
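--- a/lib/libugidfw/ugidfw.c
+++ b/lib/libugidfw/ugidfw.c
@@ -34,9 +34,11 @@
  */
 #include <sys/param.h>
 #include <sys/errno.h>
+#include <sys/jail.h>
 #include <sys/time.h>
 #include <sys/sysctl.h>
 #include <sys/ucred.h>
+#include <sys/uio.h>
 #include <sys/mount.h>
 
 #include <security/mac_bsdextended/mac_bsdextended.h>
@@ -600,16 +602,45 @@
 }
 
 static int
+bsde_get_jailid(const char *name, size_t buflen, char *errstr)
+{
+	char *ep;
+	int jid;
+	struct iovec jiov[4];
+
+	/* Copy jail_getid(3) instead of messing with library dependancies */
+	jid = strtoul(name, &ep, 10);
+	if (*name && !*ep)
+		return jid;
+	jiov[0].iov_base = __DECONST(char *, "name");
+	jiov[0].iov_len = sizeof("name");
+	jiov[1].iov_len = strlen(name) + 1;
+	jiov[1].iov_base = alloca(jiov[1].iov_len);
+	strcpy(jiov[1].iov_base, name);
+	if (errstr && buflen) {
+		jiov[2].iov_base = __DECONST(char *, "errmsg");
+		jiov[2].iov_len = sizeof("errmsg");
+		jiov[3].iov_base = errstr;
+		jiov[3].iov_len = buflen;
+		errstr[0] = 0;
+		jid = jail_get(jiov, 4, 0);
+		if (jid < 0 && !errstr[0])
+			snprintf(errstr, buflen, "jail_get: %s",
+			    strerror(errno));
+	} else
+		jid = jail_get(jiov, 2, 0);
+	return jid;
+}
+
+static int
 bsde_parse_subject(int argc, char *argv[],
     struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
 {
 	int not_seen, flags;
 	int current, neg, nextnot;
-	char *endp;
 	uid_t uid_min, uid_max;
 	gid_t gid_min, gid_max;
 	int jid = 0;
-	long value;
 
 	current = 0;
 	flags = 0;
@@ -668,13 +699,9 @@
 				snprintf(errstr, buflen, "one jail only");
 				return (-1);
 			}
-			value = strtol(argv[current+1], &endp, 10);
+			jid = bsde_get_jailid(argv[current+1], buflen, errstr);
-			if (*endp != '\0') {
+			if (jid < 0)
-				snprintf(errstr, buflen, "invalid jid: '%s'",
-				    argv[current+1]);
 				return (-1);
-			}
-			jid = value;
 			flags |= MBS_PRISON_DEFINED;
 			if (nextnot) {
 				neg ^= MBS_PRISON_DEFINED;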
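Review bot: In the second hunk, `bsde_get_jailid` stores the result of `strtoul()` directly in `int jid`, so a numeric argument larger than `INT_MAX` is truncated and returned as a valid-looking jail ID, and an argument such as `-1` comes back negative without `errstr` being written on that path, which `bsde_parse_subject` then reports as a failure with no message of its own. For a MAC rule that selects subjects by jail, a silently truncated ID binds the rule to a different jail than the one typed. Keep the parsed value in an `unsigned long ul` and take the numeric path only when it fits, `if (*name && !*ep && ul <= INT_MAX) return ((int)ul);`, so anything else falls through to the `jail_get` lookup that fills `errstr`. The `alloca(strlen(name) + 1)` copy is also sized by the command-line argument with no upper bound; rejecting over-long names before the copy would keep the stack allocation bounded.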
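--- a/sbin/ipfw/Makefile
+++ b/sbin/ipfw/Makefile
@@ -13,7 +13,7 @@
 CFLAGS+=-DPF
 .endif
 
-LIBADD=	util
+LIBADD=	jail util
 MAN=	ipfw.8
 
 .include <bsd.prog.mk>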
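--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 9, 2018
+.Dd June 26, 2018
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1535,10 +1535,10 @@
 A
 .Ar group
 may be specified by name or number.
-.It Cm jail Ar prisonID
+.It Cm jail Ar prison
 Matches all TCP or UDP packets sent by or received for the
-jail whos prison ID is
+jail whos prison ID or name is
-.Ar prisonID .
+.Ar prison .
 .It Cm icmptypes Ar types
 Matches ICMP packets whose ICMP type is in the list
 .Ar types .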
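--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -32,6 +32,7 @@
 #include <err.h>
 #include <errno.h>
 #include <grp.h>
+#include <jail.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <stdio.h>
@@ -4581,13 +4582,12 @@
 		case TOK_JAIL:
 			NEED1("jail requires argument");
 		    {
-			char *end;
 			int jid;
 
 			cmd->opcode = O_JAIL;
-			jid = (int)strtol(*av, &end, 0);
+			jid = jail_getid(*av);
-			if (jid < 0 || *end != '\0')
+			if (jid < 0)
-				errx(EX_DATAERR, "jail requires prison ID");
+				errx(EX_DATAERR, "%s", jail_errmsg);
 			cmd32->d[0] = (uint32_t)jid;
 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 			av++;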
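Review bot: With `jail_getid(*av)` in the `TOK_JAIL` case a jail name is resolved once, when the rule is added, and only the resulting number is kept in `cmd32->d[0]`, so the rule does not follow the jail if it is restarted and comes back under a different ID. For a firewall rule that is a policy risk: the rule can stop matching the intended jail, or could match whichever jail is later assigned that ID. I would add a comment above the call, `/* A name is resolved to a jid here; the rule stores the number and is not updated if the jail is recreated. */`, and say the same in the `jail` entry of ipfw.8. The replacement also drops base-0 parsing: the old `strtol(*av, &end, 0)` accepted hex and octal IDs, while the copy of jail_getid shown in ugidfw.c parses base 10, so a ruleset written with `0x` IDs would presumably now be looked up as a jail name. The enclosing function starts and ends outside the hunk.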
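--- a/usr.bin/cpuset/Makefile
+++ b/usr.bin/cpuset/Makefile
@@ -2,4 +2,6 @@
 
 PROG=   cpuset
 
+LIBADD= jail
+
 .include <bsd.prog.mk>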
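--- a/usr.bin/cpuset/cpuset.1
+++ b/usr.bin/cpuset/cpuset.1
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 26, 2018
+.Dd June 26, 2018
 .Dt CPUSET 1
 .Os
 .Sh NAME
@@ -56,7 +56,7 @@
 .Nm
 .Fl g
 .Op Fl cir
-.Op Fl d Ar domain | Fl j Ar jailid | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
+.Op Fl d Ar domain | Fl j Ar jail | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
 .Sh DESCRIPTION
 The
 .Nm
@@ -68,7 +68,7 @@
 .Nm
 requires a target to modify or query.
 The target may be specified as a command, process id, thread id, a
-cpuset id, an irq, a jail id, or a NUMA domain.
+cpuset id, an irq, a jail, or a NUMA domain.
 Using
 .Fl g
 the target's set id or mask may be queried.
@@ -136,8 +136,8 @@
 When used with the
 .Fl g
 option print the id rather than the valid mask of the target.
-.It Fl j Ar jailid
+.It Fl j Ar jail
-Specifies a jail id as the target of the operation.
+Specifies a jail id or name as the target of the operation.
 .It Fl l Ar cpu-list
 Specifies a list of CPUs to apply to a target.
 Specification may include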
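--- a/usr.bin/cpuset/cpuset.c
+++ b/usr.bin/cpuset/cpuset.c
@@ -42,6 +42,7 @@
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#include <jail.h>
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -320,7 +321,9 @@
 		case 'j':
 			jflag = 1;
 			which = CPU_WHICH_JAIL;
-			id = atoi(optarg);
+			id = jail_getid(optarg);
+			if (id < 0)
+				errx(EXIT_FAILURE, "%s", jail_errmsg);
 			break;
 		case 'l':
 			lflag = 1;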
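--- a/usr.bin/sockstat/Makefile
+++ b/usr.bin/sockstat/Makefile
@@ -2,4 +2,6 @@
 
 PROG=		sockstat
 
+LIBADD=		jail
+
 .include <bsd.prog.mk>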
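--- a/usr.bin/sockstat/sockstat.1
+++ b/usr.bin/sockstat/sockstat.1
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 23, 2018
+.Dd June 26, 2018
 .Dt SOCKSTAT 1
 .Os
 .Sh NAME
@@ -58,8 +58,8 @@
 (IPv6) sockets.
 .It Fl c
 Show connected sockets.
-.It Fl j Ar jid
+.It Fl j Ar jail
-Show only sockets belonging to the specified jail ID.
+Show only sockets belonging to the specified jail ID or name.
 .It Fl L
 Only show Internet sockets if the local and foreign addresses are not
 in the loopback network prefix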
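--- a/usr.bin/sockstat/sockstat.c
+++ b/usr.bin/sockstat/sockstat.c
@@ -57,6 +57,7 @@
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#include <jail.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <stdarg.h>
@@ -1263,7 +1264,9 @@
 			opt_c = 1;
 			break;
 		case 'j':
-			opt_j = atoi(optarg);
+			opt_j = jail_getid(optarg);
+			if (opt_j < 0)
+				errx(1, "%s", jail_errmsg);
 			break;
 		case 'L':
 			opt_L = 1;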
