Created
June 18, 2014 15:19
qjail-3.3 + devfs_ruleset (-b -B) + sysvipc (-y -Y) + man page update (for Upstream)
diff -rupN qjail-3.3/qjail qjail-3.3-patches-with-man.qjail.8/qjail | |
--- qjail-3.3/qjail 2014-05-09 15:13:46.000000000 +0100 | |
+++ qjail-3.3-patches-with-man.qjail.8/qjail 2014-06-18 12:57:31.000000000 +0100 | |
@@ -59,7 +59,7 @@ syntax_archive="Syntax: qjail archive [- | |
syntax_delete="Syntax: qjail delete [-z zone] [-A] [jailname...]" | |
syntax_restore="Syntax: qjail restore [-z zone] [-s] [jailname...]" | |
syntax_config="Syntax: qjail config [-z zone] [-c newnic] [-f value]\n\ | |
- [-A -d -h -k -K -l -L -m -M -q -Q -r -R -v -V -x -X]\n\ | |
+ [-A -d -h -k -K -b -B -y -Y -l -L -m -M -q -Q -r -R -v -V -x -X]\n\ | |
[-n newname] [-p value] [-s value] [-w value]\n\ | |
[-4 newIPv4...] [-6 newIPv6...] jailname" | |
syntax_update="Syntax: qjail update [-z zone] [-b] [-p] [-l on|off]" | |
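Review bot: The usage string lists `-b` inside the group of argument-less switches, but the getopts string later in this patch declares it as `b:`, so it requires a ruleset number. Move it next to the other valued options, e.g. `[-b ruleset] [-n newname] [-p value] [-s value] [-w value]\n\`, and keep only `-B -y -Y` in the switch group. The qjail.8 synopsis hunk has the same mismatch.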
@@ -341,6 +341,8 @@ passed_deffile=$1 | |
echo "vnet=\"${vnet}\"" | |
echo "vinterface=\"${vnet_interface}\"" | |
echo "rsockets=\"${allow_raw_sockets}\"" | |
+ echo "devfs_ruleset=\"${devfs_ruleset}\"" | |
+ echo "sysvipc=\"${allow_sysvipc}\"" | |
echo "quotas=\"${allow_quotas}\"" | |
echo "nullfs=\"${allow_mount_nullfs}\"" | |
echo "zfs=\"${allow_mount_zfs}\"" | |
@@ -383,6 +385,7 @@ read-definition () { | |
unset nic_devicename fstab securelevel cpuset_id | |
unset exec_fib vnet vnet_interface allow_raw_sockets | |
unset allow_quotas allow_mount_nullfs allow_mount_zfs | |
+ unset allow_sysvipc devfs_ruleset | |
unset devicelink device device_md_number | |
unset deffile poststart_ssh | |
unset image imagetype | |
@@ -410,6 +413,8 @@ read-definition () { | |
eval vnet=\"\${vnet}\" | |
eval vnet_interface=\"\${vinterface}\" | |
eval allow_raw_sockets=\"\${rsockets}\" | |
+ eval devfs_ruleset=\"\${devfs_ruleset}\" | |
+ eval allow_sysvipc=\"\${sysvipc}\" | |
eval allow_quotas=\"\${quotas}\" | |
eval allow_mount_nullfs=\"\${nullfs}\" | |
eval allow_mount_zfs=\"\${zfs}\" | |
@@ -477,6 +482,12 @@ build_config_def () { | |
[ ${allow_raw_sockets} ] && \ | |
echo "allow.raw_sockets;" | |
+ [ ${devfs_ruleset} ] && \ | |
+ echo "devfs_ruleset = \"${devfs_ruleset}\";" | |
+ | |
+ [ ${allow_sysvipc} ] && \ | |
+ echo "allow.sysvipc;" | |
+ | |
[ ${allow_quotas} ] && \ | |
echo "allow.quotas;" | |
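Review bot: `devfs_ruleset` is copied from the definition file into the generated jail configuration with no check at this point; the only integer validation in the patch sits in the `config -b` branch. A definition file that was edited by hand or restored from an archive could therefore place an arbitrary string between the quotes. Consider re-checking the value where it is emitted, e.g. `[ "${devfs_ruleset}" -ge 0 ] 2> /dev/null && \`, which also quotes the expansion that the new test leaves bare. build_config_def continues outside the hunk.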
@@ -2848,7 +2859,7 @@ config () { | |
flag_count=0 | |
- shift; while getopts c:f:4:6:n:p:s:w:z:AdhkKlLmMrRqQvVxX arg; \ | |
+ shift; while getopts c:f:4:6:n:p:s:w:z:AdhkKb:ByYlLmMrRqQvVxX arg; \ | |
do case ${arg} in | |
c) new_nic=${OPTARG}; flag_count=$(( $flag_count + 1 ));; | |
f) fib=${OPTARG}; flag_count=$(( $flag_count + 1 ));; | |
@@ -2864,6 +2875,10 @@ config () { | |
h) create_ssh="YES"; flag_count=$(( $flag_count + 1 ));; | |
k) rawsockets="YES"; flag_count=$(( $flag_count + 1 ));; | |
K) rawsockets="NO"; flag_count=$(( $flag_count + 1 ));; | |
+ b) devfsruleset=${OPTARG}; flag_count=$(( $flag_count + 1 ));; | |
+ B) devfsruleset="NO"; flag_count=$(( $flag_count + 1 ));; | |
+ y) sysv="YES"; flag_count=$(( $flag_count + 1 ));; | |
+ Y) sysv="NO"; flag_count=$(( $flag_count + 1 ));; | |
l) nullfs="YES"; flag_count=$(( $flag_count + 1 ));; | |
L) nullfs="NO"; flag_count=$(( $flag_count + 1 ));; | |
m) man_start="YES"; flag_count=$(( $flag_count + 1 ));; | |
@@ -3458,6 +3473,41 @@ config () { | |
post_msg "Successful disabled allow.raw_sockets for ${jailname}" | |
continue | |
fi | |
+ | |
+ if [ -n "${devfsruleset}" ]; then | |
+ if [ "${devfsruleset}" = "NO" ]; then | |
+ unset devfs_ruleset | |
+ write-definition "${deffile}" | |
+ post_msg "Successfully disabled devfs_ruleset for ${jailname}" | |
+ continue | |
+ else | |
+ # Check that the value is a positive integer | |
+ if [ "${devfsruleset}" -ge 0 2> /dev/null ]; then | |
+ devfs_ruleset="${devfsruleset}" | |
+ write-definition "${deffile}" | |
+ post_msg "Successfully set devfs_ruleset for ${jailname}" | |
+ continue | |
+ else | |
+ post_msg "Error: devfs_rulset should be a positive number e.g. 10, 20" | |
+ post_msg "and defined in: /etc/defaults/devfs.rules or /etc/devfs.rules." | |
+ kill "Type 'man devfs.rules' for more information." | |
+ fi | |
+ fi | |
+ fi | |
+ | |
+ if [ "${sysv}" = "YES" ]; then | |
+ allow_sysvipc="allow.sysvipc" | |
+ write-definition "${deffile}" | |
+ post_msg "Successfully enabled allow.sysvipc for ${jailname}" | |
+ continue | |
+ fi | |
+ | |
+ if [ "${sysv}" = "NO" ]; then | |
+ unset allow_sysvipc | |
+ write-definition "${deffile}" | |
+ post_msg "Successfully disabled allow.sysvipc for ${jailname}" | |
+ continue | |
+ fi | |
if [ "${quota}" = "YES" ]; then | |
allow_quotas="allow.quotas" | |
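Review bot: The devfs_ruleset check accepts 0 although its comment says "positive integer", and the man page text added by this same patch states that ruleset 0 enforces nothing and exposes every device node to the jail. If 0 is meant to stay possible it deserves an explicit warning through `post_msg`; otherwise tighten the test to `if [ "${devfsruleset}" -gt 0 ] 2> /dev/null; then`. The test also cannot tell whether the numbered ruleset is actually defined, a case the man page says is treated as 0 too, so the success message should not imply that the jail is restricted. The error text misspells the option as `devfs_rulset`. config() starts and ends outside the hunk.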
diff -rupN qjail-3.3/qjail.8 qjail-3.3-patches-with-man.qjail.8/qjail.8 | |
--- qjail-3.3/qjail.8 2014-04-29 20:40:34.000000000 +0100 | |
+++ qjail-3.3-patches-with-man.qjail.8/qjail.8 2014-06-18 16:11:13.000000000 +0100 | |
@@ -29,7 +29,7 @@ delete [-z zone] [-A] [jailname...] | |
restore [-z zone] [-s] [jailname...] | |
.Nm | |
config [-z zone] [-c newnic] [-n newname] | |
- [-A -d -h -k -K -l -L -m -M -q -Q -r -R -v -V -x -X] | |
+ [-A -d -h -k -K -b -B -y -Y -l -L -m -M -q -Q -r -R -v -V -x -X] | |
[-f value] [-p value] [-s value] [-w value] | |
[-4 newIPv4...] [-6 newIPv6...] jailname | |
.Nm | |
@@ -850,6 +850,39 @@ this option. Recommend using dig or whoi | |
public access. | |
.It Fl K | |
Upper case K disables the allow.raw_sockets per-jail option. | |
+.It Fl b | |
+.hy 0 | |
+Lower case b enables the devfs_ruleset per-jail option. | |
+The number of the devfs ruleset that is enforced for mounting | |
+devfs in this jail. Devfs rules and rulesets cannot be viewed or | |
+modified from inside a running jail. | |
+ | |
+BE CAREFUL! A value of zero means no ruleset is enforced and full | |
+access is granted to all devices. Any fictional value where the | |
+specified ruleset is not defined will also be treated as 0 and | |
+grant full access to all devices. | |
+ | |
+In particular, access to raw disk devices inside of a jail may | |
+permit processes to bypass the jail sandbox by modifying files | |
+outside of a jail. | |
+ | |
+See devfs(8) for information on how to create devfs rulesets to | |
+limit access and expose only appropriate device nodes to a jail. | |
+You should always start from the basic jail ruleset of 4, as seen | |
+in /etc/defaults/devfs.rules. Documented in devfs.rules(5). | |
+.It Fl B | |
+Upper case B disables the devfs_ruleset per-jail option and reverts | |
+the jail to the default devfs ruleset for jails, ruleset #4. | |
+.It Fl y | |
+.hy 0 | |
+Lower case y enables the allow.sysvipc per-jail option. | |
+Grant processes within the jail access to System V IPC (semaphores). | |
+ | |
+Enabling sysvipc reduces jail security in respect to shared memory. | |
+This feature should not be used unless absolutely necessary when no | |
+other option is available. Documented in ipcs(1). | |
+.It Fl Y | |
+Upper case Y disables the allow.sysvipc per-jail option. | |
.It Fl l | |
.hy 0 | |
Lower case l enables the allow.mount.nullfs per-jail option. |