1 /*- 2 * Copyright (c) 1999 Poul-Henning Kamp. 3 * Copyright (c) 2009-2012 James Gritton 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25 * SUCH DAMAGE. 26 */ 27 28 #include <sys/cdefs.h> 29 __FBSDID("$FreeBSD$"); 30 31 #include <sys/types.h> 32 #include <sys/stat.h> 33 #include <sys/socket.h> 34 #include <sys/sysctl.h> 35 36 #include <arpa/inet.h> 37 #include <netinet/in.h> 38 39 #include <err.h> 40 #include <errno.h> 41 #include <stdarg.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 47 #include "jailp.h" 48 49 #define JP_RDTUN(jp) (((jp)->jp_ctltype & CTLFLAG_RDTUN) == CTLFLAG_RDTUN) 50 51 struct permspec { 52 const char *name; 53 enum intparam ipnum; 54 int rev; 55 }; 56 57 const char *cfname; 58 int note_remove; 59 int verbose; 60 61 static void clear_persist(struct cfjail *j); 62 static int update_jail(struct cfjail *j); 63 static int rdtun_params(struct cfjail *j, int dofail); 64 static void running_jid(struct cfjail *j, int dflag); 65 static void jail_quoted_warnx(const struct cfjail *j, const char *name_msg, 66 const char *noname_msg); 67 static int jailparam_set_note(const struct cfjail *j, struct jailparam *jp, 68 unsigned njp, int flags); 69 static void print_jail(FILE *fp, struct cfjail *j, int oldcl); 70 static void print_param(FILE *fp, const struct cfparam *p, int sep, int doname); 71 static void quoted_print(FILE *fp, char *str); 72 static void usage(void); 73 74 static struct permspec perm_sysctl[] = { 75 { "security.jail.set_hostname_allowed", KP_ALLOW_SET_HOSTNAME, 0 }, 76 { "security.jail.sysvipc_allowed", KP_ALLOW_SYSVIPC, 0 }, 77 { "security.jail.allow_raw_sockets", KP_ALLOW_RAW_SOCKETS, 0 }, 78 { "security.jail.chflags_allowed", KP_ALLOW_CHFLAGS, 0 }, 79 { "security.jail.mount_allowed", KP_ALLOW_MOUNT, 0 }, 80 { "security.jail.socket_unixiproute_only", KP_ALLOW_SOCKET_AF, 1 }, 81 }; 82 83 static const enum intparam startcommands[] = { 84 IP__NULL, 85 #ifdef INET 86 IP__IP4_IFADDR, 87 #endif 88 #ifdef INET6 89 IP__IP6_IFADDR, 90 #endif 91 IP_MOUNT, 92 IP__MOUNT_FROM_FSTAB, 93 IP_MOUNT_DEVFS, 94 IP_EXEC_PRESTART, 95 IP__OP, 96 IP_VNET_INTERFACE, 97 IP_EXEC_START, 98 IP_COMMAND, 99 IP_EXEC_POSTSTART, 100 IP__NULL 101 }; 102 103 static const enum intparam stopcommands[] = { 104 IP__NULL, 105 IP_EXEC_PRESTOP, 106 IP_EXEC_STOP, 107 IP_STOP_TIMEOUT, 108 IP__OP, 109 IP_EXEC_POSTSTOP, 110 IP_MOUNT_DEVFS, 111 IP__MOUNT_FROM_FSTAB, 112 IP_MOUNT, 113 #ifdef INET6 114 IP__IP6_IFADDR, 115 #endif 116 #ifdef INET 117 IP__IP4_IFADDR, 118 #endif 119 IP__NULL 120 }; 121 122 int 123 main(int argc, char **argv) 124 { 125 struct stat st; 126 FILE *jfp; 127 struct cfjail *j; 128 char *JidFile; 129 size_t sysvallen; 130 unsigned op, pi; 131 int ch, docf, error, i, oldcl, sysval; 132 int dflag, iflag, Rflag; 133 char enforce_statfs[4]; 134 #if defined(INET) || defined(INET6) 135 char *cs, *ncs; 136 #endif 137 #if defined(INET) && defined(INET6) 138 struct in6_addr addr6; 139 #endif 140 141 op = 0; 142 dflag = iflag = Rflag = 0; 143 docf = 1; 144 cfname = CONF_FILE; 145 JidFile = NULL; 146 147 while ((ch = getopt(argc, argv, "cdf:hiJ:lmn:p:qrRs:U:v")) != -1) { 148 switch (ch) { 149 case 'c': 150 op |= JF_START; 151 break; 152 case 'd': 153 dflag = 1; 154 break; 155 case 'f': 156 cfname = optarg; 157 break; 158 case 'h': 159 #if defined(INET) || defined(INET6) 160 add_param(NULL, NULL, IP_IP_HOSTNAME, NULL); 161 #endif 162 docf = 0; 163 break; 164 case 'i': 165 iflag = 1; 166 verbose = -1; 167 break; 168 case 'J': 169 JidFile = optarg; 170 break; 171 case 'l': 172 add_param(NULL, NULL, IP_EXEC_CLEAN, NULL); 173 docf = 0; 174 break; 175 case 'm': 176 op |= JF_SET; 177 break; 178 case 'n': 179 add_param(NULL, NULL, KP_NAME, optarg); 180 docf = 0; 181 break; 182 case 'p': 183 paralimit = strtol(optarg, NULL, 10); 184 if (paralimit == 0) 185 paralimit = -1; 186 break; 187 case 'q': 188 verbose = -1; 189 break; 190 case 'r': 191 op |= JF_STOP; 192 break; 193 case 'R': 194 op |= JF_STOP; 195 Rflag = 1; 196 break; 197 case 's': 198 add_param(NULL, NULL, KP_SECURELEVEL, optarg); 199 docf = 0; 200 break; 201 case 'u': 202 add_param(NULL, NULL, IP_EXEC_JAIL_USER, optarg); 203 add_param(NULL, NULL, IP_EXEC_SYSTEM_JAIL_USER, NULL); 204 docf = 0; 205 break; 206 case 'U': 207 add_param(NULL, NULL, IP_EXEC_JAIL_USER, optarg); 208 add_param(NULL, NULL, IP_EXEC_SYSTEM_JAIL_USER, 209 "false"); 210 docf = 0; 211 break; 212 case 'v': 213 verbose = 1; 214 break; 215 default: 216 usage(); 217 } 218 } 219 argc -= optind; 220 argv += optind; 221 222 /* Find out which of the four command line styles this is. */ 223 oldcl = 0; 224 if (!op) { 225 /* Old-style command line with four fixed parameters */ 226 if (argc < 4 || argv[0][0] != '/') 227 usage(); 228 op = JF_START; 229 docf = 0; 230 oldcl = 1; 231 add_param(NULL, NULL, KP_PATH, argv[0]); 232 add_param(NULL, NULL, KP_HOST_HOSTNAME, argv[1]); 233 #if defined(INET) || defined(INET6) 234 if (argv[2][0] != '\0') { 235 for (cs = argv[2];; cs = ncs + 1) { 236 ncs = strchr(cs, ','); 237 if (ncs) 238 *ncs = '\0'; 239 add_param(NULL, NULL, 240 #if defined(INET) && defined(INET6) 241 inet_pton(AF_INET6, cs, &addr6) == 1 242 ? KP_IP6_ADDR : KP_IP4_ADDR, 243 #elif defined(INET) 244 KP_IP4_ADDR, 245 #elif defined(INET6) 246 KP_IP6_ADDR, 247 #endif 248 cs); 249 if (!ncs) 250 break; 251 } 252 } 253 #endif 254 for (i = 3; i < argc; i++) 255 add_param(NULL, NULL, IP_COMMAND, argv[i]); 256 /* Emulate the defaults from security.jail.* sysctls. */ 257 sysvallen = sizeof(sysval); 258 if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen, 259 NULL, 0) == 0 && sysval == 0) { 260 for (pi = 0; pi < sizeof(perm_sysctl) / 261 sizeof(perm_sysctl[0]); pi++) { 262 sysvallen = sizeof(sysval); 263 if (sysctlbyname(perm_sysctl[pi].name, 264 &sysval, &sysvallen, NULL, 0) == 0) 265 add_param(NULL, NULL, 266 perm_sysctl[pi].ipnum, 267 (sysval ? 1 : 0) ^ 268 perm_sysctl[pi].rev 269 ? NULL : "false"); 270 } 271 sysvallen = sizeof(sysval); 272 if (sysctlbyname("security.jail.enforce_statfs", 273 &sysval, &sysvallen, NULL, 0) == 0) { 274 snprintf(enforce_statfs, 275 sizeof(enforce_statfs), "%d", sysval); 276 add_param(NULL, NULL, KP_ENFORCE_STATFS, 277 enforce_statfs); 278 } 279 } 280 } else if (op == JF_STOP) { 281 /* Jail remove, perhaps using the config file */ 282 if (!docf || argc == 0) 283 usage(); 284 if (!Rflag) 285 for (i = 0; i < argc; i++) 286 if (strchr(argv[i], '=')) 287 usage(); 288 if ((docf = !Rflag && 289 (!strcmp(cfname, "-") || stat(cfname, &st) == 0))) 290 load_config(); 291 note_remove = docf || argc > 1 || wild_jail_name(argv[0]); 292 } else if (argc > 1 || (argc == 1 && strchr(argv[0], '='))) { 293 /* Single jail specified on the command line */ 294 if (Rflag) 295 usage(); 296 docf = 0; 297 for (i = 0; i < argc; i++) { 298 if (!strncmp(argv[i], "command", 7) && 299 (argv[i][7] == '\0' || argv[i][7] == '=')) { 300 if (argv[i][7] == '=') 301 add_param(NULL, NULL, IP_COMMAND, 302 argv[i] + 8); 303 for (i++; i < argc; i++) 304 add_param(NULL, NULL, IP_COMMAND, 305 argv[i]); 306 break; 307 } 308 add_param(NULL, NULL, 0, argv[i]); 309 } 310 } else { 311 /* From the config file, perhaps with a specified jail */ 312 if (Rflag || !docf) 313 usage(); 314 load_config(); 315 } 316 317 /* Find out which jails will be run. */ 318 dep_setup(docf); 319 error = 0; 320 if (op == JF_STOP) { 321 for (i = 0; i < argc; i++) 322 if (start_state(argv[i], docf, op, Rflag) < 0) 323 error = 1; 324 } else { 325 if (start_state(argv[0], docf, op, 0) < 0) 326 exit(1); 327 } 328 329 jfp = NULL; 330 if (JidFile != NULL) { 331 jfp = fopen(JidFile, "w"); 332 if (jfp == NULL) 333 err(1, "open %s", JidFile); 334 setlinebuf(jfp); 335 } 336 setlinebuf(stdout); 337 338 /* 339 * The main loop: Get an available jail and perform the required 340 * operation on it. When that is done, the jail may be finished, 341 * or it may go back for the next step. 342 */ 343 while ((j = next_jail())) 344 { 345 if (j->flags & JF_FAILED) { 346 error = 1; 347 if (j->comparam == NULL) { 348 dep_done(j, 0); 349 continue; 350 } 351 } 352 if (!(j->flags & JF_PARAMS)) 353 { 354 j->flags |= JF_PARAMS; 355 if (dflag) 356 add_param(j, NULL, IP_ALLOW_DYING, NULL); 357 if (check_intparams(j) < 0) 358 continue; 359 if ((j->flags & (JF_START | JF_SET)) && 360 import_params(j) < 0) 361 continue; 362 } 363 if (!j->jid) 364 running_jid(j, 365 (j->flags & (JF_SET | JF_DEPEND)) == JF_SET 366 ? dflag || bool_param(j->intparams[IP_ALLOW_DYING]) 367 : 0); 368 if (finish_command(j)) 369 continue; 370 371 switch (j->flags & JF_OP_MASK) { 372 /* 373 * These operations just turn into a different op 374 * depending on the jail's current status. 375 */ 376 case JF_START_SET: 377 j->flags = j->jid < 0 ? JF_START : JF_SET; 378 break; 379 case JF_SET_RESTART: 380 if (j->jid < 0) { 381 jail_quoted_warnx(j, "not found", 382 "no jail specified"); 383 failed(j); 384 continue; 385 } 386 j->flags = rdtun_params(j, 0) ? JF_RESTART : JF_SET; 387 if (j->flags == JF_RESTART) 388 dep_reset(j); 389 break; 390 case JF_START_SET_RESTART: 391 j->flags = j->jid < 0 ? JF_START 392 : rdtun_params(j, 0) ? JF_RESTART : JF_SET; 393 if (j->flags == JF_RESTART) 394 dep_reset(j); 395 } 396 397 switch (j->flags & JF_OP_MASK) { 398 case JF_START: 399 if (j->comparam == NULL) { 400 if (j->jid > 0 && 401 !(j->flags & (JF_DEPEND | JF_WILD))) { 402 jail_quoted_warnx(j, "already exists", 403 NULL); 404 failed(j); 405 continue; 406 } 407 if (dep_check(j)) 408 continue; 409 if (j->jid > 0) 410 goto jail_create_done; 411 j->comparam = startcommands; 412 j->comstring = NULL; 413 } 414 if (next_command(j)) 415 continue; 416 jail_create_done: 417 clear_persist(j); 418 if (iflag) 419 printf("%d\n", j->jid); 420 if (jfp != NULL) 421 print_jail(jfp, j, oldcl); 422 dep_done(j, 0); 423 break; 424 425 case JF_SET: 426 if (j->jid < 0 && !(j->flags & JF_DEPEND)) { 427 jail_quoted_warnx(j, "not found", 428 "no jail specified"); 429 failed(j); 430 continue; 431 } 432 if (dep_check(j)) 433 continue; 434 if (!(j->flags & JF_DEPEND)) { 435 if (rdtun_params(j, 1) < 0 || 436 update_jail(j) < 0) 437 continue; 438 if (verbose >= 0 && (j->name || verbose > 0)) 439 jail_note(j, "updated\n"); 440 } 441 dep_done(j, 0); 442 break; 443 444 case JF_STOP: 445 case JF_RESTART: 446 if (j->comparam == NULL) { 447 if (dep_check(j)) 448 continue; 449 if (j->jid < 0) { 450 if (!(j->flags & (JF_DEPEND | JF_WILD)) 451 && verbose >= 0) 452 jail_quoted_warnx(j, 453 "not found", NULL); 454 goto jail_remove_done; 455 } 456 j->comparam = stopcommands; 457 j->comstring = NULL; 458 } else if ((j->flags & JF_FAILED) && j->jid > 0) 459 goto jail_remove_done; 460 if (next_command(j)) 461 continue; 462 jail_remove_done: 463 dep_done(j, 0); 464 if ((j->flags & (JF_START | JF_FAILED)) == JF_START) { 465 j->comparam = NULL; 466 j->flags &= ~JF_STOP; 467 dep_reset(j); 468 requeue(j, j->ndeps ? &depend : &ready); 469 } 470 break; 471 } 472 } 473 474 if (jfp != NULL) 475 fclose(jfp); 476 exit(error); 477 } 478 479 /* 480 * Mark a jail's failure for future handling. 481 */ 482 void 483 failed(struct cfjail *j) 484 { 485 j->flags |= JF_FAILED; 486 TAILQ_REMOVE(j->queue, j, tq); 487 TAILQ_INSERT_HEAD(&ready, j, tq); 488 j->queue = &ready; 489 } 490 491 /* 492 * Exit slightly more gracefully when out of memory. 493 */ 494 void * 495 emalloc(size_t size) 496 { 497 void *p; 498 499 p = malloc(size); 500 if (!p) 501 err(1, "malloc"); 502 return p; 503 } 504 505 void * 506 erealloc(void *ptr, size_t size) 507 { 508 void *p; 509 510 p = realloc(ptr, size); 511 if (!p) 512 err(1, "malloc"); 513 return p; 514 } 515 516 char * 517 estrdup(const char *str) 518 { 519 char *ns; 520 521 ns = strdup(str); 522 if (!ns) 523 err(1, "malloc"); 524 return ns; 525 } 526 527 /* 528 * Print a message including an optional jail name. 529 */ 530 void 531 jail_note(const struct cfjail *j, const char *fmt, ...) 532 { 533 va_list ap, tap; 534 char *cs; 535 size_t len; 536 537 va_start(ap, fmt); 538 va_copy(tap, ap); 539 len = vsnprintf(NULL, 0, fmt, tap); 540 va_end(tap); 541 cs = alloca(len + 1); 542 (void)vsnprintf(cs, len + 1, fmt, ap); 543 va_end(ap); 544 if (j->name) 545 printf("%s: %s", j->name, cs); 546 else 547 printf("%s", cs); 548 } 549 550 /* 551 * Print a warning message including an optional jail name. 552 */ 553 void 554 jail_warnx(const struct cfjail *j, const char *fmt, ...) 555 { 556 va_list ap, tap; 557 char *cs; 558 size_t len; 559 560 va_start(ap, fmt); 561 va_copy(tap, ap); 562 len = vsnprintf(NULL, 0, fmt, tap); 563 va_end(tap); 564 cs = alloca(len + 1); 565 (void)vsnprintf(cs, len + 1, fmt, ap); 566 va_end(ap); 567 if (j->name) 568 warnx("%s: %s", j->name, cs); 569 else 570 warnx("%s", cs); 571 } 572 573 /* 574 * Create a new jail. 575 */ 576 int 577 create_jail(struct cfjail *j) 578 { 579 struct iovec jiov[4]; 580 struct stat st; 581 struct jailparam *jp, *setparams, *setparams2, *sjp; 582 const char *path; 583 int dopersist, ns, jid, dying, didfail; 584 585 /* 586 * Check the jail's path, with a better error message than jail_set 587 * gives. 588 */ 589 if ((path = string_param(j->intparams[KP_PATH]))) { 590 if (j->name != NULL && path[0] != '/') { 591 jail_warnx(j, "path %s: not an absolute pathname", 592 path); 593 return -1; 594 } 595 if (stat(path, &st) < 0) { 596 jail_warnx(j, "path %s: %s", path, strerror(errno)); 597 return -1; 598 } 599 if (!S_ISDIR(st.st_mode)) { 600 jail_warnx(j, "path %s: %s", path, strerror(ENOTDIR)); 601 return -1; 602 } 603 } 604 605 /* 606 * Copy all the parameters, except that "persist" is always set when 607 * there are commands to run later. 608 */ 609 dopersist = !bool_param(j->intparams[KP_PERSIST]) && 610 (j->intparams[IP_EXEC_START] || j->intparams[IP_COMMAND] || 611 j->intparams[IP_EXEC_POSTSTART]); 612 sjp = setparams = 613 alloca((j->njp + dopersist) * sizeof(struct jailparam)); 614 if (dopersist && jailparam_init(sjp++, "persist") < 0) { 615 jail_warnx(j, "%s", jail_errmsg); 616 return -1; 617 } 618 for (jp = j->jp; jp < j->jp + j->njp; jp++) 619 if (!dopersist || !equalopts(jp->jp_name, "persist")) 620 *sjp++ = *jp; 621 ns = sjp - setparams; 622 623 didfail = 0; 624 j->jid = jailparam_set_note(j, setparams, ns, JAIL_CREATE); 625 if (j->jid < 0 && errno == EEXIST && 626 bool_param(j->intparams[IP_ALLOW_DYING]) && 627 int_param(j->intparams[KP_JID], &jid) && jid != 0) { 628 /* 629 * The jail already exists, but may be dying. 630 * Make sure it is, in which case an update is appropriate. 631 */ 632 *(const void **)&jiov[0].iov_base = "jid"; 633 jiov[0].iov_len = sizeof("jid"); 634 jiov[1].iov_base = &jid; 635 jiov[1].iov_len = sizeof(jid); 636 *(const void **)&jiov[2].iov_base = "dying"; 637 jiov[2].iov_len = sizeof("dying"); 638 jiov[3].iov_base = &dying; 639 jiov[3].iov_len = sizeof(dying); 640 if (jail_get(jiov, 4, JAIL_DYING) < 0) { 641 /* 642 * It could be that the jail just barely finished 643 * dying, or it could be that the jid never existed 644 * but the name does. In either case, another try 645 * at creating the jail should do the right thing. 646 */ 647 if (errno == ENOENT) 648 j->jid = jailparam_set_note(j, setparams, ns, 649 JAIL_CREATE); 650 } else if (dying) { 651 j->jid = jid; 652 if (rdtun_params(j, 1) < 0) { 653 j->jid = -1; 654 didfail = 1; 655 } else { 656 sjp = setparams2 = alloca((j->njp + dopersist) * 657 sizeof(struct jailparam)); 658 for (jp = setparams; jp < setparams + ns; jp++) 659 if (!JP_RDTUN(jp) || 660 !strcmp(jp->jp_name, "jid")) 661 *sjp++ = *jp; 662 j->jid = jailparam_set_note(j, setparams2, 663 sjp - setparams2, JAIL_UPDATE | JAIL_DYING); 664 /* 665 * Again, perhaps the jail just finished dying. 666 */ 667 if (j->jid < 0 && errno == ENOENT) 668 j->jid = jailparam_set_note(j, 669 setparams, ns, JAIL_CREATE); 670 } 671 } 672 } 673 if (j->jid < 0 && !didfail) { 674 jail_warnx(j, "%s", jail_errmsg); 675 failed(j); 676 } 677 if (dopersist) { 678 jailparam_free(setparams, 1); 679 if (j->jid > 0) 680 j->flags |= JF_PERSIST; 681 } 682 return j->jid; 683 } 684 685 /* 686 * Remove a temporarily set "persist" parameter. 687 */ 688 static void 689 clear_persist(struct cfjail *j) 690 { 691 struct iovec jiov[4]; 692 int jid; 693 694 if (!(j->flags & JF_PERSIST)) 695 return; 696 j->flags &= ~JF_PERSIST; 697 *(const void **)&jiov[0].iov_base = "jid"; 698 jiov[0].iov_len = sizeof("jid"); 699 jiov[1].iov_base = &j->jid; 700 jiov[1].iov_len = sizeof(j->jid); 701 *(const void **)&jiov[2].iov_base = "nopersist"; 702 jiov[2].iov_len = sizeof("nopersist"); 703 jiov[3].iov_base = NULL; 704 jiov[3].iov_len = 0; 705 jid = jail_set(jiov, 4, JAIL_UPDATE); 706 if (verbose > 0) 707 jail_note(j, "jail_set(JAIL_UPDATE) jid=%d nopersist%s%s\n", 708 j->jid, jid < 0 ? ": " : "", 709 jid < 0 ? strerror(errno) : ""); 710 } 711 712 /* 713 * Set a jail's parameters. 714 */ 715 static int 716 update_jail(struct cfjail *j) 717 { 718 struct jailparam *jp, *setparams, *sjp; 719 int ns, jid; 720 721 ns = 0; 722 for (jp = j->jp; jp < j->jp + j->njp; jp++) 723 if (!JP_RDTUN(jp)) 724 ns++; 725 if (ns == 0) 726 return 0; 727 sjp = setparams = alloca(++ns * sizeof(struct jailparam)); 728 if (jailparam_init(sjp, "jid") < 0 || 729 jailparam_import_raw(sjp, &j->jid, sizeof j->jid) < 0) { 730 jail_warnx(j, "%s", jail_errmsg); 731 failed(j); 732 return -1; 733 } 734 for (jp = j->jp; jp < j->jp + j->njp; jp++) 735 if (!JP_RDTUN(jp)) 736 *++sjp = *jp; 737 738 jid = jailparam_set_note(j, setparams, ns, 739 bool_param(j->intparams[IP_ALLOW_DYING]) 740 ? JAIL_UPDATE | JAIL_DYING : JAIL_UPDATE); 741 if (jid < 0) { 742 jail_warnx(j, "%s", jail_errmsg); 743 failed(j); 744 } 745 jailparam_free(setparams, 1); 746 return jid; 747 } 748 749 /* 750 * Return if a jail set would change any create-only parameters. 751 */ 752 static int 753 rdtun_params(struct cfjail *j, int dofail) 754 { 755 struct jailparam *jp, *rtparams, *rtjp; 756 int nrt, rval; 757 758 if (j->flags & JF_RDTUN) 759 return 0; 760 j->flags |= JF_RDTUN; 761 nrt = 0; 762 for (jp = j->jp; jp < j->jp + j->njp; jp++) 763 if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) 764 nrt++; 765 if (nrt == 0) 766 return 0; 767 rtjp = rtparams = alloca(++nrt * sizeof(struct jailparam)); 768 if (jailparam_init(rtjp, "jid") < 0 || 769 jailparam_import_raw(rtjp, &j->jid, sizeof j->jid) < 0) { 770 jail_warnx(j, "%s", jail_errmsg); 771 exit(1); 772 } 773 for (jp = j->jp; jp < j->jp + j->njp; jp++) 774 if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) 775 *++rtjp = *jp; 776 rval = 0; 777 if (jailparam_get(rtparams, nrt, 778 bool_param(j->intparams[IP_ALLOW_DYING]) ? JAIL_DYING : 0) > 0) { 779 rtjp = rtparams + 1; 780 for (jp = j->jp, rtjp = rtparams + 1; rtjp < rtparams + nrt; 781 jp++) { 782 if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) { 783 if (!((jp->jp_flags & (JP_BOOL | JP_NOBOOL)) && 784 jp->jp_valuelen == 0 && 785 *(int *)jp->jp_value) && 786 !(rtjp->jp_valuelen == jp->jp_valuelen && 787 !memcmp(rtjp->jp_value, jp->jp_value, 788 jp->jp_valuelen))) { 789 if (dofail) { 790 jail_warnx(j, "%s cannot be " 791 "changed after creation", 792 jp->jp_name); 793 failed(j); 794 rval = -1; 795 } else 796 rval = 1; 797 break; 798 } 799 rtjp++; 800 } 801 } 802 } 803 for (rtjp = rtparams + 1; rtjp < rtparams + nrt; rtjp++) 804 rtjp->jp_name = NULL; 805 jailparam_free(rtparams, nrt); 806 return rval; 807 } 808 809 /* 810 * Get the jail's jid if it is running. 811 */ 812 static void 813 running_jid(struct cfjail *j, int dflag) 814 { 815 struct iovec jiov[2]; 816 const char *pval; 817 char *ep; 818 int jid; 819 820 if ((pval = string_param(j->intparams[KP_JID]))) { 821 if (!(jid = strtol(pval, &ep, 10)) || *ep) { 822 j->jid = -1; 823 return; 824 } 825 *(const void **)&jiov[0].iov_base = "jid"; 826 jiov[0].iov_len = sizeof("jid"); 827 jiov[1].iov_base = &jid; 828 jiov[1].iov_len = sizeof(jid); 829 } else if ((pval = string_param(j->intparams[KP_NAME]))) { 830 *(const void **)&jiov[0].iov_base = "name"; 831 jiov[0].iov_len = sizeof("name"); 832 jiov[1].iov_len = strlen(pval) + 1; 833 jiov[1].iov_base = alloca(jiov[1].iov_len); 834 strcpy(jiov[1].iov_base, pval); 835 } else { 836 j->jid = -1; 837 return; 838 } 839 j->jid = jail_get(jiov, 2, dflag ? JAIL_DYING : 0); 840 } 841 842 static void 843 jail_quoted_warnx(const struct cfjail *j, const char *name_msg, 844 const char *noname_msg) 845 { 846 const char *pval; 847 848 if ((pval = j->name) || (pval = string_param(j->intparams[KP_JID])) || 849 (pval = string_param(j->intparams[KP_NAME]))) 850 warnx("\"%s\" %s", pval, name_msg); 851 else 852 warnx("%s", noname_msg); 853 } 854 855 /* 856 * Set jail parameters and possible print them out. 857 */ 858 static int 859 jailparam_set_note(const struct cfjail *j, struct jailparam *jp, unsigned njp, 860 int flags) 861 { 862 char *value; 863 int jid; 864 unsigned i; 865 866 jid = jailparam_set(jp, njp, flags); 867 if (verbose > 0) { 868 jail_note(j, "jail_set(%s%s)", 869 (flags & (JAIL_CREATE | JAIL_UPDATE)) == JAIL_CREATE 870 ? "JAIL_CREATE" : "JAIL_UPDATE", 871 (flags & JAIL_DYING) ? " | JAIL_DYING" : ""); 872 for (i = 0; i < njp; i++) { 873 printf(" %s", jp[i].jp_name); 874 if (jp[i].jp_value == NULL) 875 continue; 876 putchar('='); 877 value = jailparam_export(jp + i); 878 if (value == NULL) 879 err(1, "jailparam_export"); 880 quoted_print(stdout, value); 881 free(value); 882 } 883 if (jid < 0) 884 printf(": %s", strerror(errno)); 885 printf("\n"); 886 } 887 return jid; 888 } 889 890 /* 891 * Print a jail record. 892 */ 893 static void 894 print_jail(FILE *fp, struct cfjail *j, int oldcl) 895 { 896 struct cfparam *p; 897 898 if (oldcl) { 899 fprintf(fp, "%d\t", j->jid); 900 print_param(fp, j->intparams[KP_PATH], ',', 0); 901 putc('\t', fp); 902 print_param(fp, j->intparams[KP_HOST_HOSTNAME], ',', 0); 903 putc('\t', fp); 904 #ifdef INET 905 print_param(fp, j->intparams[KP_IP4_ADDR], ',', 0); 906 #ifdef INET6 907 if (j->intparams[KP_IP4_ADDR] && 908 !TAILQ_EMPTY(&j->intparams[KP_IP4_ADDR]->val) && 909 j->intparams[KP_IP6_ADDR] && 910 !TAILQ_EMPTY(&j->intparams[KP_IP6_ADDR]->val)) 911 putc(',', fp); 912 #endif 913 #endif 914 #ifdef INET6 915 print_param(fp, j->intparams[KP_IP6_ADDR], ',', 0); 916 #endif 917 putc('\t', fp); 918 print_param(fp, j->intparams[IP_COMMAND], ' ', 0); 919 } else { 920 fprintf(fp, "jid=%d", j->jid); 921 TAILQ_FOREACH(p, &j->params, tq) 922 if (strcmp(p->name, "jid")) { 923 putc(' ', fp); 924 print_param(fp, p, ',', 1); 925 } 926 } 927 putc('\n', fp); 928 } 929 930 /* 931 * Print a parameter value, or a name=value pair. 932 */ 933 static void 934 print_param(FILE *fp, const struct cfparam *p, int sep, int doname) 935 { 936 const struct cfstring *s, *ts; 937 938 if (doname) 939 fputs(p->name, fp); 940 if (p == NULL || TAILQ_EMPTY(&p->val)) 941 return; 942 if (doname) 943 putc('=', fp); 944 TAILQ_FOREACH_SAFE(s, &p->val, tq, ts) { 945 quoted_print(fp, s->s); 946 if (ts != NULL) 947 putc(sep, fp); 948 } 949 } 950 951 /* 952 * Print a string with quotes around spaces. 953 */ 954 static void 955 quoted_print(FILE *fp, char *str) 956 { 957 int c, qc; 958 char *p = str; 959 960 qc = !*p ? '"' 961 : strchr(p, '\'') ? '"' 962 : strchr(p, '"') ? '\'' 963 : strchr(p, ' ') || strchr(p, '\t') ? '"' 964 : 0; 965 if (qc) 966 putc(qc, fp); 967 while ((c = *p++)) { 968 if (c == '\\' || c == qc) 969 putc('\\', fp); 970 putc(c, fp); 971 } 972 if (qc) 973 putc(qc, fp); 974 } 975 976 static void 977 usage(void) 978 { 979 980 (void)fprintf(stderr, 981 "usage: jail [-dhilqv] [-J jid_file] [-u username] [-U username]\n" 982 " -[cmr] param=value ... [command=command ...]\n" 983 " jail [-dqv] [-f file] -[cmr] [jail]\n" 984 " jail [-qv] [-f file] -[rR] ['*' | jail ...]\n" 985 " jail [-dhilqv] [-J jid_file] [-u username] [-U username]\n" 986 " [-n jailname] [-s securelevel]\n" 987 " path hostname [ip[,...]] command ...\n"); 988 exit(1); 989 } 990