FreeBSD Bugzilla – Attachment 194658 Details for
Bug 229266
some system utilities take JID only, not jail name
[patch]
Uses jail_getid(3) or equivalent for: cpuset, ipfw, libugidfw, sockstat
jailid.diff (text/plain), 7.12 KB, created by
Jamie Gritton
on 2018-06-26 18:38:01 UTC
Description:
Uses jail_getid(3) or equivalent for: cpuset, ipfw, libugidfw, sockstat
Filename:
MIME Type:
Creator:
Jamie Gritton
Created:
2018-06-26 18:38:01 UTC
Size:
7.12 KB
>Index: lib/libugidfw/ugidfw.c
>===================================================================
>--- lib/libugidfw/ugidfw.c (revision 335668)
>+++ lib/libugidfw/ugidfw.c (working copy)
>@@ -34,9 +34,11 @@
> */
> #include <sys/param.h>
> #include <sys/errno.h>
>+#include <sys/jail.h>
> #include <sys/time.h>
> #include <sys/sysctl.h>
> #include <sys/ucred.h>
>+#include <sys/uio.h>
> #include <sys/mount.h>
>
> #include <security/mac_bsdextended/mac_bsdextended.h>
>@@ -600,16 +602,45 @@
> }
>
> static int
>+bsde_get_jailid(const char *name, size_t buflen, char *errstr)
>+{
>+ char *ep;
>+ int jid;
>+ struct iovec jiov[4];
>+
>+ /* Copy jail_getid(3) instead of messing with library dependancies */
>+ jid = strtoul(name, &ep, 10);
>+ if (*name && !*ep)
>+ return jid;
>+ jiov[0].iov_base = __DECONST(char *, "name");
>+ jiov[0].iov_len = sizeof("name");
>+ jiov[1].iov_len = strlen(name) + 1;
>+ jiov[1].iov_base = alloca(jiov[1].iov_len);
>+ strcpy(jiov[1].iov_base, name);
>+ if (errstr && buflen) {
>+ jiov[2].iov_base = __DECONST(char *, "errmsg");
>+ jiov[2].iov_len = sizeof("errmsg");
>+ jiov[3].iov_base = errstr;
>+ jiov[3].iov_len = buflen;
>+ errstr[0] = 0;
>+ jid = jail_get(jiov, 4, 0);
>+ if (jid < 0 && !errstr[0])
>+ snprintf(errstr, buflen, "jail_get: %s",
>+ strerror(errno));
>+ } else
>+ jid = jail_get(jiov, 2, 0);
>+ return jid;
>+}
>+
>+static int
> bsde_parse_subject(int argc, char *argv[],
> struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
> {
> int not_seen, flags;
> int current, neg, nextnot;
>- char *endp;
> uid_t uid_min, uid_max;
> gid_t gid_min, gid_max;
> int jid = 0;
>- long value;
>
> current = 0;
> flags = 0;
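Review bot: In bsde_get_jailid the numeric path assigns the strtoul() result straight to an int and returns it, so a value that does not fit is silently truncated (and can then name a different jail than the one written in the rule) or comes back negative. A negative return from that path never writes errstr, so the caller in the next hunk (bsde_parse_subject, `if (jid < 0) return (-1);`) fails without the "invalid jid" message the old code produced. I would parse into an unsigned long, reject ERANGE and anything above INT_MAX, and fill errstr before returning -1; INT_MAX needs <limits.h> if the file does not already pull it in. Separately, the alloca() copy of name is sized by the caller's argument, so a comment stating that name comes from argv and is bounded by the argument-size limit would help the next reader.

```c
	unsigned long ul;

	/* Copy jail_getid(3) instead of messing with library dependancies */
	errno = 0;
	ul = strtoul(name, &ep, 10);
	if (*name && !*ep) {
		/* Reject values that do not fit in an int instead of truncating. */
		if (errno == ERANGE || ul > INT_MAX) {
			if (errstr && buflen)
				snprintf(errstr, buflen, "invalid jid: '%s'",
				    name);
			return (-1);
		}
		return ((int)ul);
	}
	/* ... unchanged: jail_get(2) lookup by name ... */
```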
>@@ -668,13 +699,9 @@
> snprintf(errstr, buflen, "one jail only");
> return (-1);
> }
>- value = strtol(argv[current+1], &endp, 10);
>- if (*endp != '\0') {
>- snprintf(errstr, buflen, "invalid jid: '%s'",
>- argv[current+1]);
>+ jid = bsde_get_jailid(argv[current+1], buflen, errstr);
>+ if (jid < 0)
> return (-1);
>- }
>- jid = value;
> flags |= MBS_PRISON_DEFINED;
> if (nextnot) {
> neg ^= MBS_PRISON_DEFINED;
>Index: sbin/ipfw/Makefile
>===================================================================
>--- sbin/ipfw/Makefile (revision 335668)
>+++ sbin/ipfw/Makefile (working copy)
>@@ -13,7 +13,7 @@
> CFLAGS+=-DPF
> .endif
>
>-LIBADD= util
>+LIBADD= jail util
> MAN= ipfw.8
>
> .include <bsd.prog.mk>
>Index: sbin/ipfw/ipfw.8
>===================================================================
>--- sbin/ipfw/ipfw.8 (revision 335668)
>+++ sbin/ipfw/ipfw.8 (working copy)
>@@ -1,7 +1,7 @@
> .\"
> .\" $FreeBSD$
> .\"
>-.Dd May 9, 2018
>+.Dd June 26, 2018
> .Dt IPFW 8
> .Os
> .Sh NAME
>@@ -1535,10 +1535,10 @@
> A
> .Ar group
> may be specified by name or number.
>-.It Cm jail Ar prisonID
>+.It Cm jail Ar prison
> Matches all TCP or UDP packets sent by or received for the
>-jail whos prison ID is
>-.Ar prisonID .
>+jail whos prison ID or name is
>+.Ar prison .
> .It Cm icmptypes Ar types
> Matches ICMP packets whose ICMP type is in the list
> .Ar types .
>Index: sbin/ipfw/ipfw2.c
>===================================================================
>--- sbin/ipfw/ipfw2.c (revision 335668)
>+++ sbin/ipfw/ipfw2.c (working copy)
>@@ -32,6 +32,7 @@
> #include <err.h>
> #include <errno.h>
> #include <grp.h>
>+#include <jail.h>
> #include <netdb.h>
> #include <pwd.h>
> #include <stdio.h>
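Review bot: The jail branch of bsde_parse_subject (lib/libugidfw/ugidfw.c, hunk at -668) resolves a name to a number once, while the rule is parsed, and keeps only `jid`; the TOK_JAIL case in sbin/ipfw/ipfw2.c does the same and stores the number in `cmd32->d[0]`. The man page changes in this patch do not say so, and a reader may expect a rule written with a name to follow the jail across restarts, whereas a recreated jail usually receives a new ID, so the rule would stop matching or match whichever jail later holds the old number. I would state this next to the changed text in ipfw.8 (and wherever ugidfw rules are documented), for example `The name is resolved to a prison ID when the rule is added; the rule is not updated if the jail is later restarted.` How the kernel evaluates the stored value is outside this patch, so this is inferred from what the hunks store. bsde_parse_subject continues outside the hunk.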
>@@ -4581,13 +4582,12 @@
> case TOK_JAIL:
> NEED1("jail requires argument");
> {
>- char *end;
> int jid;
>
> cmd->opcode = O_JAIL;
>- jid = (int)strtol(*av, &end, 0);
>- if (jid < 0 || *end != '\0')
>- errx(EX_DATAERR, "jail requires prison ID");
>+ jid = jail_getid(*av);
>+ if (jid < 0)
>+ errx(EX_DATAERR, "%s", jail_errmsg);
> cmd32->d[0] = (uint32_t)jid;
> cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
> av++;
>Index: usr.bin/cpuset/Makefile
>===================================================================
>--- usr.bin/cpuset/Makefile (revision 335668)
>+++ usr.bin/cpuset/Makefile (working copy)
>@@ -2,4 +2,6 @@
>
> PROG= cpuset
>
>+LIBADD= jail
>+
> .include <bsd.prog.mk>
>Index: usr.bin/cpuset/cpuset.1
>===================================================================
>--- usr.bin/cpuset/cpuset.1 (revision 335668)
>+++ usr.bin/cpuset/cpuset.1 (working copy)
>@@ -25,7 +25,7 @@
> .\"
> .\" $FreeBSD$
> .\"
>-.Dd February 26, 2018
>+.Dd June 26, 2018
> .Dt CPUSET 1
> .Os
> .Sh NAME
>@@ -56,7 +56,7 @@
> .Nm
> .Fl g
> .Op Fl cir
>-.Op Fl d Ar domain | Fl j Ar jailid | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
>+.Op Fl d Ar domain | Fl j Ar jail | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
> .Sh DESCRIPTION
> The
> .Nm
>@@ -68,7 +68,7 @@
> .Nm
> requires a target to modify or query.
> The target may be specified as a command, process id, thread id, a
>-cpuset id, an irq, a jail id, or a NUMA domain.
>+cpuset id, an irq, a jail, or a NUMA domain.
> Using
> .Fl g
> the target's set id or mask may be queried.
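Review bot: The TOK_JAIL case in sbin/ipfw/ipfw2.c used to parse its argument with `strtol(*av, &end, 0)`, which accepted octal and hex prison IDs, and the replacement may change how existing rules are read. If jail_getid() treats only decimal strings as IDs, as the copy of it in lib/libugidfw/ugidfw.c does, a leading-zero argument such as `010` now selects a different jail than before, and `0x10` is looked up as a name instead of a number. That is a silent change in which jail a firewall rule applies to, so I would either mention in ipfw.8 that numeric prison IDs are decimal, or keep accepting the old forms before falling back to the name lookup. The case body continues outside the hunk.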
>@@ -136,8 +136,8 @@
> When used with the
> .Fl g
> option print the id rather than the valid mask of the target.
>-.It Fl j Ar jailid
>-Specifies a jail id as the target of the operation.
>+.It Fl j Ar jail
>+Specifies a jail id or name as the target of the operation.
> .It Fl l Ar cpu-list
> Specifies a list of CPUs to apply to a target.
> Specification may include
>Index: usr.bin/cpuset/cpuset.c
>===================================================================
>--- usr.bin/cpuset/cpuset.c (revision 335668)
>+++ usr.bin/cpuset/cpuset.c (working copy)
>@@ -42,6 +42,7 @@
> #include <ctype.h>
> #include <err.h>
> #include <errno.h>
>+#include <jail.h>
> #include <limits.h>
> #include <stdio.h>
> #include <stdlib.h>
>@@ -320,7 +321,9 @@
> case 'j':
> jflag = 1;
> which = CPU_WHICH_JAIL;
>- id = atoi(optarg);
>+ id = jail_getid(optarg);
>+ if (id < 0)
>+ errx(EXIT_FAILURE, "%s", jail_errmsg);
> break;
> case 'l':
> lflag = 1;
>Index: usr.bin/sockstat/Makefile
>===================================================================
>--- usr.bin/sockstat/Makefile (revision 335668)
>+++ usr.bin/sockstat/Makefile (working copy)
>@@ -2,4 +2,6 @@
>
> PROG= sockstat
>
>+LIBADD= jail
>+
> .include <bsd.prog.mk>
>Index: usr.bin/sockstat/sockstat.1
>===================================================================
>--- usr.bin/sockstat/sockstat.1 (revision 335668)
>+++ usr.bin/sockstat/sockstat.1 (working copy)
>@@ -27,7 +27,7 @@
> .\"
> .\" $FreeBSD$
> .\"
>-.Dd January 23, 2018
>+.Dd June 26, 2018
> .Dt SOCKSTAT 1
> .Os
> .Sh NAME
>@@ -58,8 +58,8 @@
> (IPv6) sockets.
> .It Fl c
> Show connected sockets.
>-.It Fl j Ar jid
>-Show only sockets belonging to the specified jail ID.
>+.It Fl j Ar jail
>+Show only sockets belonging to the specified jail ID or name.
> .It Fl L
> Only show Internet sockets if the local and foreign addresses are not
> in the loopback network prefix
>Index: usr.bin/sockstat/sockstat.c
>===================================================================
>--- usr.bin/sockstat/sockstat.c (revision 335668)
>+++ usr.bin/sockstat/sockstat.c (working copy)
>@@ -57,6 +57,7 @@
> #include <ctype.h>
> #include <err.h>
> #include <errno.h>
>+#include <jail.h>
> #include <netdb.h>
> #include <pwd.h>
> #include <stdarg.h>
>@@ -1263,7 +1264,9 @@
> opt_c = 1;
> break;
> case 'j':
>- opt_j = atoi(optarg);
>+ opt_j = jail_getid(optarg);
>+ if (opt_j < 0)
>+ errx(1, "%s", jail_errmsg);
> break;
> case 'L':
> opt_L = 1;