1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-28 08:02:54 +00:00

Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't

apply to most jails but do apply to vnet jails.  This includes adding
a new sysctl "security.jail.vnet" to identify vnet jails.

PR:		conf/149050
Submitted by:	mdodd
MFC after:	3 days
This commit is contained in:
Jamie Gritton 2013-05-19 04:10:34 +00:00
parent 156860b2b3
commit 761d2bb5b9
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=250804
6 changed files with 32 additions and 4 deletions

3
etc/rc
View File

@ -77,6 +77,9 @@ if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
if [ "$early_late_divider" = "FILESYSTEMS" ]; then
early_late_divider=NETWORKING
fi
if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
skip="$skip -s nojailvnet"
fi
fi
# Do a first pass to get everything up to $early_late_divider so that

View File

@ -5,7 +5,7 @@
# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojail
# KEYWORD: nojailvnet
. /etc/rc.subr
. /etc/network.subr

View File

@ -28,7 +28,7 @@
# PROVIDE: netif
# REQUIRE: atm1 FILESYSTEMS serial sppp sysctl
# REQUIRE: ipfilter ipfs
# KEYWORD: nojail
# KEYWORD: nojailvnet
. /etc/rc.subr
. /etc/network.subr

View File

@ -7,7 +7,7 @@
# PROVIDE: routing
# REQUIRE: faith netif ppp stf
# KEYWORD: nojail
# KEYWORD: nojailvnet
. /etc/rc.subr
. /etc/network.subr

View File

@ -81,7 +81,12 @@ fi
# and perform the operation
#
rcorder_opts="-k shutdown"
[ `/sbin/sysctl -n security.jail.jailed` -eq 1 ] && rcorder_opts="$rcorder_opts -s nojail"
if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
rcorder_opts="$rcorder_opts -s nojail"
if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
rcorder_opts="$rcorder_opts -s nojailvnet"
fi
fi
case ${local_startup} in
[Nn][Oo] | '') ;;

View File

@ -4132,6 +4132,26 @@ SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
sysctl_jail_jailed, "I", "Process in jail?");
static int
sysctl_jail_vnet(SYSCTL_HANDLER_ARGS)
{
int error, havevnet;
#ifdef VIMAGE
struct ucred *cred = req->td->td_ucred;
havevnet = jailed(cred) && prison_owns_vnet(cred);
#else
havevnet = 0;
#endif
error = SYSCTL_OUT(req, &havevnet, sizeof(havevnet));
return (error);
}
SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
sysctl_jail_vnet, "I", "Jail owns VNET?");
#if defined(INET) || defined(INET6)
SYSCTL_UINT(_security_jail, OID_AUTO, jail_max_af_ips, CTLFLAG_RW,
&jail_max_af_ips, 0,