rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to services which require this) when they are started as an automatic service jail. The sshd patch is important for the sshd-related functionality as described in the man-page in the service jails part. The location of the added env vars is supposed to allow overriding them in rc.conf, and to hard-disable the use of svcj for some parts where it doesn't make sense or will not work. Only a subset of all of the services are fully tested (I'm running this since more than a year with various services started as service jails). The untested parts should be most of the time ok, in some edge-cases more permissions are needed inside the service jail. Differential Revision: https://reviews.freebsd.org/D40371
HardenedBSD · May 22, 2024 · f99f0ee · f99f0ee
1 parent 2efbd48
commit f99f0ee
Show file tree

Hide file tree

Showing 166 changed files with 598 additions and 39 deletions.
diff --git a/libexec/rc/rc.d/accounting b/libexec/rc/rc.d/accounting
@@ -76,4 +76,8 @@ accounting_rotate_log()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't manipulate accounting
+accounting_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/adjkerntz b/libexec/rc/rc.d/adjkerntz
@@ -14,4 +14,8 @@ start_cmd="adjkerntz -i"
 stop_cmd=":"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: jail can't modify kerntz
+adjkerntz_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/apm b/libexec/rc/rc.d/apm
@@ -43,4 +43,8 @@ apm_status()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apm_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/apmd b/libexec/rc/rc.d/apmd
@@ -34,4 +34,8 @@ apmd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+apmd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/auditd b/libexec/rc/rc.d/auditd
@@ -32,4 +32,8 @@ auditd_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+auditd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/auditdistd b/libexec/rc/rc.d/auditdistd
@@ -17,5 +17,7 @@ command="/usr/sbin/${name}"
 required_files="/etc/security/${name}.conf"
 extra_commands="reload"
 
+: ${auditdistd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/automount b/libexec/rc/rc.d/automount
@@ -28,4 +28,8 @@ automount_stop()
 }
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automount_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/automountd b/libexec/rc/rc.d/automountd
@@ -17,4 +17,8 @@ command="/usr/sbin/${name}"
 required_modules="autofs"
 
 load_rc_config $name
+
+# mounting shall not be performed in a svcj
+automountd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/autounmountd b/libexec/rc/rc.d/autounmountd
@@ -16,4 +16,8 @@ pidfile="/var/run/${name}.pid"
 command="/usr/sbin/${name}"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+autounmountd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bgfsck b/libexec/rc/rc.d/bgfsck
@@ -46,4 +46,8 @@ bgfsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+bgfsck_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/blacklistd b/libexec/rc/rc.d/blacklistd
@@ -40,5 +40,8 @@ rcvar="blacklistd_enable"
 command="/usr/sbin/${name}"
 required_files="/etc/blacklistd.conf"
 
+# no svcj options needed
+: ${blacklistd_svcj_options:=""}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bluetooth b/libexec/rc/rc.d/bluetooth
@@ -317,5 +317,8 @@ bluetooth_stop()
 load_rc_config $name
 hccontrol="${bluetooth_hccontrol:-/usr/sbin/hccontrol}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bluetooth_svcj="NO"
+
 run_rc_command $*
 
diff --git a/libexec/rc/rc.d/bootparams b/libexec/rc/rc.d/bootparams
@@ -15,5 +15,7 @@ rcvar="bootparamd_enable"
 required_files="/etc/bootparams"
 command="/usr/sbin/${name}"
 
+: ${bootparamd_svcj_options:="net_basic"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bridge b/libexec/rc/rc.d/bridge
@@ -90,4 +90,8 @@ bridge_stop()
 iflist=$2
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+bridge_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/bsnmpd b/libexec/rc/rc.d/bsnmpd
@@ -13,6 +13,8 @@ desc="Simple and extensible SNMP daemon"
 rcvar="bsnmpd_enable"
 command="/usr/sbin/${name}"
 
+: ${bsnmpd_svcj_options:="net_basic"}
+
 load_rc_config $name
 pidfile="${bsnmpd_pidfile:-/var/run/snmpd.pid}"
 command_args="-p ${pidfile}"

diff --git a/libexec/rc/rc.d/bthidd b/libexec/rc/rc.d/bthidd
@@ -50,4 +50,7 @@ if evdev_enabled; then
 fi
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+bthidd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ccd b/libexec/rc/rc.d/ccd
@@ -21,4 +21,8 @@ ccd_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ccd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cfumass b/libexec/rc/rc.d/cfumass
@@ -145,4 +145,8 @@ cfumass_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+cfumass_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cleanvar b/libexec/rc/rc.d/cleanvar
@@ -43,4 +43,8 @@ cleanvar_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleanvar_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cleartmp b/libexec/rc/rc.d/cleartmp
@@ -57,4 +57,8 @@ cleartmp_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+cleartmp_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/cron b/libexec/rc/rc.d/cron
@@ -16,6 +16,11 @@ command="/usr/sbin/${name}"
 pidfile="/var/run/${name}.pid"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: in the generic case it may need
+# access to more than a jails allows
+cron_svcj="NO"
+
 if checkyesno cron_dst
 then
 	cron_flags="$cron_flags -s"

diff --git a/libexec/rc/rc.d/ctld b/libexec/rc/rc.d/ctld
@@ -19,4 +19,8 @@ required_modules="ctl"
 extra_commands="reload"
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+ctld_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ddb b/libexec/rc/rc.d/ddb
@@ -35,4 +35,7 @@ load_rc_config $name
 required_files="${ddb_config}"
 command_args="${ddb_config}"
 
+# doesn't make sense to run in a svcj: privileged operation
+ddb_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/defaultroute b/libexec/rc/rc.d/defaultroute
@@ -70,4 +70,8 @@ defaultroute_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+defaultroute_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devd b/libexec/rc/rc.d/devd
@@ -38,4 +38,8 @@ devd_prestart()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: executing potential privileged operations
+devd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devfs b/libexec/rc/rc.d/devfs
@@ -68,4 +68,8 @@ read_devfs_conf()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: may need more permissions
+devfs_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/devmatch b/libexec/rc/rc.d/devmatch
@@ -78,4 +78,8 @@ devmatch_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: privileged operations
+devmatch_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/dhclient b/libexec/rc/rc.d/dhclient
@@ -59,6 +59,9 @@ dhclient_prestart()
 load_rc_config $name
 load_rc_config network
 
+# dhclient_prestart is not compatible with svcj
+dhclient_svcj="NO"
+
 if [ -z $ifn ] ; then
 	# only complain if a command was specified but no interface
 	if [ -n "$1" ] ; then

diff --git a/libexec/rc/rc.d/dmesg b/libexec/rc/rc.d/dmesg
@@ -23,4 +23,8 @@ do_dmesg()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+dmesg_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/dnctl b/libexec/rc/rc.d/dnctl
@@ -16,6 +16,9 @@ start_cmd="${name}_start"
 required_files="$dnctl_rules"
 required_modules="dummynet"
 
+# doesn't make sense to run in a svcj: config setting
+dnctl_svcj="NO"
+
 dnctl_start()
 {
 	startmsg -n "Enabling ${name}"

diff --git a/libexec/rc/rc.d/dumpon b/libexec/rc/rc.d/dumpon
@@ -97,4 +97,8 @@ dumpon_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+dumpon_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/fsck b/libexec/rc/rc.d/fsck
@@ -91,4 +91,8 @@ fsck_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj
+fsck_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ftp-proxy b/libexec/rc/rc.d/ftp-proxy
@@ -13,6 +13,8 @@ desc="Internet File Transfer Protocol proxy daemon"
 rcvar="ftpproxy_enable"
 command="/usr/sbin/ftp-proxy"
 
+: ${ftpproxy_svcj_options:="net_basic"}
+
 load_rc_config $name
 
 #

diff --git a/libexec/rc/rc.d/ftpd b/libexec/rc/rc.d/ftpd
@@ -13,13 +13,11 @@ desc="Internet File Transfer Protocol daemon"
 rcvar="ftpd_enable"
 command="/usr/libexec/${name}"
 pidfile="/var/run/${name}.pid"
-start_precmd=ftpd_prestart
 
-ftpd_prestart()
-{
-	rc_flags="-D ${rc_flags}"
-	return 0
-}
+: ${ftpd_svcj_options:="net_basic"}
 
 load_rc_config $name
+
+flags="-D ${flags} ${rc_flags}"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/geli b/libexec/rc/rc.d/geli
@@ -121,4 +121,8 @@ geli_stop()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/geli2 b/libexec/rc/rc.d/geli2
@@ -55,4 +55,8 @@ geli2_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+geli2_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/ggated b/libexec/rc/rc.d/ggated
@@ -14,6 +14,9 @@ pidfile="/var/run/${name}.pid"
 load_rc_config $name
 required_files="${ggated_config}"
 
+# XXX?: doesn't make sense to run in a svcj: low-level access
+ggated_svcj="NO"
+
 command_args="${ggated_config}"
 
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/gptboot b/libexec/rc/rc.d/gptboot
@@ -73,4 +73,8 @@ gptboot_report()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+gptboot_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/growfs b/libexec/rc/rc.d/growfs
@@ -306,4 +306,8 @@ growfs_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/growfs_fstab b/libexec/rc/rc.d/growfs_fstab
@@ -58,4 +58,8 @@ growfs_fstab_start()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: config setting
+growfs_fstab_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/gssd b/libexec/rc/rc.d/gssd
@@ -13,5 +13,7 @@ name=gssd
 desc="Generic Security Services Daemon"
 rcvar=gssd_enable
 
+: ${gssd_svcj_options:="net_basic nfsd"}
+
 load_rc_config $name
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hastd b/libexec/rc/rc.d/hastd
@@ -26,4 +26,8 @@ hastd_stop_precmd()
 }
 
 load_rc_config $name
+
+# doesn't make sense to run in a svcj: nojail keyword
+hastd_svcj="NO"
+
 run_rc_command "$1"
diff --git a/libexec/rc/rc.d/hcsecd b/libexec/rc/rc.d/hcsecd
@@ -21,4 +21,7 @@ config="${hcsecd_config:-/etc/bluetooth/${name}.conf}"
 command_args="-f ${config}"
 required_files="${config}"
 
+# doesn't make sense to run in a svcj: nojail keyword
+hcsecd_svcj="NO"
+
 run_rc_command "$1"