History log of /freebsd-head/usr.sbin/jail/config.c
Revision Date Author Comments
b5bdd5a3db74eb50e728be9d87cf31854ed11e91 16-Aug-2018 jamie <jamie@FreeBSD.org> security.jail.enforce_statfs is handled by jail_set(2), so handling it in
userspace jail(8) is redundant.

Differential Revision: D14791
42ccecb54bc6d2fd91950ba895e4ac88c7a08efd 15-Aug-2018 netchild <netchild@FreeBSD.org> - Add exec hook "exec.created". This is called when the jail is
created and before exec.start is called. [1]
- Bump __FreeBSD_version.

This allows to attach ZFS datasets and various other things to be
done before any command/service/rc-script is started in the new
jail.

PR: 228066 [1]
Reviewed by: jamie [1]
Submitted by: Stefan Grönke <stefan@gronke.net> [1]
Differential Revision: https://reviews.freebsd.org/D15330 [1]
7551d83c353e040b32c6ac205e577dbc5f2c8955 27-Nov-2017 pfg <pfg@FreeBSD.org> various: general adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

No functional change intended.
00d578928eca75be320b36d37543a7e2a4f9fbdb 27-May-2016 grehan <grehan@FreeBSD.org> Create branch for bhyve graphics import.
edc9e0e402414ef2f54058cbe73a30a47e4ac6bd 21-Jan-2016 jamie <jamie@FreeBSD.org> MFC r294183:

Clear errno before calling getpw*.

MFC r294196:

Don't bother checking an ip[46].addr netmask/prefixlen. This is already
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.

PR: 205926
2595beb23eaefead7d0a7c8928f688e2bacc8574 16-Jan-2016 jamie <jamie@FreeBSD.org> Don't bother checking an ip[46].addr netmask/prefixlen. This is already
handled by ifconfig, and it was doing it wrong when the paramater included
extra ifconfig options.

PR: 205926
MFC after: 5 days
979a1cd315a9f7ff11c9f6fcf2b41562a5148425 23-Jul-2015 hrs <hrs@FreeBSD.org> MFC r285261, r285279:

- Fix offset calculation in variable substitution
in jail.conf. The following did not work correctly:

A="A_${B}_C_${D}"
B="BBBBB"
D="DDDD_${E}_FFFFF"
E="EEEEE"

- Implement PF_IMMUTABLE flag and apply it to "name" and "jid" in
jail.conf parameters. This flag disallows redefinition of the parameter.

"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions. However,
one could override them by using a variable with the same name like
$name = "foo". This confused the parser and could end up with SIGSEGV.

Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf. Specifically,
"jail -c name=j1 name=j2" no longer works. This should be harmless.

Approved by: re (gjb)
6a6f4266c7bdb95f45b0f4822b0f7e176a775549 08-Jul-2015 hrs <hrs@FreeBSD.org> Implement PF_IMMUTABLE flag and apply it to "name" and "jid" in
jail.conf parameters. This flag disallows redefinition of the parameter.

"name" and/or "jid" are automatically defined in jail.conf by using
the jail names at the front of jail parameter definitions. However,
one could override them by using a variable with the same name like
$name = "foo". This confused the parser and could end up with SIGSEGV.

Note that this change also affects a case when all of parameters are
defined in the command line arguments, not in jail.conf. Specifically,
"jail -c name=j1 name=j2" no longer works. This should be harmless.

PR: 196574
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3017
3c6c216f16bc709c4ec041197fc43da17b24d02d 08-Jul-2015 hrs <hrs@FreeBSD.org> Fix offset calculation in variable substitution
in jail.conf. The following did not work correctly:

A="A_${B}_C_${D}"
B="BBBBB"
D="DDDD_${E}_FFFFF"
E="EEEEE"

PR: 189139
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D3018
f8ff07ebef14d8d87007863c4b3bfcf35f6b515f 10-Feb-2015 jamie <jamie@FreeBSD.org> MFC r278323:

Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.

Also fix a typo while I'm at it.

PR: 197237 197066
6064614ca50b8b6311bd60d1f85c0dcba8ef8954 06-Feb-2015 jamie <jamie@FreeBSD.org> Add mount.procfs jail parameter, so procfs can be mounted when a prison's
root is in its fstab.

Also fix a typo while I'm at it.

PR: 197237 197066
MFC after: 3 days
ffdde8cca2df0bfc380bac235a6db29f0e6269e5 11-Aug-2014 smh <smh@FreeBSD.org> MFC r269522

Added support for extra ifconfig args to jail ip4.addr & ip6.addr params

This allows for CARP interfaces to be used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"

r269340 will not be MFC'ed as mentioned due to the slim window and the
amount of additional commits required to support it.

Sponsored by: Multiplay
1aebfbbf080f1487de07af157c3325645d98f9d9 04-Aug-2014 smh <smh@FreeBSD.org> Added support for extra ifconfig args to jail ip4.addr & ip6.addr params

This allows for CARP interfaces to be used in jails e.g.
ip4.addr = "em0|10.10.1.20/32 vhid 1 pass MyPass advskew 100"

Before this change using exec.prestart to configure a CARP address
would result in the wrong MAC being broadcast on startup as jail creates
IP aliases to support ip[4|6].addr before exec.prestart is executed.

PR: 191832
Reviewed by: jamie
MFC after: 1 week
X-MFC-With: r269340
Phabric: D528
Sponsored by: Multiplay
eb1a5f8de9f7ea602c373a710f531abbf81141c4 21-Feb-2014 gjb <gjb@FreeBSD.org> Move ^/user/gjb/hacking/release-embedded up one directory, and remove
^/user/gjb/hacking since this is likely to be merged to head/ soon.

Sponsored by: The FreeBSD Foundation
6b01bbf146ab195243a8e7d43bb11f8835c76af8 27-Dec-2013 gjb <gjb@FreeBSD.org> Copy head@r259933 -> user/gjb/hacking/release-embedded for initial
inclusion of (at least) arm builds with the release.

Sponsored by: The FreeBSD Foundation
2a6361507410ac1bd935b61f13d48c2512bb6cc3 12-Oct-2013 hrs <hrs@FreeBSD.org> MFC 256385:

- Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.

- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.

Approved by: re (gjb)
513bdd96d7234f6f561d60a5f7956c040564278b 12-Oct-2013 hrs <hrs@FreeBSD.org> - Add mount.fdescfs parameter to jail(8). This is similar to
mount.devfs but mounts fdescfs. The mount happens just after
mount.devfs.

- rc.d/jail now displays whole error message from jail(8) when a jail
fails to start.

Approved by: re (gjb)
82d58114889a20fcd15b9f51da2e60600642ed77 28-Mar-2013 jamie <jamie@FreeBSD.org> Reverse the order of some implicit commands (FS mounts and ifconfigs)
when stopping jails. This matters particularly for nested filesystem
mounts.

PR: kern/177325
Submitted by: Harald Schmalzbauer
MFC after: 3 days
1b32102bdf4aa51f58e449687805d2a027d82f51 04-Oct-2012 jamie <jamie@FreeBSD.org> Move properly to the next parameter when jailparam_init fails
(i.e. on an unknown parameter), to avoid freeing bogus pointers.
44f6adcfe508d818ffa24b55aa971bdab966465c 23-Aug-2012 jamie <jamie@FreeBSD.org> Partially roll back r239601 - keep parameter strings both length-delimited
and null-terminated at the same time, because they're later passed to
libjail as null-terminated. That means I also need to add a nul byte when
comma-combining array parameters.

MFC after: 6 days
2c0fa1424091a2dec98b12412d446a9cac3edc15 23-Aug-2012 jamie <jamie@FreeBSD.org> Remember that I'm using length-defined strings in parameters:

Remove a bogus null terminator when stripping the netmask from
IP addresses. This was causing later addresses in a comma-separated
string to disappear.

Use memcpy instead of strcpy. This could just cause Bad Things.

PR: 170832
MFC after: 1 week
310ab6d7ff9b6ca4c8c1159bdd4eafd63aaf34ba 22-May-2012 bapt <bapt@FreeBSD.org> Fix world after byacc import:
- old yacc(1) use to magicially append stdlib.h, while new one don't
- new yacc(1) do declare yyparse by itself, fix redundant declaration of
'yyparse'

Approved by: des (mentor)
18b00ce05256ac1bef00083a0ce9a34fcb4c49a9 03-May-2012 jamie <jamie@FreeBSD.org> Add a meta-parameter IP__NULL to enum intparam, instead of mixing
enum values and zeroes. This keeps clang happy (and is just good form).

Submitted by: dim
6fe59c6c06d9b42a052d1fb76fdbd3237ffba98e 27-Feb-2012 jamie <jamie@FreeBSD.org> Use the defvs_ruleset paramater when mounting a jail's /dev,
instead of a mount.devfs.ruleset pseudo-parameter.
6811668a5f8d31f9754803ba22ad926b39c67e0c 20-Jun-2011 jamie <jamie@FreeBSD.org> Following r222465:

Check for IPv4 or IPv6 to be available by the kernel to not
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.
6a72e94c3019b6332e3ceed20230b005217aaa55 20-Jun-2011 jamie <jamie@FreeBSD.org> Linty stuff.
8d425bfde2c0af68087f5784ac994ac5d316a375 17-Jun-2011 jamie <jamie@FreeBSD.org> Update copyright dates and other whitespacey stuff.
bf5da8413e8633aec301ea33b6698aa264e91927 17-Jun-2011 jamie <jamie@FreeBSD.org> Split run_command up into an outer function (next_command) that chooses
a single command string to run, and an inner function (run_command) that
runs that single string.
Move the list of start/stop commands to run from a switch statement into
an array, with a new placeholder parameter IP__OP for actually creating
or removing the jail.
When jail creation fails, revert all non-exec commands in reverse order.
0e5ec9dce0b4f9791252ba22064fb407dc733ff9 17-Jun-2011 jamie <jamie@FreeBSD.org> Change cfstrings from an STAILQ into a TAILQ to allow commands to be
traversed in reverse order.
85767896da1c52300de322e3fc4f29fe9b7e4413 04-Nov-2010 jamie <jamie@FreeBSD.org> Reads the mount.fstab file, and put its lines separately into the
IP__MOUNT_FROM_FSTAB internal parameter.
94aa5f72213aae7248f78420b16afc320dd93e4b 01-Nov-2010 jamie <jamie@FreeBSD.org> Combine check_intparams() and ip_params(), JF_CHECKINT and JF_IPPARAMS.
0cc1eb58369550147e49374b59c58673074f2b21 27-Oct-2010 jamie <jamie@FreeBSD.org> Use a little more "ifdef INET6".
235aefe21957ecc7c526a419943418bbb1248f11 27-Oct-2010 jamie <jamie@FreeBSD.org> Keep all internal/known parameter names in one place, and use
enum constants everywhere else.
3b31921eb1179730750d3f91afe80cd48a49aa95 20-Oct-2010 jamie <jamie@FreeBSD.org> Initial work on the new jail(8). There are more features to add, and some
cleaning up to do on existing features, but this is pretty much what the
final product will look like.