rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision:	https://reviews.freebsd.org/D40371

libexec/rc/rc.d/accounting

@@ -76,4 +76,8 @@ accounting_rotate_log()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't manipulate accounting
+accounting_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/adjkerntz

@@ -14,4 +14,8 @@ start_cmd="adjkerntz -i"
 stop_cmd=":"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't modify kerntz
+adjkerntz_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/apm

@@ -43,4 +43,8 @@ apm_status()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apm_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/apmd

@@ -34,4 +34,8 @@ apmd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apmd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/auditd

@@ -32,4 +32,8 @@ auditd_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+auditd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/auditdistd

@@ -17,5 +17,7 @@ command="/usr/sbin/${name}"
 required_files="/etc/security/${name}.conf"
 extra_commands="reload"
 
+: ${auditdistd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/automount

@@ -28,4 +28,8 @@ automount_stop()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automount_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/automountd

@@ -17,4 +17,8 @@ command="/usr/sbin/${name}"
 required_modules="autofs"
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automountd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/autounmountd

@@ -16,4 +16,8 @@ pidfile="/var/run/${name}.pid"
 command="/usr/sbin/${name}"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+autounmountd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/bgfsck

@@ -46,4 +46,8 @@ bgfsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+bgfsck_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/blacklistd

@@ -40,5 +40,8 @@ rcvar="blacklistd_enable"
 command="/usr/sbin/${name}"
 required_files="/etc/blacklistd.conf"
 
+# no svcj options needed
+: ${blacklistd_svcj_options:=""}
+
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/bluetooth

@@ -317,5 +317,8 @@ bluetooth_stop()
 load_rc_config $name
 hccontrol="${bluetooth_hccontrol:-/usr/sbin/hccontrol}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bluetooth_svcj="NO"
+
 run_rc_command $*
 

libexec/rc/rc.d/bootparams

@@ -15,5 +15,7 @@ rcvar="bootparamd_enable"
 required_files="/etc/bootparams"
 command="/usr/sbin/${name}"
 
+: ${bootparamd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/bridge

@@ -90,4 +90,8 @@ bridge_stop()
 iflist=$2
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+bridge_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/bsnmpd

@@ -13,6 +13,8 @@ desc="Simple and extensible SNMP daemon"
 rcvar="bsnmpd_enable"
 command="/usr/sbin/${name}"
 
+: ${bsnmpd_svcj_options:="net_basic"}
+
 load_rc_config $name
 pidfile="${bsnmpd_pidfile:-/var/run/snmpd.pid}"
 command_args="-p ${pidfile}"

libexec/rc/rc.d/bthidd

@@ -50,4 +50,7 @@ if evdev_enabled; then
 fi
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bthidd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ccd

@@ -21,4 +21,8 @@ ccd_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ccd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/cfumass

@@ -145,4 +145,8 @@ cfumass_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+cfumass_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/cleanvar

@@ -43,4 +43,8 @@ cleanvar_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleanvar_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/cleartmp

@@ -57,4 +57,8 @@ cleartmp_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleartmp_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/cron

@@ -16,6 +16,11 @@ command="/usr/sbin/${name}"
 pidfile="/var/run/${name}.pid"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: in the generic case it may need
+# access to more than a jails allows
+cron_svcj="NO"
+
 if checkyesno cron_dst
 then
 	cron_flags="$cron_flags -s"

libexec/rc/rc.d/ctld

@@ -19,4 +19,8 @@ required_modules="ctl"
 extra_commands="reload"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ctld_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ddb

@@ -35,4 +35,7 @@ load_rc_config $name
 required_files="${ddb_config}"
 command_args="${ddb_config}"
 
+# doesn't make sense to run in a svcj: privileged operation
+ddb_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/defaultroute

@@ -70,4 +70,8 @@ defaultroute_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+defaultroute_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/devd

@@ -38,4 +38,8 @@ devd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: executing potential privileged operations
+devd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/devfs

@@ -68,4 +68,8 @@ read_devfs_conf()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: may need more permissions
+devfs_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/devmatch

@@ -78,4 +78,8 @@ devmatch_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: privileged operations
+devmatch_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/dhclient

@@ -59,6 +59,9 @@ dhclient_prestart()
 load_rc_config $name
 load_rc_config network
 
+# dhclient_prestart is not compatible with svcj
+dhclient_svcj="NO"
+
 if [ -z $ifn ] ; then
 	# only complain if a command was specified but no interface
 	if [ -n "$1" ] ; then

libexec/rc/rc.d/dmesg

@@ -23,4 +23,8 @@ do_dmesg()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+dmesg_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/dnctl

@@ -16,6 +16,9 @@ start_cmd="${name}_start"
 required_files="$dnctl_rules"
 required_modules="dummynet"
 
+# doesn't make sense to run in a svcj: config setting
+dnctl_svcj="NO"
+
 dnctl_start()
 {
 	startmsg -n "Enabling ${name}"

libexec/rc/rc.d/dumpon

@@ -97,4 +97,8 @@ dumpon_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+dumpon_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/fsck

@@ -91,4 +91,8 @@ fsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+fsck_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ftp-proxy

@@ -13,6 +13,8 @@ desc="Internet File Transfer Protocol proxy daemon"
 rcvar="ftpproxy_enable"
 command="/usr/sbin/ftp-proxy"
 
+: ${ftpproxy_svcj_options:="net_basic"}
+
 load_rc_config $name
 
 #

libexec/rc/rc.d/ftpd

@@ -13,13 +13,11 @@ desc="Internet File Transfer Protocol daemon"
 rcvar="ftpd_enable"
 command="/usr/libexec/${name}"
 pidfile="/var/run/${name}.pid"
-start_precmd=ftpd_prestart
 
-ftpd_prestart()
-{
-	rc_flags="-D ${rc_flags}"
-	return 0
-}
+: ${ftpd_svcj_options:="net_basic"}
 
 load_rc_config $name
+
+flags="-D ${flags} ${rc_flags}"
+
 run_rc_command "$1"

libexec/rc/rc.d/geli

@@ -121,4 +121,8 @@ geli_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/geli2

@@ -55,4 +55,8 @@ geli2_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli2_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ggated

@@ -14,6 +14,9 @@ pidfile="/var/run/${name}.pid"
 load_rc_config $name
 required_files="${ggated_config}"
 
+# XXX?: doesn't make sense to run in a svcj: low-level access
+ggated_svcj="NO"
+
 command_args="${ggated_config}"
 
 run_rc_command "$1"

libexec/rc/rc.d/gptboot

@@ -73,4 +73,8 @@ gptboot_report()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+gptboot_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/growfs

@@ -306,4 +306,8 @@ growfs_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/growfs_fstab

@@ -58,4 +58,8 @@ growfs_fstab_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_fstab_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/gssd

@@ -13,5 +13,7 @@ name=gssd
 desc="Generic Security Services Daemon"
 rcvar=gssd_enable
 
+: ${gssd_svcj_options:="net_basic nfsd"}
+
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/hastd

@@ -26,4 +26,8 @@ hastd_stop_precmd()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+hastd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/hcsecd

@@ -21,4 +21,7 @@ config="${hcsecd_config:-/etc/bluetooth/${name}.conf}"
 command_args="-f ${config}"
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+hcsecd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/hostapd

@@ -38,4 +38,8 @@ required_modules="wlan_xauth wlan_wep wlan_tkip wlan_ccmp"
 extra_commands="reload"
 
 load_rc_config ${name}
+
+# doesn't make sense to run in a svcj: nojail keyword
+hostapd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/hostid

@@ -156,4 +156,8 @@ hostid_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostid_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/hostid_save

@@ -44,4 +44,8 @@ hostid_save()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostid_save_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/hostname

@@ -77,4 +77,8 @@ hostname_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+hostname_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/inetd

@@ -16,5 +16,7 @@ pidfile="/var/run/${name}.pid"
 required_files="/etc/${name}.conf"
 extra_commands="reload"
 
+: ${inetd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/iovctl

@@ -35,4 +35,8 @@ iovctl_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+iovctl_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ip6addrctl

@@ -120,4 +120,8 @@ ip6addrctl_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ipv6addrctl_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ipfilter

@@ -15,6 +15,9 @@ rcvar="ipfilter_enable"
 load_rc_config $name
 stop_precmd="test -f ${ipfilter_rules}"
 
+# doesn't make sense to run in a svcj: config setting
+ipfilter_svcj="NO"
+
 start_precmd="$stop_precmd"
 start_cmd="ipfilter_start"
 stop_cmd="ipfilter_stop"

libexec/rc/rc.d/ipfs

@@ -49,4 +49,8 @@ ipfs_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ipfs_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/ipfw

@@ -163,4 +163,7 @@ ipfw_status()
 load_rc_config $name
 firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
 
+# doesn't make sense to run in a svcj: config setting
+ipfw_svcj="NO"
+
 run_rc_command $*

libexec/rc/rc.d/ipfw_netflow

@@ -73,4 +73,7 @@ ipfw_netflow_stop()
 
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: config setting
+ipfw_netflow_svcj="NO"
+
 run_rc_command $*

libexec/rc/rc.d/ipmon

@@ -15,6 +15,9 @@ rcvar="ipmon_enable"
 command="/sbin/${name}"
 start_precmd="ipmon_precmd"
 
+# no svcj options needed
+: ${ipmon_svcj_options:=""}
+
 ipmon_precmd()
 {
 	# Continue only if ipfilter or ipnat is enabled and the

libexec/rc/rc.d/ipnat

@@ -18,6 +18,9 @@ extra_commands="reload"
 required_files="${ipnat_rules}"
 required_modules="ipl:ipfilter"
 
+# doesn't make sense to run in a svcj: config setting
+ipnat_svcj="NO"
+
 ipnat_start()
 {
 	echo "Installing NAT rules."

libexec/rc/rc.d/ippool

@@ -13,6 +13,10 @@ name="ippool"
 desc="user interface to the IPFilter pools"
 rcvar="ippool_enable"
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ippool_svcj="NO"
+
 start_precmd="ippool_start_precmd"
 stop_cmd="${ippool_program} -F"
 reload_cmd="ippool_reload"

libexec/rc/rc.d/ipropd_master

@@ -14,6 +14,8 @@ required_files="$ipropd_master_keytab"
 start_precmd=${name}_start_precmd
 start_postcmd=${name}_start_postcmd
 
+: ${ipropd_master_svcj_options:="net_basic"}
+
 ipropd_master_start_precmd()
 {
 
@@ -24,10 +26,6 @@ ipropd_master_start_precmd()
 	for _slave in $ipropd_master_slaves; do
 		echo $_slave
 	done > /var/heimdal/slaves || return 1
-	command_args="$command_args \
-	    --keytab=\"$ipropd_master_keytab\" \
-	    --detach \
-	"
 }
 ipropd_master_start_postcmd()
 {
@@ -36,4 +34,10 @@ ipropd_master_start_postcmd()
 }
 
 load_rc_config $name
+
+command_args="$command_args \
+    --keytab=\"$ipropd_master_keytab\" \
+    --detach \
+"
+
 run_rc_command "$1"

libexec/rc/rc.d/ipropd_slave

@@ -13,6 +13,8 @@ rcvar=${name}_enable
 required_files="$ipropd_slave_keytab"
 start_precmd=${name}_start_precmd
 
+: ${ipropd_slave_svcj_options:="net_basic"}
+
 ipropd_slave_start_precmd()
 {
 
@@ -20,12 +22,14 @@ ipropd_slave_start_precmd()
 		warn "\$ipropd_slave_master is empty."
 		return 1
 	fi
-	command_args=" \
-	    $command_args \
-	    --keytab=\"$ipropd_slave_keytab\" \
-	    --detach \
-	    $ipropd_slave_master"
 }
 
 load_rc_config $name
+
+command_args=" \
+    command_args \
+    --keytab=\"$ipropd_slave_keytab\" \
+    --detach \
+    $ipropd_slave_master"
+
 run_rc_command "$1"

libexec/rc/rc.d/ipsec

@@ -57,4 +57,8 @@ ipsec_reload()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ipsec_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/iscsictl

@@ -17,4 +17,8 @@ command_args="${iscsictl_flags}"
 required_modules="iscsi"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+iscsictl_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/iscsid

@@ -17,4 +17,8 @@ command="/usr/sbin/${name}"
 required_modules="iscsi"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+iscsid_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/jail

@@ -605,6 +605,10 @@ jail_warn()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+jail_svcj="NO"
+
 case $# in
 1)	run_rc_command $@ ${jail_list:-_ALL} ;;
 *)	jail_reverse_stop="no"

libexec/rc/rc.d/kadmind

@@ -12,17 +12,13 @@ name=kadmind
 desc="Server for administrative access to Kerberos database"
 rcvar=${name}_enable
 required_vars=kdc_enable
-start_precmd=${name}_start_precmd
+command_args="$command_args &"
+
+: ${kadmind_svcj_options:="net_basic"}
 
 set_rcvar_obsolete kadmind5_server_enable kadmind_enable
 set_rcvar_obsolete kadmind5_server kadmind_program
 set_rcvar_obsolete kerberos5_server_enable kdc_enable
 
-kadmind_start_precmd()
-{
-
-	command_args="$command_args &"
-}
-
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/kdc

@@ -14,6 +14,7 @@ desc="Kerberos 5 server"
 rcvar=${name}_enable
 : ${kdc_restart:="NO"}
 : ${kdc_restart_delay:=""}
+: ${kdc_svcj_options:="net_basic"}
 
 set_rcvar_obsolete kerberos5_server_enable kdc_enable
 set_rcvar_obsolete kerberos5_server kdc_program

libexec/rc/rc.d/keyserv

@@ -17,6 +17,8 @@ rcvar="keyserv_enable"
 command="/usr/sbin/${name}"
 start_precmd="keyserv_prestart"
 
+: ${keyserv_svcj_options:="net_basic"}
+
 keyserv_prestart()
 {
 	force_depend rpcbind || return 1

libexec/rc/rc.d/kfd

@@ -11,13 +11,9 @@
 name=kfd
 desc="Receive forwarded tickets"
 rcvar=${name}_enable
-start_precmd=${name}_start_precmd
+command_args="$command_args -i &"
 
-kfd_start_precmd()
-{
-
-	command_args="$command_args -i &"
-}
+: ${kfd_svcj_options:="net_basic"}
 
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/kld

@@ -51,4 +51,8 @@ kld_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+kld_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/kldxref

@@ -33,4 +33,8 @@ kldxref_start() {
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+kldxref_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/kpasswdd

@@ -12,17 +12,13 @@ name=kpasswdd
 desc="Kerberos 5 password changing"
 rcvar=${name}_enable
 required_vars=kdc_enable
-start_precmd=${name}_start_precmd
+command_args="$command_args &"
+
+: ${kpasswdd_svcj_options:="net_basic"}
 
 set_rcvar_obsolete kpasswdd_server_enable kpasswdd_enable
 set_rcvar_obsolete kpasswdd_server kpasswdd_program
 set_rcvar_obsolete kerberos5_server_enable kdc_enable
 
-kpasswdd_start_precmd()
-{
-
-	command_args="$command_args &"
-}
-
 load_rc_config $name
 run_rc_command "$1"

libexec/rc/rc.d/ldconfig

@@ -72,4 +72,8 @@ ldconfig_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+ldconfig_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/linux

@@ -81,4 +81,8 @@ linux_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: kernel modules and FS-mounting
+linux_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/local

@@ -33,4 +33,8 @@ local_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: it may contain everything
+local_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/local_unbound

@@ -35,6 +35,7 @@ load_rc_config $name
 : ${local_unbound_tls:=}
 : ${local_unbound_pidfile:=${pidfile}}
 pidfile=${local_unbound_pidfile}
+: ${local_unbound_svcj_options:="net_basic"}
 
 do_as_unbound()
 {

libexec/rc/rc.d/localpkg

@@ -66,6 +66,8 @@ pkg_stop()
 				(set -T
 				trap 'exit 1' 2
 				${script} stop)
+			elif [ -f "${script}" -o -L "${script}" ]; then
+				echo -n " (skipping ${script##*/}, not executable)"
 			fi
 		done
 		[ -n "${initdone}" ] && echo '.'
@@ -74,4 +76,8 @@ pkg_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: other rc.d scripts need to decide on their own
+localpkg_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/lockd

@@ -16,6 +16,8 @@ rcvar=rpc_lockd_enable
 command="/usr/sbin/rpc.${name}"
 start_precmd='lockd_precmd'
 
+: ${lockd_svcj_options:="net_basic"}
+
 # Make sure that we are either an NFS client or server, and that we get
 # the correct flags from rc.conf(5).
 #
@@ -23,9 +25,10 @@ lockd_precmd()
 {
 	force_depend rpcbind || return 1
 	force_depend statd rpc_statd || return 1
-	
-	rc_flags=${rpc_lockd_flags}
 }
 
 load_rc_config $name
+
+rc_flags=${rpc_lockd_flags}
+
 run_rc_command $1

libexec/rc/rc.d/lpd

@@ -16,6 +16,8 @@ command="/usr/sbin/${name}"
 required_files="/etc/printcap"
 start_precmd="chkprintcap"
 
+: ${lpd_svcj_options:="net_basic"}
+
 chkprintcap()
 {
 	if checkyesno chkprintcap_enable ; then

libexec/rc/rc.d/mdconfig

@@ -181,6 +181,9 @@ fi
 
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: config setting
+mdconfig_svcj="NO"
+
 if [ -z "${_mdconfig_list}" ]; then
 	for _mdconfig_config in `list_vars mdconfig_md[0-9]\* |
 		sort_lite -nk1.12`

libexec/rc/rc.d/mdconfig2

@@ -211,6 +211,9 @@ fi
 
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: config setting
+mdconfig2_svcj="NO"
+
 if [ -z "${_mdconfig2_list}" ]; then
 	for _mdconfig2_config in `list_vars mdconfig_md[0-9]\* |
 		sort_lite -nk1.12`

libexec/rc/rc.d/mixer

@@ -100,4 +100,8 @@ mixer_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+mixer_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/motd

@@ -55,4 +55,8 @@ motd_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+motd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/mountcritlocal

@@ -60,4 +60,8 @@ mountcritlocal_start()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+mountcritlocal_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/mountcritremote

@@ -86,4 +86,8 @@ mountcritremote_start()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+mountcritremote_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/mountd

@@ -17,6 +17,8 @@ required_files="/etc/exports"
 start_precmd="mountd_precmd"
 extra_commands="reload"
 
+: ${mountd_svcj_options:="net_basic nfsd"}
+
 mountd_precmd()
 {
 
@@ -68,4 +70,8 @@ mountd_precmd()
 }
 
 load_rc_config $name
+
+# precmd is not compatible with svcj
+mountd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/mountlate

@@ -44,4 +44,8 @@ mountlate_start()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+mountlate_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/moused

@@ -18,6 +18,11 @@ pidfile="${pidprefix}.pid"
 pidarg=
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: nojail keyword
+# XXX: How does moused communiacte with the kernel?
+# XXX: Does the kernel prevent this communcation in jails?
+moused_svcj="NO"
+
 # Set the pid file and variable name. The second argument, if it exists, is
 # expected to be the mouse device.
 #

libexec/rc/rc.d/msgs

@@ -22,4 +22,8 @@ msgs_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+msgs_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/natd

@@ -40,4 +40,8 @@ natd_precmd()
 }
 
 load_rc_config $name
+
+# precmd is not compatible with svcj
+natd_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/netif

@@ -268,4 +268,8 @@ netif_common()
 # This is needed for mfsBSD at least.
 load_rc_config network
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+netif_svcj="NO"
+
 run_rc_command $*

libexec/rc/rc.d/netoptions

@@ -122,4 +122,8 @@ netoptions_inet6()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+netoptions_svcj="NO"
+
 run_rc_command $1

libexec/rc/rc.d/netwait

@@ -111,4 +111,8 @@ netwait_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+netwait_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/newsyslog

@@ -23,4 +23,8 @@ newsyslog_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: needs to send signals outside the svcj
+newsyslog_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/nfscbd

@@ -14,6 +14,8 @@ rcvar="nfscbd_enable"
 command="/usr/sbin/${name}"
 sig_stop="USR1"
 
+: ${nfscbd_svcj_options:="net_basic"}
+
 load_rc_config $name
 
 run_rc_command "$1"

libexec/rc/rc.d/nfsclient

@@ -46,4 +46,8 @@ unmount_all()
 	fi
 }
 load_rc_config $name
+
+# no unmounting in svcj
+nfsclient_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/nfsd

@@ -14,7 +14,11 @@ rcvar="nfs_server_enable"
 command="/usr/sbin/${name}"
 nfs_server_vhost=""
 
+: ${nfsd_svcj_options:="net_basic nfsd"}
+
 load_rc_config $name
+# precmd is not compatible with svcj
+nfsd_svcj="NO"
 start_precmd="nfsd_precmd"
 sig_stop="USR1"
 

libexec/rc/rc.d/nfsuserd

@@ -14,7 +14,11 @@ rcvar="nfsuserd_enable"
 command="/usr/sbin/${name}"
 sig_stop="USR1"
 
+: ${nfsuserd_svcj_options:="net_basic nfsd"}
+
 load_rc_config $name
+# precmd is not compatible with svcj
+nfsuserd_svcj="NO"
 start_precmd="nfsuserd_precmd"
 
 nfsuserd_precmd()

libexec/rc/rc.d/nisdomain

@@ -51,4 +51,8 @@ nisdomain_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+nisdomain_svcj="NO"
+
 run_rc_command "$1"

libexec/rc/rc.d/nscd

@@ -21,6 +21,9 @@ name="nscd"
 desc="Name-service caching daemon"
 rcvar="nscd_enable"
 
+# no svcj options needed
+: ${nscd_svcj_options:=""}
+
 command=/usr/sbin/nscd
 extra_commands="flush"
 flush_cmd="${command} -I all"

libexec/rc/rc.d/ntpd

@@ -28,6 +28,9 @@ pidfile="${_ntp_default_dir}/${name}.pid"
 
 load_rc_config $name
 
+# doesn't make sense to run in a svcj: nojail keyword
+ntpd_svcj="NO"
+
 leapfile_is_disabled() {
 	# Return true (0) if automatic leapfile handling is disabled.
 	case "$ntp_db_leapfile" in

libexec/rc/rc.d/ntpdate

@@ -31,4 +31,8 @@ ntpdate_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: privileged operations
+ntpdate_svcj="NO"
+
 run_rc_command "$1"