diff -ruN ezjail-3.4.2_org/Makefile ezjail-3.4.2/Makefile --- ezjail-3.4.2_org/Makefile 2015-11-22 22:04:32.000000000 -0500 +++ ezjail-3.4.2/Makefile 2017-04-27 10:58:08.287387000 -0400 @@ -14,9 +14,10 @@ cp -R share/zsh/site-functions/ ${DST}/share/zsh/site-functions/ sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.conf.sample > ${DST}/etc/ezjail.conf.sample sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.sh > ${DST}/etc/rc.d/ezjail + sed s:EZJAIL_PREFIX:${PREFIX}: ezjail.jail > ${DST}/bin/ezjail.jail sed s:EZJAIL_PREFIX:${PREFIX}: ezjail-admin > ${DST}/bin/ezjail-admin sed s:EZJAIL_PREFIX:${PREFIX}: man8/ezjail-admin.8 > ${DST}/man/man8/ezjail-admin.8 sed s:EZJAIL_PREFIX:${PREFIX}: man5/ezjail.conf.5 > ${DST}/man/man5/ezjail.conf.5 sed s:EZJAIL_PREFIX:${PREFIX}: man7/ezjail.7 > ${DST}/man/man7/ezjail.7 - chmod 755 ${DST}/etc/rc.d/ezjail ${DST}/bin/ezjail-admin + chmod 755 ${DST}/etc/rc.d/ezjail ${DST}/bin/ezjail-admin ${DST}/bin/ezjail.jail chmod 0440 ${DST}/share/examples/ezjail/example/usr/local/etc/sudoers diff -ruN ezjail-3.4.2_org/ezjail-clone.sh ezjail-3.4.2/ezjail-clone.sh --- ezjail-3.4.2_org/ezjail-clone.sh 2015-04-14 18:10:53.000000000 -0400 +++ ezjail-3.4.2/ezjail-clone.sh 1969-12-31 19:00:00.000000000 -0500 @@ -1,56 +0,0 @@ -#!/bin/sh - -ezjail_dirlist="bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/libdata usr/libexec usr/sbin usr/src usr/share usr/lib32 usr/ports" - -ezjail_name=`uname -n` -ezjail_safename=`echo -n "${ezjail_name}" | tr -c '[:alnum:]' _` -ezjail_archive_tag="${ezjail_safename}-`date +%Y%m%d%H%M.%S`" -ezjail_archive="${ezjail_archive_tag}.tar.gz" -ezjail_archive_opt="-f `pwd -P`/${ezjail_archive}" - -# Create soft links needed in all ezjails -mkdir -p /tmp/ezjail_fakeroot/usr /tmp/ezjail_fakeroot/basejail -for dir in ${ezjail_dirlist}; do - ln -s /basejail/${dir} /tmp/ezjail_fakeroot/${dir} -done - -# Construct regex that excludes directories from newjail -# Also excludes the directories themself, they will be added as softlinks -repl="" -for dir in ${ezjail_dirlist}; do - repl="${repl} -s:^./${dir}/.*::p -s:^./${dir}$::p" -done - -# Do not want to archive the archive itself -repl="${repl} -s:.*/${ezjail_archive}$::p" - -# Must not archive content of /dev and /proc -repl="${repl} -s:^./dev/.*::p -s:^./proc/.*::p" - -# Map the softlinks found in our fake root into the jails root -# exclude fakeroot's /usr -repl="${repl} -s:^./tmp/ezjail_fakeroot/usr$::p -s:^./tmp/ezjail_fakeroot/:ezjail/:p" - -# Finally re-locate all files under ezjail/ so that the restore command find them -repl="${repl} -s:^\.:ezjail:p" - -cd / -pax -wt -x cpio ${ezjail_archive_opt} ${repl} . -ezjail_paxresult=$? - -rm -rf /tmp/ezjail_fakeroot/ - -# Debug: unset LANG LC_CTYPE -# Debug: find -dE / ! -regex "/(dev|proc|${ezjail_dirlist})/.*" -a ! -regex "/(${ezjail_dirlist})" -a ! -path /tmp/ezjail_fakeroot/usr -a ! -name "${ezjail_archive}" \ - -if [ ${ezjail_paxresult} -eq 0 ]; then - echo Your system has been archived to ${ezjail_archive} - echo On the destination ezjail installation use the following command to - echo import it as an ezjail: - echo ezjail-admin create -a ./${ezjail_archive} HOSTNAME IP - echo Of course you can use many other switches to ezjail-admin create on - echo the target system as well. -else - echo Your system could not be archived, try the following command to find - echo out why: -fi diff -ruN ezjail-3.4.2_org/ezjail.jail ezjail-3.4.2/ezjail.jail --- ezjail-3.4.2_org/ezjail.jail 1969-12-31 19:00:00.000000000 -0500 +++ ezjail-3.4.2/ezjail.jail 2017-04-27 09:02:19.493483000 -0400 @@ -0,0 +1,599 @@ +#!/bin/sh +# +# $FreeBSD: releng/11.0/etc/rc.d/jail 302955 2016-07-17 14:07:51Z jamie $ +# + +# PROVIDE: jail +# REQUIRE: LOGIN FILESYSTEMS +# BEFORE: securelevel +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="jail" +desc="Manage system jails" +rcvar="jail_enable" + +start_cmd="jail_start" +start_postcmd="jail_warn" +stop_cmd="jail_stop" +config_cmd="jail_config" +console_cmd="jail_console" +status_cmd="jail_status" +extra_commands="config console status" +: ${jail_conf:=/etc/jail.conf} +: ${jail_program:=/usr/sbin/jail} +: ${jail_consolecmd:=/usr/bin/login -f root} +: ${jail_jexec:=/usr/sbin/jexec} +: ${jail_jls:=/usr/sbin/jls} + +need_dad_wait= + +# extract_var jv name param num defval +# Extract value from ${jail_$jv_$name} or ${jail_$name} and +# set it to $param. If not defined, $defval is used. +# When $num is [0-9]*, ${jail_$jv_$name$num} are looked up and +# $param is set by using +=. $num=0 is optional (params may start at 1). +# When $num is YN or NY, the value is interpreted as boolean. +# When $num is @, the value is interpreted as an array separted by IFS. +extract_var() +{ + local i _jv _name _param _num _def _name1 _name2 + _jv=$1 + _name=$2 + _param=$3 + _num=$4 + _def=$5 + + case $_num in + YN) + _name1=jail_${_jv}_${_name} + _name2=jail_${_name} + eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" + if checkyesno $_name1; then + echo " $_param = 1;" + else + echo " $_param = 0;" + fi + ;; + NY) + _name1=jail_${_jv}_${_name} + _name2=jail_${_name} + eval $_name1=\"\${$_name1:-\${$_name2:-$_def}}\" + if checkyesno $_name1; then + echo " $_param = 0;" + else + echo " $_param = 1;" + fi + ;; + [0-9]*) + i=$_num + while : ; do + _name1=jail_${_jv}_${_name}${i} + _name2=jail_${_name}${i} + eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param += \"$_tmpargs\";" + elif [ $i != 0 ]; then + break; + fi + i=$(($i + 1)) + done + ;; + @) + _name1=jail_${_jv}_${_name} + _name2=jail_${_name} + eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" + set -- $_tmpargs + if [ $# -gt 0 ]; then + echo -n " $_param = " + while [ $# -gt 1 ]; do + echo -n "\"$1\", " + shift + done + echo "\"$1\";" + fi + ;; + *) + _name1=jail_${_jv}_${_name} + _name2=jail_${_name} + eval _tmpargs=\"\${$_name1:-\${$_name2:-$_def}}\" + if [ -n "$_tmpargs" ]; then + echo " $_param = \"$_tmpargs\";" + fi + ;; + esac +} + +# parse_options _j _jv +# Parse options and create a temporary configuration file if necessary. +# +parse_options() +{ + local _j _jv _p + _j=$1 + _jv=$2 + + _confwarn=0 + if [ -z "$_j" ]; then + warn "parse_options: you must specify a jail" + return + fi + eval _jconf=\"\${jail_${_jv}_conf:-/etc/jail.${_j}.conf}\" + eval _rootdir=\"\$jail_${_jv}_rootdir\" + eval _hostname=\"\$jail_${_jv}_hostname\" + if [ -z "$_rootdir" -o \ + -z "$_hostname" ]; then + if [ -r "$_jconf" ]; then + _conf="$_jconf" + return 0 + elif [ -r "$jail_conf" ]; then + _conf="$jail_conf" + return 0 + else + warn "Invalid configuration for $_j " \ + "(no jail.conf, no hostname, or no path). " \ + "Jail $_j was ignored." + fi + return 1 + fi + eval _ip=\"\$jail_${_jv}_ip\" + if [ -z "$_ip" ] && ! check_kern_features vimage; then + warn "no ipaddress specified and no vimage support. " \ + "Jail $_j was ignored." + return 1 + fi + _conf=/var/run/jail.${_j}.conf + # + # To relieve confusion, show a warning message. + # + _confwarn=1 + if [ -r "$jail_conf" -o -r "$_jconf" ]; then + if ! checkyesno jail_parallel_start; then + warn "$_conf is created and used for jail $_j." + fi + fi + /usr/bin/install -m 0644 -o root -g wheel /dev/null $_conf || return 1 + + eval : \${jail_${_jv}_flags:=${jail_flags}} + eval _exec=\"\$jail_${_jv}_exec\" + eval _exec_start=\"\$jail_${_jv}_exec_start\" + eval _exec_stop=\"\$jail_${_jv}_exec_stop\" + if [ -n "${_exec}" ]; then + # simple/backward-compatible execution + _exec_start="${_exec}" + _exec_stop="" + else + # flexible execution + if [ -z "${_exec_start}" ]; then + _exec_start="/bin/sh /etc/rc" + if [ -z "${_exec_stop}" ]; then + _exec_stop="/bin/sh /etc/rc.shutdown" + fi + fi + fi + eval _interface=\"\${jail_${_jv}_interface:-${jail_interface}}\" + eval _parameters=\"\${jail_${_jv}_parameters:-${jail_parameters}}\" + eval _fstab=\"\${jail_${_jv}_fstab:-${jail_fstab:-/etc/fstab.$_j}}\" + ( + date +"# Generated by rc.d/jail at %Y-%m-%d %H:%M:%S" + echo "$_j {" + extract_var $_jv hostname host.hostname - "" + extract_var $_jv rootdir path - "" + if [ -n "$_ip" ]; then + extract_var $_jv interface interface - "" + jail_handle_ips_option $_ip $_interface + alias=0 + while : ; do + eval _x=\"\$jail_${_jv}_ip_multi${alias}\" + [ -z "$_x" ] && break + + jail_handle_ips_option $_x $_interface + alias=$(($alias + 1)) + done + case $need_dad_wait in + 1) + # Sleep to let DAD complete before + # starting services. + echo " exec.start += \"sleep " \ + $(($(${SYSCTL_N} net.inet6.ip6.dad_count) + 1)) \ + "\";" + ;; + esac + # These are applicable only to non-vimage jails. + extract_var $_jv fib exec.fib - "" + extract_var $_jv socket_unixiproute_only \ + allow.raw_sockets NY YES + else + echo " vnet;" + extract_var $_jv vnet_interface vnet.interface @ "" + fi + + echo " exec.clean;" + echo " exec.system_user = \"root\";" + echo " exec.jail_user = \"root\";" + extract_var $_jv exec_prestart exec.prestart 0 "" + extract_var $_jv exec_poststart exec.poststart 0 "" + extract_var $_jv exec_prestop exec.prestop 0 "" + extract_var $_jv exec_poststop exec.poststop 0 "" + + echo " exec.start += \"$_exec_start\";" + extract_var $_jv exec_afterstart exec.start 0 "" + echo " exec.stop = \"$_exec_stop\";" + + extract_var $_jv consolelog exec.consolelog - \ + /var/log/jail_${_j}_console.log + + if [ -r $_fstab ]; then + echo " mount.fstab = \"$_fstab\";" + fi + + eval : \${jail_${_jv}_devfs_enable:=${jail_devfs_enable:-NO}} + if checkyesno jail_${_jv}_devfs_enable; then + echo " mount.devfs;" + eval _ruleset=\${jail_${_jv}_devfs_ruleset:-${jail_devfs_ruleset}} + case $_ruleset in + "") ;; + [0-9]*) echo " devfs_ruleset = \"$_ruleset\";" ;; + devfsrules_jail) + # XXX: This is the default value, + # Let jail(8) to use the default because + # mount(8) only accepts an integer. + # This should accept a ruleset name. + ;; + *) warn "devfs_ruleset must be an integer." ;; + esac + fi + eval : \${jail_${_jv}_fdescfs_enable:=${jail_fdescfs_enable:-NO}} + if checkyesno jail_${_jv}_fdescfs_enable; then + echo " mount.fdescfs;" + fi + eval : \${jail_${_jv}_procfs_enable:=${jail_procfs_enable:-NO}} + if checkyesno jail_${_jv}_procfs_enable; then + echo " mount.procfs;" + fi + + eval : \${jail_${_jv}_mount_enable:=${jail_mount_enable:-NO}} + if checkyesno jail_${_jv}_mount_enable; then + echo " allow.mount;" + fi + + extract_var $_jv set_hostname_allow allow.set_hostname YN NO + extract_var $_jv sysvipc_allow allow.sysvipc YN NO + extract_var $_jv osreldate osreldate + extract_var $_jv osrelease osrelease + for _p in $_parameters; do + echo " ${_p%\;};" + done + echo "}" + ) >> $_conf + + return 0 +} + +# jail_extract_address argument iface +# The second argument is the string from one of the _ip +# or the _multi variables. In case of a comma separated list +# only one argument must be passed in at a time. +# The function alters the _type, _iface, _addr and _mask variables. +# +jail_extract_address() +{ + local _i _interface + _i=$1 + _interface=$2 + + if [ -z "${_i}" ]; then + warn "jail_extract_address: called without input" + return + fi + + # Check if we have an interface prefix given and split into + # iFace and rest. + case "${_i}" in + *\|*) # ifN|.. prefix there + _iface=${_i%%|*} + _r=${_i##*|} + ;; + *) _iface="" + _r=${_i} + ;; + esac + + # In case the IP has no interface given, check if we have a global one. + _iface=${_iface:-${_interface}} + + # Set address, cut off any prefix/netmask/prefixlen. + _addr=${_r} + _addr=${_addr%%[/ ]*} + + # Theoretically we can return here if interface is not set, + # as we only care about the _mask if we call ifconfig. + # This is not done because we may want to santize IP addresses + # based on _type later, and optionally change the type as well. + + # Extract the prefix/netmask/prefixlen part by cutting off the address. + _mask=${_r} + _mask=`expr "${_mask}" : "${_addr}\(.*\)"` + + # Identify type {inet,inet6}. + case "${_addr}" in + *\.*\.*\.*) _type="inet" ;; + *:*) _type="inet6" ;; + *) warn "jail_extract_address: type not identified" + ;; + esac + + # Handle the special /netmask instead of /prefix or + # "netmask xxx" case for legacy IP. + # We do NOT support shortend class-full netmasks. + if [ "${_type}" = "inet" ]; then + case "${_mask}" in + /*\.*\.*\.*) _mask=" netmask ${_mask#/}" ;; + *) ;; + esac + + # In case _mask is still not set use /32. + _mask=${_mask:-/32} + + elif [ "${_type}" = "inet6" ]; then + # In case _mask is not set for IPv6, use /128. + _mask=${_mask:-/128} + fi +} + +# jail_handle_ips_option input iface +# Handle a single argument imput which can be a comma separated +# list of addresses (theoretically with an option interface and +# prefix/netmask/prefixlen). +# +jail_handle_ips_option() +{ + local _x _type _i _defif + _x=$1 + _defif=$2 + + if [ -z "${_x}" ]; then + # No IP given. This can happen for the primary address + # of each address family. + return + fi + + # Loop, in case we find a comma separated list, we need to handle + # each argument on its own. + while [ ${#_x} -gt 0 ]; do + case "${_x}" in + *,*) # Extract the first argument and strip it off the list. + _i=`expr "${_x}" : '^\([^,]*\)'` + _x=`expr "${_x}" : "^[^,]*,\(.*\)"` + ;; + *) _i=${_x} + _x="" + ;; + esac + + _type="" + _addr="" + _mask="" + _iface="" + jail_extract_address $_i $_defif + + # make sure we got an address. + case $_addr in + "") continue ;; + *) ;; + esac + + # Append address to list of addresses for the jail command. + case $_type in + inet) + echo " ip4.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" + ;; + inet6) + echo " ip6.addr += \"${_iface:+${_iface}|}${_addr}${_mask}\";" + need_dad_wait=1 + ;; + esac + done +} + +jail_config() +{ + local _j _jv + + case $1 in + _ALL) return ;; + esac + for _j in $@; do + _j=$(echo $_j | tr /. _) + _jv=$(echo -n $_j | tr -c '[:alnum:]' _) + if parse_options $_j $_jv; then + echo "$_j: parameters are in $_conf." + fi + done +} + +jail_console() +{ + local _j _jv _cmd + + # One argument that is not _ALL. + case $#:$1 in + 0:*|1:_ALL) err 3 "Specify a jail name." ;; + 1:*) ;; + esac + _j=$(echo $1 | tr /. _) + _jv=$(echo -n $1 | tr -c '[:alnum:]' _) + shift + case $# in + 0) eval _cmd=\${jail_${_jv}_consolecmd:-$jail_consolecmd} ;; + *) _cmd=$@ ;; + esac + $jail_jexec $_j $_cmd +} + +jail_status() +{ + + $jail_jls -N +} + +jail_start() +{ + local _j _jv _jid _id _name + + if [ $# = 0 ]; then + return + fi + echo -n 'Starting jails:' + case $1 in + _ALL) + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -c" + if ! checkyesno jail_parallel_start; then + command_args="$command_args -p1" + fi + _tmp=`mktemp -t jail` || exit 3 + if $command $rc_flags $command_args >> $_tmp 2>&1; then + $jail_jls jid name | while read _id _name; do + echo -n " $_name" + echo $_id > /var/run/jail_${_name}.id + done + else + cat $_tmp + fi + rm -f $_tmp + echo '.' + return + ;; + esac + if checkyesno jail_parallel_start; then + # + # Start jails in parallel and then check jail id when + # jail_parallel_start is YES. + # + for _j in $@; do + _j=$(echo $_j | tr /. _) + _jv=$(echo -n $_j | tr -c '[:alnum:]' _) + parse_options $_j $_jv || continue + + eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} + eval command=\${jail_${_jv}_program:-$jail_program} + command_args="-i -f $_conf -c $_j" + ( + _tmp=`mktemp -t jail_${_j}` || exit 3 + if $command $rc_flags $command_args \ + >> $_tmp 2>&1 /var/run/jail_${_j}.id + else + echo " cannot start jail " \ + "\"${_hostname:-${_j}}\": " + cat $_tmp + fi + rm -f $_tmp + ) & + done + wait + else + # + # Start jails one-by-one when jail_parallel_start is NO. + # + for _j in $@; do + _j=$(echo $_j | tr /. _) + _jv=$(echo -n $_j | tr -c '[:alnum:]' _) + parse_options $_j $_jv || continue + + eval rc_flags=\${jail_${_jv}_flags:-$jail_flags} + eval command=\${jail_${_jv}_program:-$jail_program} + command_args="-i -f $_conf -c $_j" + _tmp=`mktemp -t jail` || exit 3 + if $command $rc_flags $command_args \ + >> $_tmp 2>&1 /var/run/jail_${_j}.id + else + echo " cannot start jail " \ + "\"${_hostname:-${_j}}\": " + cat $_tmp + fi + rm -f $_tmp + done + fi + echo '.' +} + +jail_stop() +{ + local _j _jv + + if [ $# = 0 ]; then + return + fi + echo -n 'Stopping jails:' + case $1 in + _ALL) + command=$jail_program + rc_flags=$jail_flags + command_args="-f $jail_conf -r" + if checkyesno jail_reverse_stop; then + $jail_jls name | tail -r + else + $jail_jls name + fi | while read _j; do + echo -n " $_j" + _tmp=`mktemp -t jail` || exit 3 + $command $rc_flags $command_args $_j >> $_tmp 2>&1 + if $jail_jls -j $_j > /dev/null 2>&1; then + cat $_tmp + else + rm -f /var/run/jail_${_j}.id + fi + rm -f $_tmp + done + echo '.' + return + ;; + esac + checkyesno jail_reverse_stop && set -- $(reverse_list $@) + for _j in $@; do + _j=$(echo $_j | tr /. _) + _jv=$(echo -n $_j | tr -c '[:alnum:]' _) + parse_options $_j $_jv || continue + if ! $jail_jls -j $_j > /dev/null 2>&1; then + continue + fi + eval command=\${jail_${_jv}_program:-$jail_program} + echo -n " ${_hostname:-${_j}}" + _tmp=`mktemp -t jail` || exit 3 + $command -q -f $_conf -r $_j >> $_tmp 2>&1 + if $jail_jls -j $_j > /dev/null 2>&1; then + cat $_tmp + else + rm -f /var/run/jail_${_j}.id + fi + rm -f $_tmp + done + echo '.' +} + +jail_warn() +{ + + # To relieve confusion, show a warning message. + case $_confwarn in + 1) warn "Per-jail configuration via jail_* variables " \ + "is obsolete. Please consider migrating to $jail_conf." + ;; + esac +} + +load_rc_config $name +case $# in +1) run_rc_command $@ ${jail_list:-_ALL} ;; +*) jail_reverse_stop="no" + run_rc_command $@ ;; +esac diff -ruN ezjail-3.4.2_org/ezjail.sh ezjail-3.4.2/ezjail.sh --- ezjail-3.4.2_org/ezjail.sh 2015-04-14 18:10:53.000000000 -0400 +++ ezjail-3.4.2/ezjail.sh 2017-04-27 10:13:31.584882000 -0400 @@ -100,8 +100,21 @@ ezjail_pass="${ezjail_pass} ${ezjail}" done - # Pass control to jail script which does the actual work - [ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass} + # Pass control to jail script which does the actual work. + # + # 4/27/2017 The legacy rc.conf method is depreciated and support for it + # will be removed in an comming release of Freebsd. The /etc/rc.d/jail script + # contains the on-the-fly conversion from the legacy rc.conf method used + # by ezjail to the jail.conf method. This conversion code is what is planed + # to be removed. To negate the need of rewritting the ezjail-admin script + # to internally use the jail.conf method this simple hack is being used + # instead. The /etc/rc.d/jail script is copied to the ezjail port source, + # renamed ezjail.jail and the following line of code changed to use it + # instead of the OS one, so when the legacy rc.conf method is removed from + # the OS /etc/rc.d/jail script it will not effect ezjail operation. + # + #[ "${ezjail_pass}" ] && sh /etc/rc.d/jail one${action%crypto} ${ezjail_pass} + [ "${ezjail_pass}" ] && sh /usr/local/bin/ezjail.jail one${action%crypto} ${ezjail_pass} # Configure settings that need to be done after the jail has been started if [ "${action%crypto}" = "start" -o "${action}" = "restart" ]; then