static int print_jail(int pflags, int jflags) { char *nname; char **param_values; int i, ai, jid, count, n, spc; char ipbuf[INET6_ADDRSTRLEN]; jid = jailparam_get(params, nparams, jflags); if (jid < 0) return jid; if (pflags & PRINT_VERBOSE) { printf("%6d %-29.29s %.74s\n" "%6s %-29.29s %.74s\n" "%6s %-6d\n", *(int *)params[0].jp_value, (char *)params[1].jp_value, (char *)params[2].jp_value, "", (char *)params[3].jp_value, *(int *)params[4].jp_value ? "DYING" : "ACTIVE", "", *(int *)params[5].jp_value); n = 6; #ifdef INET if (ip4_ok && !strcmp(params[n].jp_name, "ip4.addr")) { count = params[n].jp_valuelen / sizeof(struct in_addr); for (ai = 0; ai < count; ai++) if (inet_ntop(AF_INET, &((struct in_addr *)params[n].jp_value)[ai], ipbuf, sizeof(ipbuf)) == NULL) err(1, "inet_ntop"); else printf("%6s %-15.15s\n", "", ipbuf); n++; } #endif #ifdef INET6 if (ip6_ok && !strcmp(params[n].jp_name, "ip6.addr")) { count = params[n].jp_valuelen / sizeof(struct in6_addr); for (ai = 0; ai < count; ai++) if (inet_ntop(AF_INET6, &((struct in6_addr *) params[n].jp_value)[ai], ipbuf, sizeof(ipbuf)) == NULL) err(1, "inet_ntop"); else printf("%6s %s\n", "", ipbuf); n++; } #endif } else if (pflags & PRINT_DEFAULT) printf("%6d %-15.15s %-29.29s %.74s\n", *(int *)params[0].jp_value, #ifdef INET (!ip4_ok || params[1].jp_valuelen == 0) ? "-" : inet_ntoa(*(struct in_addr *)params[1].jp_value), #else "-", #endif (char *)params[2-!ip4_ok].jp_value, (char *)params[3-!ip4_ok].jp_value); else { param_values = alloca(nparams * sizeof(*param_values)); for (i = 0; i < nparams; i++) { if (!(params[i].jp_flags & JP_USER)) continue; param_values[i] = jailparam_export(params + i); if (param_values[i] == NULL) errx(1, "%s", jail_errmsg); } for (i = spc = 0; i < nparams; i++) { if (!(params[i].jp_flags & JP_USER)) continue; if ((pflags & PRINT_SKIP) && ((!(params[i].jp_ctltype & (CTLFLAG_WR | CTLFLAG_TUN))) || (param_parent[i] >= 0 && *(int *)params[param_parent[i]].jp_value != JAIL_SYS_NEW))) continue; if (spc) putchar(' '); else spc = 1; if (pflags & PRINT_NAMEVAL) { /* * Generally "name=value", but for booleans * either "name" or "noname". */ if (params[i].jp_flags & (JP_BOOL | JP_NOBOOL)) { if (*(int *)params[i].jp_value) printf("%s", params[i].jp_name); else { nname = (params[i].jp_flags & JP_NOBOOL) ? nononame(params[i].jp_name) : noname(params[i].jp_name); printf("%s", nname); free(nname); } continue; } printf("%s=", params[i].jp_name); } if (params[i].jp_valuelen == 0) { if (pflags & PRINT_QUOTED) printf("\"\""); else if (!(pflags & PRINT_NAMEVAL)) putchar('-'); } else quoted_print(param_values[i]); } putchar('\n'); for (i = 0; i < nparams; i++) if (params[i].jp_flags & JP_USER) free(param_values[i]); } return (jid); }
int main(int argc, char **argv) { login_cap_t *lcap = NULL; struct passwd *pwd = NULL; gid_t *groups; size_t sysvallen; int ch, cmdarg, i, jail_set_flags, jid, ngroups, sysval; int hflag, iflag, Jflag, lflag, rflag, uflag, Uflag; long ngroups_max; unsigned pi; char *jailname, *securelevel, *username, *JidFile; char enforce_statfs[4]; static char *cleanenv; const char *shell, *p = NULL; FILE *fp; hflag = iflag = Jflag = lflag = rflag = uflag = Uflag = jail_set_flags = 0; cmdarg = jid = -1; jailname = securelevel = username = JidFile = cleanenv = NULL; fp = NULL; ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1; if ((groups = malloc(sizeof(gid_t) * ngroups_max)) == NULL) err(1, "malloc"); while ((ch = getopt(argc, argv, "cdhilmn:r:s:u:U:J:")) != -1) { switch (ch) { case 'd': jail_set_flags |= JAIL_DYING; break; case 'h': hflag = 1; break; case 'i': iflag = 1; break; case 'J': JidFile = optarg; Jflag = 1; break; case 'n': jailname = optarg; break; case 's': securelevel = optarg; break; case 'u': username = optarg; uflag = 1; break; case 'U': username = optarg; Uflag = 1; break; case 'l': lflag = 1; break; case 'c': jail_set_flags |= JAIL_CREATE; break; case 'm': jail_set_flags |= JAIL_UPDATE; break; case 'r': jid = jail_getid(optarg); if (jid < 0) errx(1, "%s", jail_errmsg); rflag = 1; break; default: usage(); } } argc -= optind; argv += optind; if (rflag) { if (argc > 0 || iflag || Jflag || lflag || uflag || Uflag) usage(); if (jail_remove(jid) < 0) err(1, "jail_remove"); exit (0); } if (argc == 0) usage(); if (uflag && Uflag) usage(); if (lflag && username == NULL) usage(); if (uflag) GET_USER_INFO; #ifdef INET6 ip6_ok = feature_present("inet6"); #endif #ifdef INET ip4_ok = feature_present("inet"); #endif if (jailname) set_param("name", jailname); if (securelevel) set_param("securelevel", securelevel); if (jail_set_flags) { for (i = 0; i < argc; i++) { if (!strncmp(argv[i], "command=", 8)) { cmdarg = i; argv[cmdarg] += 8; jail_set_flags |= JAIL_ATTACH; break; } if (hflag) { #ifdef INET if (!strncmp(argv[i], "ip4.addr=", 9)) { add_ip_addr(&ip4_addr, argv[i] + 9); break; } #endif #ifdef INET6 if (!strncmp(argv[i], "ip6.addr=", 9)) { add_ip_addr(&ip6_addr, argv[i] + 9); break; } #endif if (!strncmp(argv[i], "host.hostname=", 14)) add_ip_addrinfo(0, argv[i] + 14); } set_param(NULL, argv[i]); } } else { if (argc < 4 || argv[0][0] != '/') errx(1, "%s\n%s", "no -c or -m, so this must be an old-style command.", "But it doesn't look like one."); set_param("path", argv[0]); set_param("host.hostname", argv[1]); if (hflag) add_ip_addrinfo(0, argv[1]); #if defined(INET6) || defined(INET) if (argv[2][0] != '\0') #ifdef INET6 add_ip_addr46(argv[2]); #else add_ip_addr(&ip4_addr, argv[2]); #endif #endif cmdarg = 3; /* Emulate the defaults from security.jail.* sysctls */ sysvallen = sizeof(sysval); if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen, NULL, 0) == 0 && sysval == 0) { for (pi = 0; pi < sizeof(perm_sysctl) / sizeof(perm_sysctl[0]); pi++) { sysvallen = sizeof(sysval); if (sysctlbyname(perm_sysctl[pi][0], &sysval, &sysvallen, NULL, 0) == 0) set_param(perm_sysctl[pi] [sysval ? 2 : 1], NULL); } sysvallen = sizeof(sysval); if (sysctlbyname("security.jail.enforce_statfs", &sysval, &sysvallen, NULL, 0) == 0) { snprintf(enforce_statfs, sizeof(enforce_statfs), "%d", sysval); set_param("enforce_statfs", enforce_statfs); } } } #ifdef INET if (ip4_addr != NULL) set_param("ip4.addr", ip4_addr); #endif #ifdef INET6 if (ip6_addr != NULL) set_param("ip6.addr", ip6_addr); #endif if (Jflag) { fp = fopen(JidFile, "w"); if (fp == NULL) errx(1, "Could not create JidFile: %s", JidFile); } jid = jailparam_set(params, nparams, jail_set_flags ? jail_set_flags : JAIL_CREATE | JAIL_ATTACH); if (jid < 0) errx(1, "%s", jail_errmsg); if (iflag) { printf("%d\n", jid); fflush(stdout); } if (Jflag) { if (jail_set_flags) { fprintf(fp, "jid=%d", jid); for (i = 0; i < nparams; i++) if (strcmp(params[i].jp_name, "jid")) { fprintf(fp, " %s", (char *)params[i].jp_name); if (param_values[i]) { putc('=', fp); quoted_print(fp, param_values[i]); } } fprintf(fp, "\n"); } else { for (i = 0; i < nparams; i++) if (!strcmp(params[i].jp_name, "path")) break; #if defined(INET6) && defined(INET) fprintf(fp, "%d\t%s\t%s\t%s%s%s\t%s\n", jid, i < nparams ? (char *)params[i].jp_value : argv[0], argv[1], ip4_addr ? ip4_addr : "", ip4_addr && ip4_addr[0] && ip6_addr && ip6_addr[0] ? "," : "", ip6_addr ? ip6_addr : "", argv[3]); #elif defined(INET6) fprintf(fp, "%d\t%s\t%s\t%s\t%s\n", jid, i < nparams ? (char *)params[i].jp_value : argv[0], argv[1], ip6_addr ? ip6_addr : "", argv[3]); #elif defined(INET) fprintf(fp, "%d\t%s\t%s\t%s\t%s\n", jid, i < nparams ? (char *)params[i].jp_value : argv[0], argv[1], ip4_addr ? ip4_addr : "", argv[3]); #endif } (void)fclose(fp); } if (cmdarg < 0) exit(0); if (username != NULL) { if (Uflag) GET_USER_INFO; if (lflag) { p = getenv("TERM"); environ = &cleanenv; } if (setgroups(ngroups, groups) != 0) err(1, "setgroups"); if (setgid(pwd->pw_gid) != 0) err(1, "setgid"); if (setusercontext(lcap, pwd, pwd->pw_uid, LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0) err(1, "setusercontext"); login_close(lcap); } if (lflag) { if (*pwd->pw_shell) shell = pwd->pw_shell; else shell = _PATH_BSHELL; if (chdir(pwd->pw_dir) < 0) errx(1, "no home directory"); setenv("HOME", pwd->pw_dir, 1); setenv("SHELL", shell, 1); setenv("USER", pwd->pw_name, 1); if (p) setenv("TERM", p, 1); } execvp(argv[cmdarg], argv + cmdarg); err(1, "execvp: %s", argv[cmdarg]); }