1#!/bin/sh 2# 3# $FreeBSD$ 4# 5 6# PROVIDE: jail 7# REQUIRE: LOGIN FILESYSTEMS 8# BEFORE: securelevel 9# KEYWORD: shutdown 10 11. /etc/rc.subr 12 13name="jail" 14desc="Manage system jails" 15rcvar="jail_enable" 16 17start_cmd="jail_start" 18start_postcmd="jail_warn" 19stop_cmd="jail_stop" 20config_cmd="jail_config" 21console_cmd="jail_console" 22status_cmd="jail_status" 23extra_commands="config console status" 24: ${jail_program:=/usr/sbin/jail} 25: ${jail_consolecmd:=/usr/bin/login -f root} 26: ${jail_jexec:=/usr/sbin/jexec} 27: ${jail_jls:=/usr/sbin/jls} 28 29need_dad_wait= 30 31# extract_var jv name param num defval 32# Extract value from ${jail_$jv_$name} or ${jail_$name} and 33# set it to $param. If not defined, $defval is used. 34# When $num is [0-9]*, ${jail_$jv_$name$num} are looked up and 35# $param is set by using +=. $num=0 is optional (params may start at 1). 36# When $num is YN or NY, the value is interpreted as boolean. 37# When $num is @, the value is interpreted as an array separted by IFS. 38extract_var() 39{ 40 local i _jv _name _param _num _def _name1 _name2 41 _jv=$1 42 _name=$2 43 _param=$3 44 _num=$4 45 _def=$5 46 47 case $_num in 48 YN) 49 _name1=jail_${_jv}_${_name} 50 _name2=jail_${_name} 51 eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" 52 if checkyesno $_name1; then 53 echo " $_param = 1;" 54 else 55 echo " $_param = 0;" 56 fi 57 ;; 58 NY) 59 _name1=jail_${_jv}_${_name} 60 _name2=jail_${_name} 61 eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" 62 if checkyesno $_name1; then 63 echo " $_param = 0;" 64 else 65 echo " $_param = 1;" 66 fi 67 ;; 68 [0-9]*) 69 i=$_num 70 while : ; do 71 _name1=jail_${_jv}_${_name}${i} 72 _name2=jail_${_name}${i} 73 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 74 if [ -n "$_tmpargs" ]; then 75 echo " $_param += \"$_tmpargs\";" 76 elif [ $i != 0 ]; then 77 break; 78 fi 79 i=$(($i + 1)) 80 done 81 ;; 82 @) 83 _name1=jail_${_jv}_${_name} 84 _name2=jail_${_name} 85 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 86 set -- $_tmpargs 87 if [ $# -gt 0 ]; then 88 echo -n " $_param = " 89 while [ $# -gt 1 ]; do 90 echo -n "\"$1\", " 91 shift 92 done 93 echo "\"$1\";" 94 fi 95 ;; 96 *) 97 _name1=jail_${_jv}_${_name} 98 _name2=jail_${_name} 99 eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" 100 if [ -n "$_tmpargs" ]; then 101 echo " $_param = \"$_tmpargs\";" 102 fi 103 ;; 104 esac 105} 106 107# parse_options _j _jv 108# Parse options and create a temporary configuration file if necessary. 109# 110parse_options() 111{ 112 local _j _jv _p 113 _j=$1 114 _jv=$2 115 116 _confwarn=0 117 if [ -z "$_j" ]; then 118 warn "parse_options: you must specify a jail" 119 return 120 fi 121 eval _jconf=\"\${jail_${_jv}_conf:-/etc/jail.${_j}.conf}\" 122 eval _rootdir=\"\$jail_${_jv}_rootdir\" 123 eval _hostname=\"\$jail_${_jv}_hostname\" 124 if [ -z "$_rootdir" -o \ 125 -z "$_hostname" ]; then 126 if [ -r "$_jconf" ]; then 127 _conf="$_jconf" 128 return 0 129 elif [ -r "$jail_conf" ]; then 130 _conf="$jail_conf" 131 return 0 132 else 133 warn "Invalid configuration for $_j " \ 134 "(no jail.conf, no hostname, or no path). " \ 135 "Jail $_j was ignored." 136 fi 137 return 1 138 fi 139 eval _ip=\"\$jail_${_jv}_ip\" 140 if [ -z "$_ip" ] && ! check_kern_features vimage; then 141 warn "no ipaddress specified and no vimage support. " \ 142 "Jail $_j was ignored." 143 return 1 144 fi 145 _conf=/var/run/jail.${_j}.conf 146 # 147 # To relieve confusion, show a warning message. 148 # 149 : ${jail_confwarn:=YES} 150 checkyesno jail_confwarn && _confwarn=1 151 if [ -r "$jail_conf" -o -r "$_jconf" ]; then 152 if ! checkyesno jail_parallel_start; then 153 warn "$_conf is created and used for jail $_j." 154 fi 155 fi 156 /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1 157 158 eval : \${jail_${_jv}_flags:=${jail_flags}} 159 eval _exec=\"\$jail_${_jv}_exec\" 160 eval _exec_start=\"\$jail_${_jv}_exec_start\" 161 eval _exec_stop=\"\$jail_${_jv}_exec_stop\" 162 if [ -n "${_exec}" ]; then 163 # simple/backward-compatible execution 164 _exec_start="${_exec}" 165 _exec_stop="" 166 else 167 # flexible execution 168 if [ -z "${_exec_start}" ]; then 169 _exec_start="/bin/sh /etc/rc" 170 if [ -z "${_exec_stop}" ]; then 171 _exec_stop="/bin/sh /etc/rc.shutdown jail" 172 fi 173 fi 174 fi 175 eval _interface=\"\${jail_${_jv}_interface:-${jail_interface}}\" 176 eval _parameters=\"\${jail_${_jv}_parameters:-${jail_parameters}}\" 177 eval _fstab=\"\${jail_${_jv}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" 178 ( 179 date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" 180 echo "$_j {" 181 extract_var $_jv hostname host.hostname - "" 182 extract_var $_jv rootdir path - "" 183 if [ -n "$_ip" ]; then 184 extract_var $_jv interface interface - "" 185 jail_handle_ips_option $_ip $_interface 186 alias=0 187 while : ; do 188 eval _x=\"\$jail_${_jv}_ip_multi${alias}\" 189 [ -z "$_x" ] && break 190 191 jail_handle_ips_option $_x $_interface 192 alias=$(($alias + 1)) 193 done 194 case $need_dad_wait in 195 1) 196 # Sleep to let DAD complete before 197 # starting services. 198 echo " exec.start += \"sleep " \ 199 $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \ 200 "\";" 201 ;; 202 esac 203 # These are applicable only to non-vimage jails. 204 extract_var $_jv fib exec.fib - "" 205 extract_var $_jv socket_unixiproute_only \ 206 allow.raw_sockets NY YES 207 else 208 echo " vnet;" 209 extract_var $_jv vnet_interface vnet.interface @ "" 210 fi 211 212 echo " exec.clean;" 213 echo " exec.system_user = \"root\";" 214 echo " exec.jail_user = \"root\";" 215 extract_var $_jv exec_prestart exec.prestart 0 "" 216 extract_var $_jv exec_poststart exec.poststart 0 "" 217 extract_var $_jv exec_prestop exec.prestop 0 "" 218 extract_var $_jv exec_poststop exec.poststop 0 "" 219 220 echo " exec.start += \"$_exec_start\";" 221 extract_var $_jv exec_afterstart exec.start 0 "" 222 echo " exec.stop = \"$_exec_stop\";" 223 224 extract_var $_jv consolelog exec.consolelog - \ 225 /var/log/jail_${_j}_console.log 226 227 if [ -r $_fstab ]; then 228 echo " mount.fstab = \"$_fstab\";" 229 fi 230 231 eval : \${jail_${_jv}_devfs_enable:=${jail_devfs_enable:-NO}} 232 if checkyesno jail_${_jv}_devfs_enable; then 233 echo " mount.devfs;" 234 eval _ruleset=\${jail_${_jv}_devfs_ruleset:-${jail_devfs_ruleset}} 235 case $_ruleset in 236 "") ;; 237 [0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;; 238 devfsrules_jail) 239 # XXX: This is the default value, 240 # Let jail(8) to use the default because 241 # mount(8) only accepts an integer. 242 # This should accept a ruleset name. 243 ;; 244 *) warn "devfs_ruleset must be an integer." ;; 245 esac 246 fi 247 eval : \${jail_${_jv}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} 248 if checkyesno jail_${_jv}_fdescfs_enable; then 249 echo " mount.fdescfs;" 250 fi 251 eval : \${jail_${_jv}_procfs_enable:=${jail_procfs_enable:-NO}} 252 if checkyesno jail_${_jv}_procfs_enable; then 253 echo " mount.procfs;" 254 fi 255 256 eval : \${jail_${_jv}_mount_enable:=${jail_mount_enable:-NO}} 257 if checkyesno jail_${_jv}_mount_enable; then 258 echo " allow.mount;" 259 fi 260 261 extract_var $_jv set_hostname_allow allow.set_hostname YN NO 262 extract_var $_jv sysvipc_allow allow.sysvipc YN NO 263 extract_var $_jv enforce_statfs enforce_statfs - 2 264 extract_var $_jv osreldate osreldate 265 extract_var $_jv osrelease osrelease 266 for _p in $_parameters; do 267 echo " ${_p%\;};" 268 done 269 echo "}" 270 ) >> $_conf 271 272 return 0 273} 274 275# jail_extract_address argument iface 276# The second argument is the string from one of the _ip 277# or the _multi variables. In case of a comma separated list 278# only one argument must be passed in at a time. 279# The function alters the _type, _iface, _addr and _mask variables. 280# 281jail_extract_address() 282{ 283 local _i _interface 284 _i=$1 285 _interface=$2 286 287 if [ -z "${_i}" ]; then 288 warn "jail_extract_address: called without input" 289 return 290 fi 291 292 # Check if we have an interface prefix given and split into 293 # iFace and rest. 294 case "${_i}" in 295 *\|*) # ifN|.. prefix there 296 _iface=${_i%%|*} 297 _r=${_i##*|} 298 ;; 299 *) _iface="" 300 _r=${_i} 301 ;; 302 esac 303 304 # In case the IP has no interface given, check if we have a global one. 305 _iface=${_iface:-${_interface}} 306 307 # Set address, cut off any prefix/netmask/prefixlen. 308 _addr=${_r} 309 _addr=${_addr%%[/ ]*} 310 311 # Theoretically we can return here if interface is not set, 312 # as we only care about the _mask if we call ifconfig. 313 # This is not done because we may want to santize IP addresses 314 # based on _type later, and optionally change the type as well. 315 316 # Extract the prefix/netmask/prefixlen part by cutting off the address. 317 _mask=${_r} 318 _mask=`expr -- "${_mask}" : "${_addr}\(.*\)"` 319 320 # Identify type {inet,inet6}. 321 case "${_addr}" in 322 *\.*\.*\.*) _type="inet" ;; 323 *:*) _type="inet6" ;; 324 *) warn "jail_extract_address: type not identified" 325 ;; 326 esac 327 328 # Handle the special /netmask instead of /prefix or 329 # "netmask xxx" case for legacy IP. 330 # We do NOT support shortend class-full netmasks. 331 if [ "${_type}" = "inet" ]; then 332 case "${_mask}" in 333 /*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;; 334 *) ;; 335 esac 336 337 # In case _mask is still not set use /32. 338 _mask=${_mask:-/32} 339 340 elif [ "${_type}" = "inet6" ]; then 341 # In case _mask is not set for IPv6, use /128. 342 _mask=${_mask:-/128} 343 fi 344} 345 346# jail_handle_ips_option input iface 347# Handle a single argument imput which can be a comma separated 348# list of addresses (theoretically with an option interface and 349# prefix/netmask/prefixlen). 350# 351jail_handle_ips_option() 352{ 353 local _x _type _i _defif 354 _x=$1 355 _defif=$2 356 357 if [ -z "${_x}" ]; then 358 # No IP given. This can happen for the primary address 359 # of each address family. 360 return 361 fi 362 363 # Loop, in case we find a comma separated list, we need to handle 364 # each argument on its own. 365 while [ ${#_x} -gt 0 ]; do 366 case "${_x}" in 367 *,*) # Extract the first argument and strip it off the list. 368 _i=`expr -- "${_x}" : '^\([^,]*\)'` 369 _x=`expr -- "${_x}" : "^[^,]*,\(.*\)"` 370 ;; 371 *) _i=${_x} 372 _x="" 373 ;; 374 esac 375 376 _type="" 377 _addr="" 378 _mask="" 379 _iface="" 380 jail_extract_address $_i $_defif 381 382 # make sure we got an address. 383 case $_addr in 384 "") continue ;; 385 *) ;; 386 esac 387 388 # Append address to list of addresses for the jail command. 389 case $_type in 390 inet) 391 echo " ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" 392 ;; 393 inet6) 394 echo " ip6.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" 395 need_dad_wait=1 396 ;; 397 esac 398 done 399} 400 401jail_config() 402{ 403 local _j _jv 404 405 case $1 in 406 _ALL) return ;; 407 esac 408 for _j in $@; do 409 _j=$(echo $_j | tr /. _) 410 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 411 if parse_options $_j $_jv; then 412 echo "$_j: parameters are in $_conf." 413 fi 414 done 415} 416 417jail_console() 418{ 419 local _j _jv _cmd 420 421 # One argument that is not _ALL. 422 case $#:$1 in 423 0:*|1:_ALL) err 3 "Specify a jail name." ;; 424 1:*) ;; 425 esac 426 _j=$(echo $1 | tr /. _) 427 _jv=$(echo -n $1 | tr -c '[:alnum:]' _) 428 shift 429 case $# in 430 0) eval _cmd=\${jail_${_jv}_consolecmd:-$jail_consolecmd} ;; 431 *) _cmd=$@ ;; 432 esac 433 $jail_jexec $_j $_cmd 434} 435 436jail_status() 437{ 438 439 $jail_jls -N 440} 441 442jail_start() 443{ 444 local _j _jv _jid _id _name 445 446 if [ $# = 0 ]; then 447 return 448 fi 449 echo -n 'Starting jails:' 450 case $1 in 451 _ALL) 452 command=$jail_program 453 rc_flags=$jail_flags 454 command_args="-f $jail_conf -c" 455 if ! checkyesno jail_parallel_start; then 456 command_args="$command_args -p1" 457 fi 458 _tmp=`mktemp -t jail` || exit 3 459 if $command $rc_flags $command_args >> $_tmp 2>&1; then 460 $jail_jls jid name | while read _id _name; do 461 echo -n " $_name" 462 echo $_id > /var/run/jail_${_name}.id 463 done 464 else 465 cat $_tmp 466 fi 467 rm -f $_tmp 468 echo '.' 469 return 470 ;; 471 esac 472 if checkyesno jail_parallel_start; then 473 # 474 # Start jails in parallel and then check jail id when 475 # jail_parallel_start is YES. 476 # 477 for _j in $@; do 478 _j=$(echo $_j | tr /. _) 479 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 480 parse_options $_j $_jv || continue 481 482 eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} 483 eval command=\${jail_${_jv}_program:-$jail_program} 484 command_args="-i -f $_conf -c $_j" 485 ( 486 _tmp=`mktemp -t jail_${_j}` || exit 3 487 if $command $rc_flags $command_args \ 488 >> $_tmp 2>&1 </dev/null; then 489 echo -n " ${_hostname:-${_j}}" 490 _jid=$($jail_jls -j $_j jid) 491 echo $_jid > /var/run/jail_${_j}.id 492 else 493 echo " cannot start jail " \ 494 "\"${_hostname:-${_j}}\": " 495 cat $_tmp 496 fi 497 rm -f $_tmp 498 ) & 499 done 500 wait 501 else 502 # 503 # Start jails one-by-one when jail_parallel_start is NO. 504 # 505 for _j in $@; do 506 _j=$(echo $_j | tr /. _) 507 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 508 parse_options $_j $_jv || continue 509 510 eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} 511 eval command=\${jail_${_jv}_program:-$jail_program} 512 command_args="-i -f $_conf -c $_j" 513 _tmp=`mktemp -t jail` || exit 3 514 if $command $rc_flags $command_args \ 515 >> $_tmp 2>&1 </dev/null; then 516 echo -n " ${_hostname:-${_j}}" 517 _jid=$($jail_jls -j $_j jid) 518 echo $_jid > /var/run/jail_${_j}.id 519 else 520 echo " cannot start jail " \ 521 "\"${_hostname:-${_j}}\": " 522 cat $_tmp 523 fi 524 rm -f $_tmp 525 done 526 fi 527 echo '.' 528} 529 530jail_stop() 531{ 532 local _j _jv 533 534 if [ $# = 0 ]; then 535 return 536 fi 537 echo -n 'Stopping jails:' 538 case $1 in 539 _ALL) 540 command=$jail_program 541 rc_flags=$jail_flags 542 command_args="-f $jail_conf -r" 543 if checkyesno jail_reverse_stop; then 544 $jail_jls name | tail -r 545 else 546 $jail_jls name 547 fi | while read _j; do 548 echo -n " $_j" 549 _tmp=`mktemp -t jail` || exit 3 550 $command $rc_flags $command_args $_j >> $_tmp 2>&1 551 if $jail_jls -j $_j > /dev/null 2>&1; then 552 cat $_tmp 553 else 554 rm -f /var/run/jail_${_j}.id 555 fi 556 rm -f $_tmp 557 done 558 echo '.' 559 return 560 ;; 561 esac 562 checkyesno jail_reverse_stop && set -- $(reverse_list $@) 563 for _j in $@; do 564 _j=$(echo $_j | tr /. _) 565 _jv=$(echo -n $_j | tr -c '[:alnum:]' _) 566 parse_options $_j $_jv || continue 567 if ! $jail_jls -j $_j > /dev/null 2>&1; then 568 continue 569 fi 570 eval command=\${jail_${_jv}_program:-$jail_program} 571 echo -n " ${_hostname:-${_j}}" 572 _tmp=`mktemp -t jail` || exit 3 573 $command -q -f $_conf -r $_j >> $_tmp 2>&1 574 if $jail_jls -j $_j > /dev/null 2>&1; then 575 cat $_tmp 576 else 577 rm -f /var/run/jail_${_j}.id 578 fi 579 rm -f $_tmp 580 done 581 echo '.' 582} 583 584jail_warn() 585{ 586 587 # To relieve confusion, show a warning message. 588 case $_confwarn in 589 1) warn "Per-jail configuration via jail_* variables " \ 590 "is obsolete. Please consider migrating to $jail_conf." 591 ;; 592 esac 593} 594 595load_rc_config $name 596case $# in 5971) run_rc_command $@ ${jail_list:-_ALL} ;; 598*) jail_reverse_stop="no" 599 run_rc_command $@ ;; 600esac 601