_param(j->intparams[IP_MOUNT_DEVFS])) in next_command()
128 j->comstring = &dummystring; in next_command()
131 if (!bool_param(j->intparams[IP_MOUNT_FDESCFS])) in next_command()
133 j->comstring = &dummystring; in next_command()
136 if (!bool_param(j->intparams[IP_MOUNT_PROCFS])) in next_command()
138 j->comstring = &dummystring; in next_command()
142 j->comstring = &dummystring; in next_command()
145 if (j->intparams[comparam] == NULL) in next_command()
147 j->comstring = create_failed || (stopping && in next_command()
148 (j->intparams[comparam]->flags & PF_REV)) in next_command()
149 ? TAILQ_LAST(&j->intparams[comparam]->val, in next_command()
151 : TAILQ_FIRST(&j->intparams[comparam]->val); in next_command()
154 j->comstring = j->comstring == &dummystring ? NULL : in next_command()
156 (j->intparams[comparam]->flags & PF_REV)) in next_command()
157 ? TAILQ_PREV(j->comstring, cfstrings, tq) in next_command()
158 : TAILQ_NEXT(j->comstring, tq); in next_command()
160 if (j->comstring == NULL || j->comstring->len == 0 || in next_command()
166 switch (run_command(j)) { in next_command()
167 case -1: in next_command()
168 failed(j); in next_command()
180 finish_command(struct cfjail *j) in finish_command() argument
185 if (!(j->flags & JF_SLEEPQ)) in finish_command()
187 j->flags &= ~JF_SLEEPQ; in finish_command()
188 if (*j->comparam == IP_STOP_TIMEOUT) { in finish_command()
189 j->flags &= ~JF_TIMEOUT; in finish_command()
190 j->pstatus = 0; in finish_command()
196 rj->flags |= JF_FROM_RUNQ; in finish_command()
200 if (j->flags & JF_TIMEOUT) { in finish_command()
201 j->flags &= ~JF_TIMEOUT; in finish_command()
202 if (*j->comparam != IP_STOP_TIMEOUT) { in finish_command()
203 jail_warnx(j, "%s: timed out", j->comline); in finish_command()
204 failed(j); in finish_command()
205 error = -1; in finish_command()
207 jail_note(j, "timed out\n"); in finish_command()
208 } else if (j->pstatus != 0) { in finish_command()
209 if (WIFSIGNALED(j->pstatus)) in finish_command()
210 jail_warnx(j, "%s: exited on signal %d", in finish_command()
211 j->comline, WTERMSIG(j->pstatus)); in finish_command()
213 jail_warnx(j, "%s: failed", j->comline); in finish_command()
214 j->pstatus = 0; in finish_command()
215 failed(j); in finish_command()
216 error = -1; in finish_command()
218 free(j->comline); in finish_command()
219 j->comline = NULL; in finish_command()
232 struct cfjail *j; in next_proc() local
237 if ((j = TAILQ_FIRST(&sleeping)) && j->timeout.tv_sec) { in next_proc()
239 ts.tv_sec = j->timeout.tv_sec - ts.tv_sec; in next_proc()
240 ts.tv_nsec = j->timeout.tv_nsec - ts.tv_nsec; in next_proc()
242 ts.tv_sec--; in next_proc()
247 j->flags |= JF_TIMEOUT; in next_proc()
248 clear_procs(j); in next_proc()
249 return j; in next_proc()
259 case -1: in next_proc()
265 j = TAILQ_FIRST(&sleeping); in next_proc()
266 j->flags |= JF_TIMEOUT; in next_proc()
267 clear_procs(j); in next_proc()
268 return j; in next_proc()
273 if ((j = find_proc(ke.ident))) { in next_proc()
274 j->pstatus = ke.data; in next_proc()
275 return j; in next_proc()
287 run_command(struct cfjail *j) in run_command() argument
307 comparam = *j->comparam; in run_command()
308 down = j->flags & (JF_STOP | JF_FAILED); in run_command()
311 return term_procs(j); in run_command()
315 if (jail_remove(j->jid) < 0 && errno == EPERM) { in run_command()
316 jail_warnx(j, "jail_remove: %s", in run_command()
318 return -1; in run_command()
320 if (verbose > 0 || (verbose == 0 && (j->flags & JF_STOP in run_command()
321 ? note_remove : j->name != NULL))) in run_command()
322 jail_note(j, "removed\n"); in run_command()
323 j->jid = -1; in run_command()
324 if (j->flags & JF_STOP) in run_command()
325 dep_done(j, DF_LIGHT); in run_command()
327 j->flags &= ~JF_PERSIST; in run_command()
329 if (create_jail(j) < 0) in run_command()
330 return -1; in run_command()
332 printf("%d\n", j->jid); in run_command()
333 if (verbose >= 0 && (j->name || verbose > 0)) in run_command()
334 jail_note(j, "created\n"); in run_command()
341 if (j->intparams[KP_JID] == NULL) { in run_command()
345 j->jid); in run_command()
346 add_param(j, NULL, KP_JID, ljidstr); in run_command()
350 if (j->intparams[KP_NAME] == NULL) in run_command()
351 add_param(j, j->intparams[KP_JID], KP_NAME, in run_command()
354 dep_done(j, DF_LIGHT); in run_command()
364 comstring = j->comstring; in run_command()
370 val = alloca(strlen(comstring->s) + 1); in run_command()
371 strcpy(val, comstring->s); in run_command()
386 argv[1] = acs = alloca(cs - val + 1); in run_command()
387 strlcpy(acs, val, cs - val + 1); in run_command()
390 argv[1] = string_param(j->intparams[IP_INTERFACE]); in run_command()
400 argv[3] = acs = alloca(cs - addr + 1); in run_command()
401 strlcpy(acs, addr, cs - addr + 1); in run_command()
419 argv[argc] = down ? "-alias" : "alias"; in run_command()
427 val = alloca(strlen(comstring->s) + 1); in run_command()
428 strcpy(val, comstring->s); in run_command()
443 argv[1] = acs = alloca(cs - val + 1); in run_command()
444 strlcpy(acs, val, cs - val + 1); in run_command()
447 argv[1] = string_param(j->intparams[IP_INTERFACE]); in run_command()
468 argv[argc] = down ? "-alias" : "alias"; in run_command()
476 argv[1] = comstring->s; in run_command()
477 argv[2] = down ? "-vnet" : "vnet"; in run_command()
478 argv[3] = string_param(j->intparams[KP_JID]); in run_command()
485 comcs = alloca(comstring->len + 1); in run_command()
486 strcpy(comcs, comstring->s); in run_command()
491 jail_warnx(j, "%s: %s: fstab parse error", in run_command()
492 j->intparams[comparam]->name, comstring->s); in run_command()
493 return -1; in run_command()
500 jail_warnx(j, "%s: %s: missing information", in run_command()
501 j->intparams[comparam]->name, comstring->s); in run_command()
502 return -1; in run_command()
504 if (check_path(j, j->intparams[comparam]->name, argv[1], 0, in run_command()
506 return -1; in run_command()
517 argv[3] = "-o"; in run_command()
525 argv[1] = "-t"; in run_command()
530 path = string_param(j->intparams[KP_PATH]); in run_command()
532 jail_warnx(j, "mount.devfs: no jail root path defined"); in run_command()
533 return -1; in run_command()
537 if (check_path(j, "mount.devfs", devpath, 0, in run_command()
539 return -1; in run_command()
546 argv[1] = "-t"; in run_command()
548 ruleset = string_param(j->intparams[KP_DEVFS_RULESET]); in run_command()
552 sprintf(acs, "-oruleset=%s", ruleset); in run_command()
561 path = string_param(j->intparams[KP_PATH]); in run_command()
563 jail_warnx(j, "mount.fdescfs: no jail root path defined"); in run_command()
564 return -1; in run_command()
568 if (check_path(j, "mount.fdescfs", devpath, 0, in run_command()
570 return -1; in run_command()
577 argv[1] = "-t"; in run_command()
587 path = string_param(j->intparams[KP_PATH]); in run_command()
589 jail_warnx(j, "mount.procfs: no jail root path defined"); in run_command()
590 return -1; in run_command()
594 if (check_path(j, "mount.procfs", devpath, 0, in run_command()
596 return -1; in run_command()
603 argv[1] = "-t"; in run_command()
613 jidstr = string_param(j->intparams[KP_JID]); in run_command()
614 …fmt = "if [ $(/sbin/zfs get -H -o value jailed %s) = on ]; then /sbin/zfs jail %s %s || echo error… in run_command()
617 + 4 * comstring->len in run_command()
618 - 6 * 2 /* 6 * "%s" */ in run_command()
621 ret = snprintf(comcs, comlen, fmt, comstring->s, in run_command()
622 jidstr, comstring->s, comstring->s, jidstr, in run_command()
623 comstring->s); in run_command()
625 jail_warnx(j, "internal error in ZFS dataset handling"); in run_command()
629 argv[1] = "-c"; in run_command()
635 if (j->name != NULL) in run_command()
638 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) in run_command()
642 TAILQ_FOREACH(s, &j->intparams[IP_COMMAND]->val, tq) in run_command()
643 argv[argc++] = s->s; in run_command()
645 j->comstring = &dummystring; in run_command()
650 if ((cs = strpbrk(comstring->s, "!\"$&'()*;<>?[\\]`{|}~")) && in run_command()
654 argv[1] = "-c"; in run_command()
655 argv[2] = comstring->s; in run_command()
662 comcs = alloca(comstring->len + 1); in run_command()
663 strcpy(comcs, comstring->s); in run_command()
669 strcpy(comcs, comstring->s); in run_command()
680 if (int_param(j->intparams[IP_EXEC_TIMEOUT], &timeout) && in run_command()
682 clock_gettime(CLOCK_REALTIME, &j->timeout); in run_command()
683 j->timeout.tv_sec += timeout; in run_command()
685 j->timeout.tv_sec = 0; in run_command()
693 clean = bool_param(j->intparams[IP_EXEC_CLEAN]); in run_command()
694 username = string_param(j->intparams[injail in run_command()
696 sjuser = bool_param(j->intparams[IP_EXEC_SYSTEM_JAIL_USER]); in run_command()
700 (conslog = string_param(j->intparams[IP_EXEC_CONSOLELOG]))) { in run_command()
701 if (check_path(j, "exec.consolelog", conslog, 1, NULL) < 0) in run_command()
702 return -1; in run_command()
706 jail_warnx(j, "open %s: %s", conslog, strerror(errno)); in run_command()
707 return -1; in run_command()
714 j->comline = cs = emalloc(comlen); in run_command()
719 cs[-1] = ' '; in run_command()
723 jail_note(j, "run command%s%s%s: %s\n", in run_command()
725 username ? username : "", j->comline); in run_command()
731 if (bg || !add_proc(j, pid)) { in run_command()
732 free(j->comline); in run_command()
733 j->comline = NULL; in run_command()
736 paralimit--; in run_command()
747 get_user_info(j, username, &pwd, &lcap) < 0) in run_command()
751 path = string_param(j->intparams[KP_PATH]); in run_command()
753 jail_warnx(j, "chdir %s: %s", path, strerror(errno)); in run_command()
756 if (int_param(j->intparams[IP_EXEC_FIB], &fib) && in run_command()
758 jail_warnx(j, "setfib: %s", strerror(errno)); in run_command()
768 * This is just a best-effort to use as wide of mask as in run_command()
772 (void)cpuset_setid(CPU_WHICH_PID, -1, setid); in run_command()
774 if (jail_attach(j->jid) < 0) { in run_command()
775 jail_warnx(j, "jail_attach: %s", strerror(errno)); in run_command()
781 get_user_info(j, username, &pwd, &lcap) < 0) in run_command()
790 if (setgid(pwd->pw_gid) < 0) { in run_command()
791 jail_warnx(j, "setgid %d: %s", pwd->pw_gid, in run_command()
795 if (setusercontext(lcap, pwd, pwd->pw_uid, username in run_command()
798 jail_warnx(j, "setusercontext %s: %s", pwd->pw_name, in run_command()
803 setenv("USER", pwd->pw_name, 1); in run_command()
804 setenv("HOME", pwd->pw_dir, 1); in run_command()
806 *pwd->pw_shell ? pwd->pw_shell : _PATH_BSHELL, 1); in run_command()
807 if (clean && username && chdir(pwd->pw_dir) < 0) { in run_command()
808 jail_warnx(j, "chdir %s: %s", in run_command()
809 pwd->pw_dir, strerror(errno)); in run_command()
815 if (string_param(j->intparams[KP_JID])) in run_command()
816 setenv("JID", string_param(j->intparams[KP_JID]), 1); in run_command()
817 setenv("JNAME", string_param(j->intparams[KP_NAME]), 1); in run_command()
819 path = string_param(j->intparams[KP_PATH]); in run_command()
824 jail_warnx(j, "exec.consolelog: %s", strerror(errno)); in run_command()
829 jail_warnx(j, "exec %s: %s", argv[0], strerror(errno)); in run_command()
837 add_proc(struct cfjail *j, pid_t pid) in add_proc() argument
852 ph->j = j; in add_proc()
853 ph->pid = pid; in add_proc()
855 j->nprocs++; in add_proc()
856 j->flags |= JF_SLEEPQ; in add_proc()
857 if (j->timeout.tv_sec == 0) in add_proc()
858 requeue(j, &sleeping); in add_proc()
861 TAILQ_REMOVE(j->queue, j, tq); in add_proc()
863 if (!tj->timeout.tv_sec || in add_proc()
864 j->timeout.tv_sec < tj->timeout.tv_sec || in add_proc()
865 (j->timeout.tv_sec == tj->timeout.tv_sec && in add_proc()
866 j->timeout.tv_nsec <= tj->timeout.tv_nsec)) { in add_proc()
867 TAILQ_INSERT_BEFORE(tj, j, tq); in add_proc()
872 TAILQ_INSERT_TAIL(&sleeping, j, tq); in add_proc()
873 j->queue = &sleeping; in add_proc()
882 clear_procs(struct cfjail *j) in clear_procs() argument
888 j->nprocs = 0; in clear_procs()
891 if (ph->j == j) { in clear_procs()
892 EV_SET(&ke, ph->pid, EVFILT_PROC, EV_DELETE, in clear_procs()
906 struct cfjail *j; in find_proc() local
910 if (ph->pid == pid) { in find_proc()
911 j = ph->j; in find_proc()
914 return --j->nprocs ? NULL : j; in find_proc()
923 term_procs(struct cfjail *j) in term_procs() argument
930 if (!int_param(j->intparams[IP_STOP_TIMEOUT], &timeout)) in term_procs()
946 if (ki[i].ki_jid == j->jid && in term_procs()
948 (void)add_proc(j, ki[i].ki_pid); in term_procs()
952 jail_note(j, "sent SIGTERM to:"); in term_procs()
959 if (j->nprocs > 0) { in term_procs()
960 clock_gettime(CLOCK_REALTIME, &j->timeout); in term_procs()
961 j->timeout.tv_sec += timeout; in term_procs()
971 get_user_info(struct cfjail *j, const char *username, in get_user_info() argument
980 jail_warnx(j, "getpwnam%s%s: %s", username ? " " : "", in get_user_info()
983 jail_warnx(j, "%s: no such user", username); in get_user_info()
985 jail_warnx(j, "unknown uid %d", getuid()); in get_user_info()
986 return -1; in get_user_info()
990 jail_warnx(j, "getpwclass %s: %s", pwd->pw_name, in get_user_info()
992 return -1; in get_user_info()
995 if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) { in get_user_info()
996 jail_warnx(j, "initgroups %s: %s", pwd->pw_name, in get_user_info()
998 return -1; in get_user_info()
1008 check_path(struct cfjail *j, const char *pname, const char *path, int isfile, in check_path() argument
1018 jail_warnx(j, "%s: %s: not an absolute pathname", in check_path()
1020 return -1; in check_path()
1026 jailpath = string_param(j->intparams[KP_PATH]); in check_path()
1040 jail_warnx(j, "%s: %s: %s", pname, tpath, in check_path()
1042 return -1; in check_path()
1045 jail_warnx(j, "%s: %s is a symbolic link", in check_path()
1047 return -1; in check_path()
1055 jail_warnx(j, "%s: %s: %s", pname, path, in check_path()
1057 return -1; in check_path()
1060 jail_warnx(j, "%s: %s: %s", pname, stfs.f_mntonname, in check_path()
1062 return -1; in check_path()
1065 jail_warnx(j, "%s: %s: not a mount point", in check_path()
1067 return -1; in check_path()
1070 jail_warnx(j, "%s: %s: not a %s mount", in check_path()
1072 return -1; in check_path()