static int
print_jail(int pflags, int jflags)
{
char *nname;
char **param_values;
int i, ai, jid, count, n, spc;
char ipbuf[INET6_ADDRSTRLEN];
jid = jailparam_get(params, nparams, jflags);
if (jid < 0)
return jid;
if (pflags & PRINT_VERBOSE) {
printf("%6d %-29.29s %.74s\n"
"%6s %-29.29s %.74s\n"
"%6s %-6d\n",
*(int *)params[0].jp_value,
(char *)params[1].jp_value,
(char *)params[2].jp_value,
"",
(char *)params[3].jp_value,
*(int *)params[4].jp_value ? "DYING" : "ACTIVE",
"",
*(int *)params[5].jp_value);
n = 6;
#ifdef INET
if (ip4_ok && !strcmp(params[n].jp_name, "ip4.addr")) {
count = params[n].jp_valuelen / sizeof(struct in_addr);
for (ai = 0; ai < count; ai++)
if (inet_ntop(AF_INET,
&((struct in_addr *)params[n].jp_value)[ai],
ipbuf, sizeof(ipbuf)) == NULL)
err(1, "inet_ntop");
else
printf("%6s %-15.15s\n", "", ipbuf);
n++;
}
#endif
#ifdef INET6
if (ip6_ok && !strcmp(params[n].jp_name, "ip6.addr")) {
count = params[n].jp_valuelen / sizeof(struct in6_addr);
for (ai = 0; ai < count; ai++)
if (inet_ntop(AF_INET6,
&((struct in6_addr *)
params[n].jp_value)[ai],
ipbuf, sizeof(ipbuf)) == NULL)
err(1, "inet_ntop");
else
printf("%6s %s\n", "", ipbuf);
n++;
}
#endif
} else if (pflags & PRINT_DEFAULT)
printf("%6d %-15.15s %-29.29s %.74s\n",
*(int *)params[0].jp_value,
#ifdef INET
(!ip4_ok || params[1].jp_valuelen == 0) ? "-"
: inet_ntoa(*(struct in_addr *)params[1].jp_value),
#else
"-",
#endif
(char *)params[2-!ip4_ok].jp_value,
(char *)params[3-!ip4_ok].jp_value);
else {
param_values = alloca(nparams * sizeof(*param_values));
for (i = 0; i < nparams; i++) {
if (!(params[i].jp_flags & JP_USER))
continue;
param_values[i] = jailparam_export(params + i);
if (param_values[i] == NULL)
errx(1, "%s", jail_errmsg);
}
for (i = spc = 0; i < nparams; i++) {
if (!(params[i].jp_flags & JP_USER))
continue;
if ((pflags & PRINT_SKIP) &&
((!(params[i].jp_ctltype &
(CTLFLAG_WR | CTLFLAG_TUN))) ||
(param_parent[i] >= 0 &&
*(int *)params[param_parent[i]].jp_value !=
JAIL_SYS_NEW)))
continue;
if (spc)
putchar(' ');
else
spc = 1;
if (pflags & PRINT_NAMEVAL) {
/*
* Generally "name=value", but for booleans
* either "name" or "noname".
*/
if (params[i].jp_flags &
(JP_BOOL | JP_NOBOOL)) {
if (*(int *)params[i].jp_value)
printf("%s", params[i].jp_name);
else {
nname = (params[i].jp_flags &
JP_NOBOOL) ?
nononame(params[i].jp_name)
: noname(params[i].jp_name);
printf("%s", nname);
free(nname);
}
continue;
}
printf("%s=", params[i].jp_name);
}
if (params[i].jp_valuelen == 0) {
if (pflags & PRINT_QUOTED)
printf("\"\"");
else if (!(pflags & PRINT_NAMEVAL))
putchar('-');
} else
quoted_print(param_values[i]);
}
putchar('\n');
for (i = 0; i < nparams; i++)
if (params[i].jp_flags & JP_USER)
free(param_values[i]);
}
return (jid);
}
int
main(int argc, char **argv)
{
login_cap_t *lcap = NULL;
struct passwd *pwd = NULL;
gid_t *groups;
size_t sysvallen;
int ch, cmdarg, i, jail_set_flags, jid, ngroups, sysval;
int hflag, iflag, Jflag, lflag, rflag, uflag, Uflag;
long ngroups_max;
unsigned pi;
char *jailname, *securelevel, *username, *JidFile;
char enforce_statfs[4];
static char *cleanenv;
const char *shell, *p = NULL;
FILE *fp;
hflag = iflag = Jflag = lflag = rflag = uflag = Uflag =
jail_set_flags = 0;
cmdarg = jid = -1;
jailname = securelevel = username = JidFile = cleanenv = NULL;
fp = NULL;
ngroups_max = sysconf(_SC_NGROUPS_MAX) + 1;
if ((groups = malloc(sizeof(gid_t) * ngroups_max)) == NULL)
err(1, "malloc");
while ((ch = getopt(argc, argv, "cdhilmn:r:s:u:U:J:")) != -1) {
switch (ch) {
case 'd':
jail_set_flags |= JAIL_DYING;
break;
case 'h':
hflag = 1;
break;
case 'i':
iflag = 1;
break;
case 'J':
JidFile = optarg;
Jflag = 1;
break;
case 'n':
jailname = optarg;
break;
case 's':
securelevel = optarg;
break;
case 'u':
username = optarg;
uflag = 1;
break;
case 'U':
username = optarg;
Uflag = 1;
break;
case 'l':
lflag = 1;
break;
case 'c':
jail_set_flags |= JAIL_CREATE;
break;
case 'm':
jail_set_flags |= JAIL_UPDATE;
break;
case 'r':
jid = jail_getid(optarg);
if (jid < 0)
errx(1, "%s", jail_errmsg);
rflag = 1;
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (rflag) {
if (argc > 0 || iflag || Jflag || lflag || uflag || Uflag)
usage();
if (jail_remove(jid) < 0)
err(1, "jail_remove");
exit (0);
}
if (argc == 0)
usage();
if (uflag && Uflag)
usage();
if (lflag && username == NULL)
usage();
if (uflag)
GET_USER_INFO;
#ifdef INET6
ip6_ok = feature_present("inet6");
#endif
#ifdef INET
ip4_ok = feature_present("inet");
#endif
if (jailname)
set_param("name", jailname);
if (securelevel)
set_param("securelevel", securelevel);
if (jail_set_flags) {
for (i = 0; i < argc; i++) {
if (!strncmp(argv[i], "command=", 8)) {
cmdarg = i;
argv[cmdarg] += 8;
jail_set_flags |= JAIL_ATTACH;
break;
}
if (hflag) {
#ifdef INET
if (!strncmp(argv[i], "ip4.addr=", 9)) {
add_ip_addr(&ip4_addr, argv[i] + 9);
break;
}
#endif
#ifdef INET6
if (!strncmp(argv[i], "ip6.addr=", 9)) {
add_ip_addr(&ip6_addr, argv[i] + 9);
break;
}
#endif
if (!strncmp(argv[i], "host.hostname=", 14))
add_ip_addrinfo(0, argv[i] + 14);
}
set_param(NULL, argv[i]);
}
} else {
if (argc < 4 || argv[0][0] != '/')
errx(1, "%s\n%s",
"no -c or -m, so this must be an old-style command.",
"But it doesn't look like one.");
set_param("path", argv[0]);
set_param("host.hostname", argv[1]);
if (hflag)
add_ip_addrinfo(0, argv[1]);
#if defined(INET6) || defined(INET)
if (argv[2][0] != '\0')
#ifdef INET6
add_ip_addr46(argv[2]);
#else
add_ip_addr(&ip4_addr, argv[2]);
#endif
#endif
cmdarg = 3;
/* Emulate the defaults from security.jail.* sysctls */
sysvallen = sizeof(sysval);
if (sysctlbyname("security.jail.jailed", &sysval, &sysvallen,
NULL, 0) == 0 && sysval == 0) {
for (pi = 0; pi < sizeof(perm_sysctl) /
sizeof(perm_sysctl[0]); pi++) {
sysvallen = sizeof(sysval);
if (sysctlbyname(perm_sysctl[pi][0],
&sysval, &sysvallen, NULL, 0) == 0)
set_param(perm_sysctl[pi]
[sysval ? 2 : 1], NULL);
}
sysvallen = sizeof(sysval);
if (sysctlbyname("security.jail.enforce_statfs",
&sysval, &sysvallen, NULL, 0) == 0) {
snprintf(enforce_statfs,
sizeof(enforce_statfs), "%d", sysval);
set_param("enforce_statfs", enforce_statfs);
}
}
}
#ifdef INET
if (ip4_addr != NULL)
set_param("ip4.addr", ip4_addr);
#endif
#ifdef INET6
if (ip6_addr != NULL)
set_param("ip6.addr", ip6_addr);
#endif
if (Jflag) {
fp = fopen(JidFile, "w");
if (fp == NULL)
errx(1, "Could not create JidFile: %s", JidFile);
}
jid = jailparam_set(params, nparams,
jail_set_flags ? jail_set_flags : JAIL_CREATE | JAIL_ATTACH);
if (jid < 0)
errx(1, "%s", jail_errmsg);
if (iflag) {
printf("%d\n", jid);
fflush(stdout);
}
if (Jflag) {
if (jail_set_flags) {
fprintf(fp, "jid=%d", jid);
for (i = 0; i < nparams; i++)
if (strcmp(params[i].jp_name, "jid")) {
fprintf(fp, " %s",
(char *)params[i].jp_name);
if (param_values[i]) {
putc('=', fp);
quoted_print(fp,
param_values[i]);
}
}
fprintf(fp, "\n");
} else {
for (i = 0; i < nparams; i++)
if (!strcmp(params[i].jp_name, "path"))
break;
#if defined(INET6) && defined(INET)
fprintf(fp, "%d\t%s\t%s\t%s%s%s\t%s\n",
jid, i < nparams
? (char *)params[i].jp_value : argv[0],
argv[1], ip4_addr ? ip4_addr : "",
ip4_addr && ip4_addr[0] && ip6_addr && ip6_addr[0]
? "," : "", ip6_addr ? ip6_addr : "", argv[3]);
#elif defined(INET6)
fprintf(fp, "%d\t%s\t%s\t%s\t%s\n",
jid, i < nparams
? (char *)params[i].jp_value : argv[0],
argv[1], ip6_addr ? ip6_addr : "", argv[3]);
#elif defined(INET)
fprintf(fp, "%d\t%s\t%s\t%s\t%s\n",
jid, i < nparams
? (char *)params[i].jp_value : argv[0],
argv[1], ip4_addr ? ip4_addr : "", argv[3]);
#endif
}
(void)fclose(fp);
}
if (cmdarg < 0)
exit(0);
if (username != NULL) {
if (Uflag)
GET_USER_INFO;
if (lflag) {
p = getenv("TERM");
environ = &cleanenv;
}
if (setgroups(ngroups, groups) != 0)
err(1, "setgroups");
if (setgid(pwd->pw_gid) != 0)
err(1, "setgid");
if (setusercontext(lcap, pwd, pwd->pw_uid,
LOGIN_SETALL & ~LOGIN_SETGROUP & ~LOGIN_SETLOGIN) != 0)
err(1, "setusercontext");
login_close(lcap);
}
if (lflag) {
if (*pwd->pw_shell)
shell = pwd->pw_shell;
else
shell = _PATH_BSHELL;
if (chdir(pwd->pw_dir) < 0)
errx(1, "no home directory");
setenv("HOME", pwd->pw_dir, 1);
setenv("SHELL", shell, 1);
setenv("USER", pwd->pw_name, 1);
if (p)
setenv("TERM", p, 1);
}
execvp(argv[cmdarg], argv + cmdarg);
err(1, "execvp: %s", argv[cmdarg]);
}
