Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
apply to most jails but do apply to vnet jails. This includes adding a new sysctl "security.jail.vnet" to identify vnet jails. PR: conf/149050 Submitted by: mdodd MFC after: 3 days
This commit is contained in:
parent
156860b2b3
commit
761d2bb5b9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=250804
3
etc/rc
3
etc/rc
@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
|
||||
if [ "$early_late_divider" = "FILESYSTEMS" ]; then
|
||||
early_late_divider=NETWORKING
|
||||
fi
|
||||
if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
|
||||
skip="$skip -s nojailvnet"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Do a first pass to get everything up to $early_late_divider so that
|
||||
|
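Review bot: The new `security.jail.vnet` test is an unquoted backtick expansion inside `[ ... -ne 1 ]`, so on a kernel that lacks the new sysctl (this rc booting a jail on an older kernel) the command prints nothing, the test collapses to `[ -ne 1 ]`, sh reports "unexpected operator" and treats it as false, and `-s nojailvnet` is never added — the nojailvnet scripts would then run in a plain jail. The existing `security.jail.jailed` line has the same shape, but that sysctl predates this change; the new one should fail closed with a string comparison: `if [ "$(/sbin/sysctl -n security.jail.vnet 2>/dev/null)" != "1" ]; then`. The rc.shutdown hunk that builds `rcorder_opts` repeats the same construct and should get the same treatment. The enclosing `if [ ... security.jail.jailed ... ]` begins on the hunk header line, outside the hunk.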
@ -5,7 +5,7 @@
|
||||
|
||||
# PROVIDE: ipfw
|
||||
# REQUIRE: ppp
|
||||
# KEYWORD: nojail
|
||||
# KEYWORD: nojailvnet
|
||||
|
||||
. /etc/rc.subr
|
||||
. /etc/network.subr
|
||||
|
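Review bot: Swapping `nojail` for `nojailvnet` here, and identically in the netif and routing hunks, changes policy: these scripts were skipped in every jail and now run in any jail that owns its vnet. That is the intent, but the new keyword needs to be described where `nojail` is already documented (rc(8)), stating that `nojailvnet` means "skip only in jails without their own vnet" rather than "skip in all jails"; I cannot see such a documentation change in this part of the commit, so it may live elsewhere in it. No change to these three scripts themselves is proposed.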
@ -28,7 +28,7 @@
|
||||
# PROVIDE: netif
|
||||
# REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
|
||||
# REQUIRE: ipfilter ipfs
|
||||
# KEYWORD: nojail
|
||||
# KEYWORD: nojailvnet
|
||||
|
||||
. /etc/rc.subr
|
||||
. /etc/network.subr
|
||||
|
@ -7,7 +7,7 @@
|
||||
|
||||
# PROVIDE: routing
|
||||
# REQUIRE: faith netif ppp stf
|
||||
# KEYWORD: nojail
|
||||
# KEYWORD: nojailvnet
|
||||
|
||||
. /etc/rc.subr
|
||||
. /etc/network.subr
|
||||
|
@ -81,7 +81,12 @@ fi
|
||||
# and perform the operation
|
||||
#
|
||||
rcorder_opts="-k shutdown"
|
||||
[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
|
||||
if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
|
||||
rcorder_opts="$rcorder_opts -s nojail"
|
||||
if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
|
||||
rcorder_opts="$rcorder_opts -s nojailvnet"
|
||||
fi
|
||||
fi
|
||||
|
||||
case ${local_startup} in
|
||||
[Nn][Oo] | '') ;;
|
||||
|
@ -4132,6 +4132,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
|
||||
CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
|
||||
sysctl_jail_jailed, "I", "Process in jail?");
|
||||
|
||||
static int
|
||||
sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
|
||||
{
|
||||
int error, havevnet;
|
||||
#ifdef VIMAGE
|
||||
struct ucred *cred = req->td->td_ucred;
|
||||
|
||||
havevnet = jailed(cred) && prison_owns_vnet(cred);
|
||||
#else
|
||||
havevnet = 0;
|
||||
#endif
|
||||
error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
|
||||
|
||||
return (error);
|
||||
}
|
||||
|
||||
SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
|
||||
CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
|
||||
sysctl_jail_vnet, "I", "Jail owns VNET?");
|
||||
|
||||
#if defined(INET) || defined(INET6)
|
||||
SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
|
||||
&jail_max_af_ips, 0,
|
||||
|
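Review bot: `sysctl_jail_vnet` has no header comment, and its contract matters because the new rc hunks test the value with `-ne 1`, so anything other than exactly 1 is read as "not a vnet jail". Suggested comment above the `static int` line: `/* Report whether the calling process is in a jail that owns its own vnet: 1 if so, 0 otherwise. Always 0 on kernels built without VIMAGE. rc(8) uses this to decide whether nojailvnet scripts run. */`. The `&&` in the VIMAGE branch already guarantees a 0/1 result, which is worth saying explicitly so a future change does not return a flag mask instead. A similar one-line note on the `#else` branch (`/* no VIMAGE: the sysctl exists but always reports 0 */`) would make the non-VIMAGE behaviour obvious to whoever reads the rc side.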