usr.sbin/jail/config.c

139743Simp/*-
39212Sgibbs * Copyright (c) 2011 James Gritton
39212Sgibbs * All rights reserved.
39212Sgibbs *
39212Sgibbs * Redistribution and use in source and binary forms, with or without
39212Sgibbs * modification, are permitted provided that the following conditions
39212Sgibbs * are met:
39212Sgibbs * 1. Redistributions of source code must retain the above copyright
39212Sgibbs *    notice, this list of conditions and the following disclaimer.
39212Sgibbs * 2. Redistributions in binary form must reproduce the above copyright
39212Sgibbs *    notice, this list of conditions and the following disclaimer in the
39212Sgibbs *    documentation and/or other materials provided with the distribution.
39212Sgibbs *
39212Sgibbs * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
39212Sgibbs * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
39212Sgibbs * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
39212Sgibbs * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
39212Sgibbs * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
39212Sgibbs * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
39212Sgibbs * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
39212Sgibbs * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
39212Sgibbs * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39212Sgibbs * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39212Sgibbs * SUCH DAMAGE.
39212Sgibbs */
39212Sgibbs
39212Sgibbs#include <sys/cdefs.h>
50477Speter__FBSDID("$FreeBSD: stable/10/usr.sbin/jail/config.c 256387 2013-10-12 17:46:13Z hrs $");
39212Sgibbs
39212Sgibbs#include <sys/types.h>
39212Sgibbs#include <sys/errno.h>
39212Sgibbs#include <sys/socket.h>
39212Sgibbs#include <sys/sysctl.h>
39212Sgibbs
39212Sgibbs#include <arpa/inet.h>
47412Sgibbs#include <netinet/in.h>
114216Skan
55206Speter#include <err.h>
39212Sgibbs#include <netdb.h>
39212Sgibbs#include <stdio.h>
39212Sgibbs#include <stdlib.h>
39212Sgibbs#include <string.h>
195534Sscottl#include <unistd.h>
39212Sgibbs
39212Sgibbs#include "jailp.h"
39212Sgibbs
39212Sgibbsstruct ipspec {
39212Sgibbs	const char	*name;
39212Sgibbs	unsigned	flags;
39212Sgibbs};
39212Sgibbs
39212Sgibbsextern FILE *yyin;
39212Sgibbsextern int yynerrs;
39212Sgibbs
39212Sgibbsextern int yyparse(void);
39212Sgibbs
39212Sgibbsstruct cfjails cfjails = TAILQ_HEAD_INITIALIZER(cfjails);
39212Sgibbs
39212Sgibbsstatic void free_param(struct cfparams *pp, struct cfparam *p);
39212Sgibbsstatic void free_param_strings(struct cfparam *p);
39212Sgibbs
63455Sgibbsstatic const struct ipspec intparams[] = {
63455Sgibbs    [IP_ALLOW_DYING] =		{"allow.dying",		PF_INTERNAL | PF_BOOL},
63455Sgibbs    [IP_COMMAND] =		{"command",		PF_INTERNAL},
63455Sgibbs    [IP_DEPEND] =		{"depend",		PF_INTERNAL},
246713Skib    [IP_EXEC_CLEAN] =		{"exec.clean",		PF_INTERNAL | PF_BOOL},
39212Sgibbs    [IP_EXEC_CONSOLELOG] =	{"exec.consolelog",	PF_INTERNAL},
216088Sken    [IP_EXEC_FIB] =		{"exec.fib",		PF_INTERNAL | PF_INT},
39212Sgibbs    [IP_EXEC_JAIL_USER] =	{"exec.jail_user",	PF_INTERNAL},
39212Sgibbs    [IP_EXEC_POSTSTART] =	{"exec.poststart",	PF_INTERNAL},
39212Sgibbs    [IP_EXEC_POSTSTOP] =	{"exec.poststop",	PF_INTERNAL},
39212Sgibbs    [IP_EXEC_PRESTART] =	{"exec.prestart",	PF_INTERNAL},
246713Skib    [IP_EXEC_PRESTOP] =		{"exec.prestop",	PF_INTERNAL},
246713Skib    [IP_EXEC_START] =		{"exec.start",		PF_INTERNAL},
246713Skib    [IP_EXEC_STOP] =		{"exec.stop",		PF_INTERNAL},
246713Skib    [IP_EXEC_SYSTEM_JAIL_USER]=	{"exec.system_jail_user",
246713Skib							PF_INTERNAL | PF_BOOL},
246713Skib    [IP_EXEC_SYSTEM_USER] =	{"exec.system_user",	PF_INTERNAL},
39212Sgibbs    [IP_EXEC_TIMEOUT] =		{"exec.timeout",	PF_INTERNAL | PF_INT},
39212Sgibbs#if defined(INET) || defined(INET6)
39212Sgibbs    [IP_INTERFACE] =		{"interface",		PF_INTERNAL},
39212Sgibbs    [IP_IP_HOSTNAME] =		{"ip_hostname",		PF_INTERNAL | PF_BOOL},
39212Sgibbs#endif
39212Sgibbs    [IP_MOUNT] =		{"mount",		PF_INTERNAL | PF_REV},
39212Sgibbs    [IP_MOUNT_DEVFS] =		{"mount.devfs",		PF_INTERNAL | PF_BOOL},
39212Sgibbs    [IP_MOUNT_FDESCFS] =	{"mount.fdescfs",	PF_INTERNAL | PF_BOOL},
39212Sgibbs    [IP_MOUNT_FSTAB] =		{"mount.fstab",		PF_INTERNAL},
39212Sgibbs    [IP_STOP_TIMEOUT] =		{"stop.timeout",	PF_INTERNAL | PF_INT},
39212Sgibbs    [IP_VNET_INTERFACE] =	{"vnet.interface",	PF_INTERNAL},
39212Sgibbs#ifdef INET
39212Sgibbs    [IP__IP4_IFADDR] =		{"ip4.addr",	PF_INTERNAL | PF_CONV | PF_REV},
39212Sgibbs#endif
39212Sgibbs#ifdef INET6
39212Sgibbs    [IP__IP6_IFADDR] =		{"ip6.addr",	PF_INTERNAL | PF_CONV | PF_REV},
58111Sn_hibma#endif
39212Sgibbs    [IP__MOUNT_FROM_FSTAB] =	{"mount.fstab",	PF_INTERNAL | PF_CONV | PF_REV},
39212Sgibbs    [IP__OP] =			{NULL,			PF_CONV},
39212Sgibbs    [KP_ALLOW_CHFLAGS] =	{"allow.chflags",	0},
56145Smjacob    [KP_ALLOW_MOUNT] =		{"allow.mount",		0},
56145Smjacob    [KP_ALLOW_RAW_SOCKETS] =	{"allow.raw_sockets",	0},
56145Smjacob    [KP_ALLOW_SET_HOSTNAME]=	{"allow.set_hostname",	0},
248520Skib    [KP_ALLOW_SOCKET_AF] =	{"allow.socket_af",	0},
39212Sgibbs    [KP_ALLOW_SYSVIPC] =	{"allow.sysvipc",	0},
56145Smjacob    [KP_DEVFS_RULESET] =	{"devfs_ruleset",	0},
56145Smjacob    [KP_ENFORCE_STATFS] =	{"enforce_statfs",	0},
56145Smjacob    [KP_HOST_HOSTNAME] =	{"host.hostname",	0},
260387Sscottl#ifdef INET
260387Sscottl    [KP_IP4_ADDR] =		{"ip4.addr",		0},
260387Sscottl#endif
39212Sgibbs#ifdef INET6
39212Sgibbs    [KP_IP6_ADDR] =		{"ip6.addr",		0},
255870Sscottl#endif
255870Sscottl    [KP_JID] =			{"jid",			0},
292348Sken    [KP_NAME] =			{"name",		0},
292348Sken    [KP_PATH] =			{"path",		0},
292348Sken    [KP_PERSIST] =		{"persist",		0},
255870Sscottl    [KP_SECURELEVEL] =		{"securelevel",		0},
255870Sscottl    [KP_VNET] =			{"vnet",		0},
39212Sgibbs};
39212Sgibbs
46581Sken/*
46581Sken * Parse the jail configuration file.
46581Sken */
46581Skenvoid
46581Skenload_config(void)
46581Sken{
49925Sgibbs	struct cfjails wild;
49925Sgibbs	struct cfparams opp;
39212Sgibbs	struct cfjail *j, *tj, *wj;
46581Sken	struct cfparam *p, *vp, *tp;
46581Sken	struct cfstring *s, *vs, *ns;
49925Sgibbs	struct cfvar *v;
46581Sken	char *ep;
46581Sken	size_t varoff;
46581Sken	int did_self, jseq, pgen;
46581Sken
46581Sken	if (!strcmp(cfname, "-")) {
46581Sken		cfname = "STDIN";
46581Sken		yyin = stdin;
46581Sken	} else {
203108Smav		yyin = fopen(cfname, "r");
46581Sken		if (!yyin)
46581Sken			err(1, "%s", cfname);
46581Sken	}
46581Sken	if (yyparse() || yynerrs)
46581Sken		exit(1);
46581Sken
46581Sken	/* Separate the wildcard jails out from the actual jails. */
46581Sken	jseq = 0;
46581Sken	TAILQ_INIT(&wild);
46581Sken	TAILQ_FOREACH_SAFE(j, &cfjails, tq, tj) {
46581Sken		j->seq = ++jseq;
47412Sgibbs		if (wild_jail_name(j->name))
47412Sgibbs			requeue(j, &wild);
47412Sgibbs	}
47412Sgibbs
223081Sgibbs	TAILQ_FOREACH(j, &cfjails, tq) {
223081Sgibbs		/* Set aside the jail's parameters. */
260387Sscottl		TAILQ_INIT(&opp);
260387Sscottl		TAILQ_CONCAT(&opp, &j->params, tq);
260387Sscottl		/*
39212Sgibbs		 * The jail name implies its "name" or "jid" parameter,
46581Sken		 * though they may also be explicitly set later on.
46581Sken		 */
46581Sken		add_param(j, NULL,
46581Sken		    strtol(j->name, &ep, 10) && !*ep ? KP_JID : KP_NAME,
49925Sgibbs		    j->name);
46581Sken		/*
46581Sken		 * Collect parameters for the jail, global parameters/variables,
46581Sken		 * and any matching wildcard jails.
46581Sken		 */
46581Sken		did_self = 0;
46581Sken		TAILQ_FOREACH(wj, &wild, tq) {
46581Sken			if (j->seq < wj->seq && !did_self) {
46581Sken				TAILQ_FOREACH(p, &opp, tq)
39212Sgibbs					add_param(j, p, 0, NULL);
39212Sgibbs				did_self = 1;
39212Sgibbs			}
46581Sken			if (wild_jail_match(j->name, wj->name))
46581Sken				TAILQ_FOREACH(p, &wj->params, tq)
39212Sgibbs					add_param(j, p, 0, NULL);
39212Sgibbs		}
39212Sgibbs		if (!did_self)
46581Sken			TAILQ_FOREACH(p, &opp, tq)
46581Sken				add_param(j, p, 0, NULL);
39212Sgibbs
39212Sgibbs		/* Resolve any variable substitutions. */
39212Sgibbs		pgen = 0;
39212Sgibbs		TAILQ_FOREACH(p, &j->params, tq) {
195534Sscottl		    p->gen = ++pgen;
195534Sscottl		find_vars:
39212Sgibbs		    TAILQ_FOREACH(s, &p->val, tq) {
196008Smjacob			varoff = 0;
196008Smjacob			while ((v = STAILQ_FIRST(&s->vars))) {
196008Smjacob				TAILQ_FOREACH(vp, &j->params, tq)
196008Smjacob					if (!strcmp(vp->name, v->name))
196008Smjacob						break;
196008Smjacob				if (!vp) {
196008Smjacob					jail_warnx(j,
196008Smjacob					    "%s: variable \"%s\" not found",
196008Smjacob					    p->name, v->name);
208582Smjacob				bad_var:
216088Sken					j->flags |= JF_FAILED;
216088Sken					TAILQ_FOREACH(vp, &j->params, tq)
216088Sken						if (vp->gen == pgen)
208582Smjacob							vp->flags |= PF_BAD;
208582Smjacob					goto free_var;
208582Smjacob				}
208582Smjacob				if (vp->flags & PF_BAD)
39212Sgibbs					goto bad_var;
46581Sken				if (vp->gen == pgen) {
46581Sken					jail_warnx(j, "%s: variable loop",
74840Sken					    v->name);
46581Sken					goto bad_var;
39212Sgibbs				}
39212Sgibbs				TAILQ_FOREACH(vs, &vp->val, tq)
46581Sken					if (!STAILQ_EMPTY(&vs->vars)) {
46581Sken						vp->gen = pgen;
49925Sgibbs						TAILQ_REMOVE(&j->params, vp,
46581Sken						    tq);
46581Sken						TAILQ_INSERT_BEFORE(p, vp, tq);
46581Sken						p = vp;
49925Sgibbs						goto find_vars;
46581Sken					}
46581Sken				vs = TAILQ_FIRST(&vp->val);
196008Smjacob				if (TAILQ_NEXT(vs, tq) != NULL &&
196008Smjacob				    (s->s[0] != '\0' ||
196008Smjacob				     STAILQ_NEXT(v, tq))) {
196008Smjacob					jail_warnx(j, "%s: array cannot be "
46581Sken					    "substituted inline",
196008Smjacob					    p->name);
46581Sken					goto bad_var;
302376Struckman				}
302376Struckman				s->s = erealloc(s->s, s->len + vs->len + 1);
39212Sgibbs				memmove(s->s + v->pos + varoff + vs->len,
39212Sgibbs				    s->s + v->pos + varoff,
46581Sken				    s->len - (v->pos + varoff) + 1);
39212Sgibbs				memcpy(s->s + v->pos + varoff, vs->s, vs->len);
39212Sgibbs				varoff += vs->len;
46581Sken				s->len += vs->len;
46581Sken				while ((vs = TAILQ_NEXT(vs, tq))) {
46581Sken					ns = emalloc(sizeof(struct cfstring));
46581Sken					ns->s = estrdup(vs->s);
49925Sgibbs					ns->len = vs->len;
46581Sken					STAILQ_INIT(&ns->vars);
46581Sken					TAILQ_INSERT_AFTER(&p->val, s, ns, tq);
44499Sgibbs					s = ns;
49925Sgibbs				}
49925Sgibbs			free_var:
49925Sgibbs				free(v->name);
49925Sgibbs				STAILQ_REMOVE_HEAD(&s->vars, tq);
74840Sken				free(v);
74840Sken			}
74840Sken		    }
74840Sken		}
74840Sken
74840Sken		/* Free the jail's original parameter list and any variables. */
74840Sken		while ((p = TAILQ_FIRST(&opp)))
195534Sscottl			free_param(&opp, p);
235897Smav		TAILQ_FOREACH_SAFE(p, &j->params, tq, tp)
74840Sken			if (p->flags & PF_VAR)
74840Sken				free_param(&j->params, p);
74840Sken	}
74840Sken	while ((wj = TAILQ_FIRST(&wild))) {
74840Sken		free(wj->name);
74840Sken		while ((p = TAILQ_FIRST(&wj->params)))
74840Sken			free_param(&wj->params, p);
74840Sken		TAILQ_REMOVE(&wild, wj, tq);
74840Sken	}
74840Sken}
154593Smjacob
154593Smjacob/*
195534Sscottl * Create a new jail record.
196352Smav */
255915Snwhitehornstruct cfjail *
74840Skenadd_jail(void)
74840Sken{
220644Smav	struct cfjail *j;
220644Smav
220644Smav	j = emalloc(sizeof(struct cfjail));
220644Smav	memset(j, 0, sizeof(struct cfjail));
220644Smav	TAILQ_INIT(&j->params);
220644Smav	STAILQ_INIT(&j->dep[DEP_FROM]);
220644Smav	STAILQ_INIT(&j->dep[DEP_TO]);
220644Smav	j->queue = &cfjails;
154593Smjacob	TAILQ_INSERT_TAIL(&cfjails, j, tq);
154593Smjacob	return j;
154593Smjacob}
154593Smjacob
74840Sken/*
39212Sgibbs * Add a parameter to a jail.
60938Sjake */
60938Sjakevoid
60938Sjakeadd_param(struct cfjail *j, const struct cfparam *p, enum intparam ipnum,
60938Sjake    const char *value)
39212Sgibbs{
39212Sgibbs	struct cfstrings nss;
39212Sgibbs	struct cfparam *dp, *np;
39212Sgibbs	struct cfstring *s, *ns;
39212Sgibbs	struct cfvar *v, *nv;
168752Sscottl	const char *name;
39212Sgibbs	char *cs, *tname;
39212Sgibbs	unsigned flags;
39212Sgibbs
39212Sgibbs	if (j == NULL) {
39212Sgibbs		/* Create a single anonymous jail if one doesn't yet exist. */
39212Sgibbs		j = TAILQ_LAST(&cfjails, cfjails);
39212Sgibbs		if (j == NULL)
39212Sgibbs			j = add_jail();
39212Sgibbs	}
39212Sgibbs	TAILQ_INIT(&nss);
39212Sgibbs	if (p != NULL) {
39212Sgibbs		name = p->name;
255870Sscottl		flags = p->flags;
255870Sscottl		/*
255870Sscottl		 * Make a copy of the parameter's string list,
255870Sscottl		 * which may be freed if it's overridden later.
255870Sscottl		 */
255870Sscottl		TAILQ_FOREACH(s, &p->val, tq) {
39212Sgibbs			ns = emalloc(sizeof(struct cfstring));
130200Sscottl			ns->s = estrdup(s->s);
39212Sgibbs			ns->len = s->len;
39212Sgibbs			STAILQ_INIT(&ns->vars);
130200Sscottl			STAILQ_FOREACH(v, &s->vars, tq) {
39212Sgibbs				nv = emalloc(sizeof(struct cfvar));
39212Sgibbs				nv->name = strdup(v->name);
130200Sscottl				nv->pos = v->pos;
39212Sgibbs				STAILQ_INSERT_TAIL(&ns->vars, nv, tq);
130200Sscottl			}
130200Sscottl			TAILQ_INSERT_TAIL(&nss, ns, tq);
39212Sgibbs		}
39212Sgibbs	} else {
39212Sgibbs		flags = PF_APPEND;
255870Sscottl		if (ipnum != IP__NULL) {
130200Sscottl			name = intparams[ipnum].name;
255870Sscottl			flags |= intparams[ipnum].flags;
39212Sgibbs		} else if ((cs = strchr(value, '='))) {
39212Sgibbs			tname = alloca(cs - value + 1);
255870Sscottl			strlcpy(tname, value, cs - value + 1);
255870Sscottl			name = tname;
255870Sscottl			value = cs + 1;
39212Sgibbs		} else {
39212Sgibbs			name = value;
39212Sgibbs			value = NULL;
39212Sgibbs		}
39212Sgibbs		if (value != NULL) {
195534Sscottl			ns = emalloc(sizeof(struct cfstring));
56145Smjacob			ns->s = estrdup(value);
195534Sscottl			ns->len = strlen(value);
39212Sgibbs			STAILQ_INIT(&ns->vars);
199178Smav			TAILQ_INSERT_TAIL(&nss, ns, tq);
39212Sgibbs		}
39212Sgibbs	}
39212Sgibbs
47412Sgibbs	/* See if this parameter has already been added. */
47412Sgibbs	if (ipnum != IP__NULL)
47412Sgibbs		dp = j->intparams[ipnum];
47412Sgibbs	else
47412Sgibbs		TAILQ_FOREACH(dp, &j->params, tq)
273078Smav			if (!(dp->flags & PF_CONV) && equalopts(dp->name, name))
273078Smav				break;
47412Sgibbs	if (dp != NULL) {
47412Sgibbs		/* Found it - append or replace. */
47412Sgibbs		if (strcmp(dp->name, name)) {
47412Sgibbs			free(dp->name);
47434Sgibbs			dp->name = estrdup(name);
47434Sgibbs		}
47434Sgibbs		if (!(flags & PF_APPEND) || TAILQ_EMPTY(&nss))
47434Sgibbs			free_param_strings(dp);
47434Sgibbs		TAILQ_CONCAT(&dp->val, &nss, tq);
47412Sgibbs		dp->flags |= flags;
47412Sgibbs	} else {
39212Sgibbs		/* Not found - add it. */
39212Sgibbs		np = emalloc(sizeof(struct cfparam));
39212Sgibbs		np->name = estrdup(name);
39212Sgibbs		TAILQ_INIT(&np->val);
39212Sgibbs		TAILQ_CONCAT(&np->val, &nss, tq);
39212Sgibbs		np->flags = flags;
39212Sgibbs		np->gen = 0;
39212Sgibbs		TAILQ_INSERT_TAIL(&j->params, np, tq);
39212Sgibbs		if (ipnum != IP__NULL)
39212Sgibbs			j->intparams[ipnum] = np;
39212Sgibbs		else
39212Sgibbs			for (ipnum = IP__NULL + 1; ipnum < IP_NPARAM; ipnum++)
39212Sgibbs				if (!(intparams[ipnum].flags & PF_CONV) &&
39212Sgibbs				    equalopts(name, intparams[ipnum].name)) {
39212Sgibbs					j->intparams[ipnum] = np;
39212Sgibbs					np->flags |= intparams[ipnum].flags;
39212Sgibbs					break;
39212Sgibbs				}
39212Sgibbs	}
39212Sgibbs}
39212Sgibbs
39212Sgibbs/*
39212Sgibbs * Return if a boolean parameter exists and is true.
39212Sgibbs */
39212Sgibbsint
39212Sgibbsbool_param(const struct cfparam *p)
39212Sgibbs{
39212Sgibbs	const char *cs;
39212Sgibbs
39212Sgibbs	if (p == NULL)
39212Sgibbs		return 0;
39212Sgibbs	cs = strrchr(p->name, '.');
39212Sgibbs	return !strncmp(cs ? cs + 1 : p->name, "no", 2) ^
39212Sgibbs	    (TAILQ_EMPTY(&p->val) ||
39212Sgibbs	     !strcasecmp(TAILQ_LAST(&p->val, cfstrings)->s, "true") ||
39212Sgibbs	     (strtol(TAILQ_LAST(&p->val, cfstrings)->s, NULL, 10)));
39212Sgibbs}
39212Sgibbs
39212Sgibbs/*
39212Sgibbs * Set an integer if a parameter if it exists.
39212Sgibbs */
39212Sgibbsint
223081Sgibbsint_param(const struct cfparam *p, int *ip)
39212Sgibbs{
39212Sgibbs	if (p == NULL || TAILQ_EMPTY(&p->val))
39212Sgibbs		return 0;
223081Sgibbs	*ip = strtol(TAILQ_LAST(&p->val, cfstrings)->s, NULL, 10);
223081Sgibbs	return 1;
223081Sgibbs}
223081Sgibbs
223081Sgibbs/*
39212Sgibbs * Return the string value of a scalar parameter if it exists.
223081Sgibbs */
223081Sgibbsconst char *
223081Sgibbsstring_param(const struct cfparam *p)
223081Sgibbs{
223081Sgibbs	return (p && !TAILQ_EMPTY(&p->val)
223081Sgibbs	    ? TAILQ_LAST(&p->val, cfstrings)->s : NULL);
223081Sgibbs}
223081Sgibbs
39212Sgibbs/*
39212Sgibbs * Check syntax and values of internal parameters.  Set some internal
39212Sgibbs * parameters based on the values of others.
39212Sgibbs */
39212Sgibbsint
39212Sgibbscheck_intparams(struct cfjail *j)
39212Sgibbs{
39212Sgibbs	struct cfparam *p;
39212Sgibbs	struct cfstring *s;
39212Sgibbs	FILE *f;
39212Sgibbs	const char *val;
39212Sgibbs	char *cs, *ep, *ln;
39212Sgibbs	size_t lnlen;
39212Sgibbs	int error;
39212Sgibbs#if defined(INET) || defined(INET6)
39212Sgibbs	struct addrinfo hints;
39212Sgibbs	struct addrinfo *ai0, *ai;
39212Sgibbs	const char *hostname;
39212Sgibbs	int gicode, defif, prefix;
39212Sgibbs#endif
39212Sgibbs#ifdef INET
39212Sgibbs	struct in_addr addr4;
39212Sgibbs	int ip4ok;
39212Sgibbs	char avalue4[INET_ADDRSTRLEN];
39212Sgibbs#endif
39212Sgibbs#ifdef INET6
39212Sgibbs	struct in6_addr addr6;
39212Sgibbs	int ip6ok;
39212Sgibbs	char avalue6[INET6_ADDRSTRLEN];
39212Sgibbs#endif
39212Sgibbs
39212Sgibbs	error = 0;
39212Sgibbs	/* Check format of boolan and integer values. */
39212Sgibbs	TAILQ_FOREACH(p, &j->params, tq) {
39212Sgibbs		if (!TAILQ_EMPTY(&p->val) && (p->flags & (PF_BOOL | PF_INT))) {
39212Sgibbs			val = TAILQ_LAST(&p->val, cfstrings)->s;
39212Sgibbs			if (p->flags & PF_BOOL) {
39212Sgibbs				if (strcasecmp(val, "false") &&
39212Sgibbs				    strcasecmp(val, "true") &&
39212Sgibbs				    ((void)strtol(val, &ep, 10), *ep)) {
39212Sgibbs					jail_warnx(j,
39212Sgibbs					    "%s: unknown boolean value \"%s\"",
39212Sgibbs					    p->name, val);
39212Sgibbs					error = -1;
46581Sken				}
46581Sken			} else {
46581Sken				(void)strtol(val, &ep, 10);
46581Sken				if (ep == val || *ep) {
46581Sken					jail_warnx(j,
39212Sgibbs					    "%s: non-integer value \"%s\"",
39212Sgibbs					    p->name, val);
39212Sgibbs					error = -1;
39212Sgibbs				}
195534Sscottl			}
39212Sgibbs		}
195534Sscottl	}
46581Sken
39212Sgibbs#if defined(INET) || defined(INET6)
39212Sgibbs	/*
39212Sgibbs	 * The ip_hostname parameter looks up the hostname, and adds parameters
39212Sgibbs	 * for any IP addresses it finds.
39212Sgibbs	 */
39212Sgibbs	if (((j->flags & JF_OP_MASK) != JF_STOP ||
39212Sgibbs	    j->intparams[IP_INTERFACE] != NULL) &&
39212Sgibbs	    bool_param(j->intparams[IP_IP_HOSTNAME]) &&
39212Sgibbs	    (hostname = string_param(j->intparams[KP_HOST_HOSTNAME]))) {
39212Sgibbs		j->intparams[IP_IP_HOSTNAME] = NULL;
39212Sgibbs		/*
39212Sgibbs		 * Silently ignore unsupported address families from
39212Sgibbs		 * DNS lookups.
39212Sgibbs		 */
39212Sgibbs#ifdef INET
39212Sgibbs		ip4ok = feature_present("inet");
39212Sgibbs#endif
39212Sgibbs#ifdef INET6
39212Sgibbs		ip6ok = feature_present("inet6");
39212Sgibbs#endif
39212Sgibbs		if (
39212Sgibbs#if defined(INET) && defined(INET6)
39212Sgibbs		    ip4ok || ip6ok
39212Sgibbs#elif defined(INET)
39212Sgibbs		    ip4ok
39212Sgibbs#elif defined(INET6)
39212Sgibbs		    ip6ok
39212Sgibbs#endif
39212Sgibbs			 ) {
39212Sgibbs			/* Look up the hostname (or get the address) */
39212Sgibbs			memset(&hints, 0, sizeof(hints));
39212Sgibbs			hints.ai_socktype = SOCK_STREAM;
39212Sgibbs			hints.ai_family =
39212Sgibbs#if defined(INET) && defined(INET6)
39212Sgibbs			    ip4ok ? (ip6ok ? PF_UNSPEC : PF_INET) :  PF_INET6;
39212Sgibbs#elif defined(INET)
39212Sgibbs			    PF_INET;
39212Sgibbs#elif defined(INET6)
39212Sgibbs			    PF_INET6;
39212Sgibbs#endif
39212Sgibbs			gicode = getaddrinfo(hostname, NULL, &hints, &ai0);
39212Sgibbs			if (gicode != 0) {
39212Sgibbs				jail_warnx(j, "host.hostname %s: %s", hostname,
39212Sgibbs				    gai_strerror(gicode));
39212Sgibbs				error = -1;
39212Sgibbs			} else {
39212Sgibbs				/*
39212Sgibbs				 * Convert the addresses to ASCII so jailparam
39212Sgibbs				 * can convert them back.  Errors are not
39212Sgibbs				 * expected here.
39212Sgibbs				 */
39212Sgibbs				for (ai = ai0; ai; ai = ai->ai_next)
39212Sgibbs					switch (ai->ai_family) {
39212Sgibbs#ifdef INET
39212Sgibbs					case AF_INET:
39212Sgibbs						memcpy(&addr4,
39212Sgibbs						    &((struct sockaddr_in *)
39212Sgibbs						    (void *)ai->ai_addr)->
39212Sgibbs						    sin_addr, sizeof(addr4));
39212Sgibbs						if (inet_ntop(AF_INET,
39212Sgibbs						    &addr4, avalue4,
39212Sgibbs						    INET_ADDRSTRLEN) == NULL)
39212Sgibbs							err(1, "inet_ntop");
39212Sgibbs						add_param(j, NULL, KP_IP4_ADDR,
39212Sgibbs						    avalue4);
39212Sgibbs						break;
39212Sgibbs#endif
39212Sgibbs#ifdef INET6
39212Sgibbs					case AF_INET6:
39212Sgibbs						memcpy(&addr6,
39212Sgibbs						    &((struct sockaddr_in6 *)
39212Sgibbs						    (void *)ai->ai_addr)->
39212Sgibbs						    sin6_addr, sizeof(addr6));
255870Sscottl						if (inet_ntop(AF_INET6,
39212Sgibbs						    &addr6, avalue6,
39212Sgibbs						    INET6_ADDRSTRLEN) == NULL)
39212Sgibbs							err(1, "inet_ntop");
39212Sgibbs						add_param(j, NULL, KP_IP6_ADDR,
39212Sgibbs						    avalue6);
39212Sgibbs						break;
39212Sgibbs#endif
195534Sscottl					}
39212Sgibbs				freeaddrinfo(ai0);
53258Sken			}
39212Sgibbs		}
39212Sgibbs	}
39212Sgibbs
39212Sgibbs	/*
39212Sgibbs	 * IP addresses may include an interface to set that address on,
39212Sgibbs	 * and a netmask/suffix for that address.
39212Sgibbs	 */
39212Sgibbs	defif = string_param(j->intparams[IP_INTERFACE]) != NULL;
53258Sken#ifdef INET
39212Sgibbs	if (j->intparams[KP_IP4_ADDR] != NULL) {
39212Sgibbs		TAILQ_FOREACH(s, &j->intparams[KP_IP4_ADDR]->val, tq) {
39212Sgibbs			cs = strchr(s->s, '|');
255870Sscottl			if (cs || defif)
39212Sgibbs				add_param(j, NULL, IP__IP4_IFADDR, s->s);
39212Sgibbs			if (cs) {
41644Sgibbs				strcpy(s->s, cs + 1);
118105Snjl				s->len -= cs + 1 - s->s;
159311Smjacob			}
248519Skib			if ((cs = strchr(s->s, '/'))) {
248519Skib				prefix = strtol(cs + 1, &ep, 10);
253549Sken				if (*ep == '.'
39212Sgibbs				    ? inet_pton(AF_INET, cs + 1, &addr4) != 1
39212Sgibbs				    : *ep || prefix < 0 || prefix > 32) {
39212Sgibbs					jail_warnx(j,
74840Sken					    "ip4.addr: bad netmask \"%s\"", cs);
74840Sken					error = -1;
74840Sken				}
196008Smjacob				*cs = '\0';
77708Smjacob				s->len = cs - s->s;
77708Smjacob			}
77708Smjacob		}
77708Smjacob	}
77708Smjacob#endif
77708Smjacob#ifdef INET6
196008Smjacob	if (j->intparams[KP_IP6_ADDR] != NULL) {
154593Smjacob		TAILQ_FOREACH(s, &j->intparams[KP_IP6_ADDR]->val, tq) {
154593Smjacob			cs = strchr(s->s, '|');
154593Smjacob			if (cs || defif)
77708Smjacob				add_param(j, NULL, IP__IP6_IFADDR, s->s);
74840Sken			if (cs) {
39212Sgibbs				strcpy(s->s, cs + 1);
39212Sgibbs				s->len -= cs + 1 - s->s;
39212Sgibbs			}
39212Sgibbs			if ((cs = strchr(s->s, '/'))) {
255870Sscottl				prefix = strtol(cs + 1, &ep, 10);
255870Sscottl				if (*ep || prefix < 0 || prefix > 128) {
39212Sgibbs					jail_warnx(j,
39212Sgibbs					    "ip6.addr: bad prefixlen \"%s\"",
39212Sgibbs					    cs);
39212Sgibbs					error = -1;
39212Sgibbs				}
39212Sgibbs				*cs = '\0';
39212Sgibbs				s->len = cs - s->s;
39212Sgibbs			}
39212Sgibbs		}
39212Sgibbs	}
39212Sgibbs#endif
39212Sgibbs#endif
39212Sgibbs
46581Sken	/*
74840Sken	 * Read mount.fstab file(s), and treat each line as its own mount
74840Sken	 * parameter.
74840Sken	 */
74840Sken	if (j->intparams[IP_MOUNT_FSTAB] != NULL) {
74840Sken		TAILQ_FOREACH(s, &j->intparams[IP_MOUNT_FSTAB]->val, tq) {
74840Sken			if (s->len == 0)
77708Smjacob				continue;
154593Smjacob			f = fopen(s->s, "r");
77708Smjacob			if (f == NULL) {
74840Sken				jail_warnx(j, "mount.fstab: %s: %s",
195534Sscottl				    s->s, strerror(errno));
210471Smav				error = -1;
210471Smav				continue;
210471Smav			}
210471Smav			while ((ln = fgetln(f, &lnlen))) {
39212Sgibbs				if ((cs = memchr(ln, '#', lnlen - 1)))
39212Sgibbs					lnlen = cs - ln + 1;
47412Sgibbs				if (ln[lnlen - 1] == '\n' ||
47412Sgibbs				    ln[lnlen - 1] == '#')
47412Sgibbs					ln[lnlen - 1] = '\0';
47412Sgibbs				else {
47412Sgibbs					cs = alloca(lnlen + 1);
47412Sgibbs					strlcpy(cs, ln, lnlen + 1);
216088Sken					ln = cs;
216088Sken				}
216088Sken				add_param(j, NULL, IP__MOUNT_FROM_FSTAB, ln);
216088Sken			}
216088Sken			fclose(f);
216088Sken		}
216088Sken	}
216088Sken	if (error)
216088Sken		failed(j);
216088Sken	return error;
216088Sken}
216088Sken
216088Sken/*
216088Sken * Import parameters into libjail's binary jailparam format.
216088Sken */
216088Skenint
216088Skenimport_params(struct cfjail *j)
216088Sken{
216088Sken	struct cfparam *p;
216088Sken	struct cfstring *s, *ts;
216088Sken	struct jailparam *jp;
216088Sken	char *value, *cs;
216088Sken	size_t vallen;
216088Sken	int error;
216088Sken
216088Sken	error = 0;
39212Sgibbs	j->njp = 0;
39212Sgibbs	TAILQ_FOREACH(p, &j->params, tq)
39212Sgibbs		if (!(p->flags & PF_INTERNAL))
39212Sgibbs			j->njp++;
39212Sgibbs	j->jp = jp = emalloc(j->njp * sizeof(struct jailparam));
39212Sgibbs	TAILQ_FOREACH(p, &j->params, tq) {
39212Sgibbs		if (p->flags & PF_INTERNAL)
39212Sgibbs			continue;
39212Sgibbs		if (jailparam_init(jp, p->name) < 0) {
39212Sgibbs			error = -1;
39212Sgibbs			jail_warnx(j, "%s", jail_errmsg);
39212Sgibbs			jp++;
39212Sgibbs			continue;
39212Sgibbs		}
39212Sgibbs		if (TAILQ_EMPTY(&p->val))
39212Sgibbs			value = NULL;
39212Sgibbs		else if (!jp->jp_elemlen ||
39212Sgibbs			 !TAILQ_NEXT(TAILQ_FIRST(&p->val), tq)) {
39212Sgibbs			/*
39212Sgibbs			 * Scalar parameters silently discard multiple (array)
39212Sgibbs			 * values, keeping only the last value added.  This
39212Sgibbs			 * lets values added from the command line append to
39212Sgibbs			 * arrays wthout pre-checking the type.
39212Sgibbs			 */
39212Sgibbs			value = TAILQ_LAST(&p->val, cfstrings)->s;
39212Sgibbs		} else {
39212Sgibbs			/*
39212Sgibbs			 * Convert arrays into comma-separated strings, which
39212Sgibbs			 * jailparam_import will then convert back into arrays.
39212Sgibbs			 */
39212Sgibbs			vallen = 0;
39212Sgibbs			TAILQ_FOREACH(s, &p->val, tq)
39212Sgibbs				vallen += s->len + 1;
39212Sgibbs			value = alloca(vallen);
39212Sgibbs			cs = value;
39212Sgibbs			TAILQ_FOREACH_SAFE(s, &p->val, tq, ts) {
39212Sgibbs				memcpy(cs, s->s, s->len);
40417Sgibbs				cs += s->len + 1;
40417Sgibbs				cs[-1] = ',';
40417Sgibbs			}
40417Sgibbs			value[vallen - 1] = '\0';
40417Sgibbs		}
40417Sgibbs		if (jailparam_import(jp, value) < 0) {
49925Sgibbs			error = -1;
49925Sgibbs			jail_warnx(j, "%s", jail_errmsg);
39212Sgibbs		}
39212Sgibbs		jp++;
312850Smav	}
312850Smav	if (error) {
312850Smav		jailparam_free(j->jp, j->njp);
312850Smav		free(j->jp);
312850Smav		j->jp = NULL;
312850Smav		failed(j);
312850Smav	}
195534Sscottl	return error;
195534Sscottl}
195534Sscottl
195534Sscottl/*
195534Sscottl * Check if options are equal (with or without the "no" prefix).
195534Sscottl */
195534Sscottlint
195534Sscottlequalopts(const char *opt1, const char *opt2)
195534Sscottl{
195534Sscottl	char *p;
195534Sscottl
195534Sscottl	/* "opt" vs. "opt" or "noopt" vs. "noopt" */
195534Sscottl	if (strcmp(opt1, opt2) == 0)
195534Sscottl		return (1);
195534Sscottl	/* "noopt" vs. "opt" */
195534Sscottl	if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
195534Sscottl		return (1);
195534Sscottl	/* "opt" vs. "noopt" */
195534Sscottl	if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
195534Sscottl		return (1);
195534Sscottl	while ((p = strchr(opt1, '.')) != NULL &&
195534Sscottl	    !strncmp(opt1, opt2, ++p - opt1)) {
39212Sgibbs		opt2 += p - opt1;
39212Sgibbs		opt1 = p;
39212Sgibbs		/* "foo.noopt" vs. "foo.opt" */
39212Sgibbs		if (strncmp(opt1, "no", 2) == 0 && strcmp(opt1 + 2, opt2) == 0)
39212Sgibbs			return (1);
56145Smjacob		/* "foo.opt" vs. "foo.noopt" */
55328Smjacob		if (strncmp(opt2, "no", 2) == 0 && strcmp(opt1, opt2 + 2) == 0)
55328Smjacob			return (1);
56145Smjacob	}
39212Sgibbs	return (0);
39212Sgibbs}
312845Smav
312845Smav/*
312845Smav * See if a jail name matches a wildcard.
312845Smav */
312845Smavint
312845Smavwild_jail_match(const char *jname, const char *wname)
312845Smav{
39212Sgibbs	const char *jc, *jd, *wc, *wd;
39212Sgibbs
39212Sgibbs	/*
39212Sgibbs	 * A non-final "*" component in the wild name matches a single jail
39212Sgibbs	 * component, and a final "*" matches one or more jail components.
39212Sgibbs	 */
39212Sgibbs	for (jc = jname, wc = wname;
39212Sgibbs	     (jd = strchr(jc, '.')) && (wd = strchr(wc, '.'));
39212Sgibbs	     jc = jd + 1, wc = wd + 1)
203108Smav		if (strncmp(jc, wc, jd - jc + 1) && strncmp(wc, "*.", 2))
39212Sgibbs			return 0;
39212Sgibbs	return (!strcmp(jc, wc) || !strcmp(wc, "*"));
39212Sgibbs}
39212Sgibbs
39212Sgibbs/*
39212Sgibbs * Return if a jail name is a wildcard.
39212Sgibbs */
238886Smavint
223081Sgibbswild_jail_name(const char *wname)
196008Smjacob{
39212Sgibbs	const char *wc;
39212Sgibbs
39212Sgibbs	for (wc = strchr(wname, '*'); wc; wc = strchr(wc + 1, '*'))
39212Sgibbs		if ((wc == wname || wc[-1] == '.') &&
39212Sgibbs		    (wc[1] == '\0' || wc[1] == '.'))
39212Sgibbs			return 1;
39212Sgibbs	return 0;
39212Sgibbs}
39212Sgibbs
39212Sgibbs/*
39212Sgibbs * Free a parameter record and all its strings and variables.
39212Sgibbs */
39212Sgibbsstatic void
39212Sgibbsfree_param(struct cfparams *pp, struct cfparam *p)
39212Sgibbs{
39212Sgibbs	free(p->name);
196008Smjacob	free_param_strings(p);
196008Smjacob	TAILQ_REMOVE(pp, p, tq);
196008Smjacob	free(p);
196008Smjacob}
196008Smjacob
196008Smjacobstatic void
196008Smjacobfree_param_strings(struct cfparam *p)
196008Smjacob{
196008Smjacob	struct cfstring *s;
196008Smjacob	struct cfvar *v;
196008Smjacob
196008Smjacob	while ((s = TAILQ_FIRST(&p->val))) {
196008Smjacob		free(s->s);
196008Smjacob		while ((v = STAILQ_FIRST(&s->vars))) {
196008Smjacob			free(v->name);
196008Smjacob			STAILQ_REMOVE_HEAD(&s->vars, tq);
196008Smjacob			free(v);
196008Smjacob		}
196008Smjacob		TAILQ_REMOVE(&p->val, s, tq);
196008Smjacob		free(s);
39212Sgibbs	}
39212Sgibbs}
39212Sgibbs