Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),

sockstat(1), ugidfw(8) These are the last of the jail-aware userland utilities that didn't work with names. PR: 229266 MFC after: 3 days Differential Revision: D16047
svn path=/head/; revision=335921
2024-07-23 11:16:33 +00:00 · 2018-07-03 23:47:20 +00:00 · 2018-07-03 23:47:20 +00:00 · de68a3200a · 2020-12-20 02:59:44 +00:00
parent 1abd10a2ea
commit de68a3200a
10 changed files with 64 additions and 27 deletions
--- a/lib/libugidfw/ugidfw.c
+++ b/lib/libugidfw/ugidfw.c
@ -34,9 +34,11 @@
 */
 #include <sys/param.h>
 #include <sys/errno.h>
+#include <sys/jail.h>
 #include <sys/time.h>
 #include <sys/sysctl.h>
 #include <sys/ucred.h>
+#include <sys/uio.h>
 #include <sys/mount.h>

 #include <security/mac_bsdextended/mac_bsdextended.h>
@ -599,17 +601,46 @@ bsde_parse_gidrange(char *spec, gid_t *min, gid_t *max,
 	return (0);
 }

+static int
+bsde_get_jailid(const char *name, size_t buflen, char *errstr)
+{
+	char *ep;
+	int jid;
+	struct iovec jiov[4];
+
+	/* Copy jail_getid(3) instead of messing with library dependancies */
+	jid = strtoul(name, &ep, 10);
+	if (*name && !*ep)
+		return jid;
+	jiov[0].iov_base = __DECONST(char *, "name");
+	jiov[0].iov_len = sizeof("name");
+	jiov[1].iov_len = strlen(name) + 1;
+	jiov[1].iov_base = alloca(jiov[1].iov_len);
+	strcpy(jiov[1].iov_base, name);
+	if (errstr && buflen) {
+		jiov[2].iov_base = __DECONST(char *, "errmsg");
+		jiov[2].iov_len = sizeof("errmsg");
+		jiov[3].iov_base = errstr;
+		jiov[3].iov_len = buflen;
+		errstr[0] = 0;
+		jid = jail_get(jiov, 4, 0);
+		if (jid < 0 && !errstr[0])
+			snprintf(errstr, buflen, "jail_get: %s",
+			    strerror(errno));
+	} else
+		jid = jail_get(jiov, 2, 0);
+	return jid;
+}
+
 static int
 bsde_parse_subject(int argc, char *argv[],
    struct mac_bsdextended_subject *subject, size_t buflen, char *errstr)
 {
 	int not_seen, flags;
 	int current, neg, nextnot;
-	char *endp;
 	uid_t uid_min, uid_max;
 	gid_t gid_min, gid_max;
 	int jid = 0;
-	long value;

 	current = 0;
 	flags = 0;
@ -668,13 +699,9 @@ bsde_parse_subject(int argc, char *argv[],
 				snprintf(errstr, buflen, "one jail only");
 				return (-1);
 			}
-			value = strtol(argv[current+1], &endp, 10);
-			if (*endp != '\0') {
-				snprintf(errstr, buflen, "invalid jid: '%s'",
-				    argv[current+1]);
+			jid = bsde_get_jailid(argv[current+1], buflen, errstr);
+			if (jid < 0)
 				return (-1);
-			}
-			jid = value;
 			flags |= MBS_PRISON_DEFINED;
 			if (nextnot) {
 				neg ^= MBS_PRISON_DEFINED;
--- a/sbin/ipfw/Makefile
+++ b/sbin/ipfw/Makefile
@ -13,7 +13,7 @@ SRCS+=	altq.c
 CFLAGS+=-DPF
 .endif

-LIBADD=	util
+LIBADD=	jail util
 MAN=	ipfw.8

 .include <bsd.prog.mk>
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 28, 2018
+.Dd July 3, 2018
 .Dt IPFW 8
 .Os
 .Sh NAME
@ -1535,10 +1535,10 @@ Matches all TCP or UDP packets sent by or received for a
 A
 .Ar group
 may be specified by name or number.
-.It Cm jail Ar prisonID
+.It Cm jail Ar jail
 Matches all TCP or UDP packets sent by or received for the
-jail whos prison ID is
-.Ar prisonID .
+jail whose ID or name is
+.Ar jail .
 .It Cm icmptypes Ar types
 Matches ICMP packets whose ICMP type is in the list
 .Ar types .
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@ -32,6 +32,7 @@
 #include <err.h>
 #include <errno.h>
 #include <grp.h>
+#include <jail.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <stdio.h>
@ -4581,13 +4582,12 @@ compile_rule(char *av[], uint32_t *rbuf, int *rbufsize, struct tidx *tstate)
 		case TOK_JAIL:
 			NEED1("jail requires argument");
 		    {
-			char *end;
 			int jid;

 			cmd->opcode = O_JAIL;
-			jid = (int)strtol(*av, &end, 0);
-			if (jid < 0 || *end != '\0')
-				errx(EX_DATAERR, "jail requires prison ID");
+			jid = jail_getid(*av);
+			if (jid < 0)
+				errx(EX_DATAERR, "%s", jail_errmsg);
 			cmd32->d[0] = (uint32_t)jid;
 			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
 			av++;
--- a/usr.bin/cpuset/Makefile
+++ b/usr.bin/cpuset/Makefile
@ -2,4 +2,6 @@

 PROG=   cpuset

+LIBADD=	jail
+
 .include <bsd.prog.mk>
--- a/usr.bin/cpuset/cpuset.1
+++ b/usr.bin/cpuset/cpuset.1
@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 26, 2018
+.Dd July 3, 2018
 .Dt CPUSET 1
 .Os
 .Sh NAME
@ -56,7 +56,7 @@
 .Nm
 .Fl g
 .Op Fl cir
-.Op Fl d Ar domain | Fl j Ar jailid | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
+.Op Fl d Ar domain | Fl j Ar jail | Fl p Ar pid | Fl t Ar tid | Fl s Ar setid | Fl x Ar irq
 .Sh DESCRIPTION
 The
 .Nm
@ -68,7 +68,7 @@ available processors and memory domains in the system.
 .Nm
 requires a target to modify or query.
 The target may be specified as a command, process id, thread id, a
-cpuset id, an irq, a jail id, or a NUMA domain.
+cpuset id, an irq, a jail, or a NUMA domain.
 Using
 .Fl g
 the target's set id or mask may be queried.
@ -136,8 +136,8 @@ the id of the target.
 When used with the
 .Fl g
 option print the id rather than the valid mask of the target.
-.It Fl j Ar jailid
-Specifies a jail id as the target of the operation.
+.It Fl j Ar jail
+Specifies a jail id or name as the target of the operation.
 .It Fl l Ar cpu-list
 Specifies a list of CPUs to apply to a target.
 Specification may include
--- a/usr.bin/cpuset/cpuset.c
+++ b/usr.bin/cpuset/cpuset.c
@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#include <jail.h>
 #include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
@ -320,7 +321,9 @@ main(int argc, char *argv[])
 		case 'j':
 			jflag = 1;
 			which = CPU_WHICH_JAIL;
-			id = atoi(optarg);
+			id = jail_getid(optarg);
+			if (id < 0)
+				errx(EXIT_FAILURE, "%s", jail_errmsg);
 			break;
 		case 'l':
 			lflag = 1;
--- a/usr.bin/sockstat/Makefile
+++ b/usr.bin/sockstat/Makefile
@ -2,4 +2,6 @@

 PROG=		sockstat

+LIBADD=		jail
+
 .include <bsd.prog.mk>
--- a/usr.bin/sockstat/sockstat.1
+++ b/usr.bin/sockstat/sockstat.1
@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 23, 2018
+.Dd July 3, 2018
 .Dt SOCKSTAT 1
 .Os
 .Sh NAME
@ -58,8 +58,8 @@ Show
 (IPv6) sockets.
 .It Fl c
 Show connected sockets.
-.It Fl j Ar jid
-Show only sockets belonging to the specified jail ID.
+.It Fl j Ar jail
+Show only sockets belonging to the specified jail ID or name.
 .It Fl L
 Only show Internet sockets if the local and foreign addresses are not
 in the loopback network prefix
--- a/usr.bin/sockstat/sockstat.c
+++ b/usr.bin/sockstat/sockstat.c
@ -57,6 +57,7 @@ __FBSDID("$FreeBSD$");
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
+#include <jail.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <stdarg.h>
@ -1263,7 +1264,9 @@ main(int argc, char *argv[])
 			opt_c = 1;
 			break;
 		case 'j':
-			opt_j = atoi(optarg);
+			opt_j = jail_getid(optarg);
+			if (opt_j < 0)
+				errx(1, "%s", jail_errmsg);
 			break;
 		case 'L':
 			opt_L = 1;