Page MenuHomeFreeBSD
Differential D40188

Add ".include" directive to jail.conf
ClosedPublic
Actions

Authored by jamie on May 21 2023, 12:14 AM.
Tags
Referenced Files
F108397314: D40188.id122175.diff
Fri, Jan 24, 11:22 AM
Unknown Object (File)
Wed, Jan 1, 6:51 PM
Unknown Object (File)
Dec 25 2024, 3:29 AM
Unknown Object (File)
Dec 8 2024, 1:43 PM
Unknown Object (File)
Dec 6 2024, 3:09 AM
Unknown Object (File)
Dec 6 2024, 2:07 AM
Unknown Object (File)
Nov 27 2024, 9:43 PM
Unknown Object (File)
Oct 18 2024, 8:57 AM
View All Files
Subscribers
agh_riseup.net
antranigv_freebsd.am
crest_freebsd_rlwinm.de
dvl
emaste
guest-patmaddox
ihor_antonovs.family
View All 10 Subscribers

Details

Reviewers
antranigv_freebsd.am
Group Reviewers
Jails
Commits
rGe82a62943529: jail: add ".include" directive to jail.conf
Summary

Allow jail config files to include other files, via the ".include" directive (the leading dot is to ensure it doesn't clash with jail or parameter names). The include filename may be a glob, which allowed for config dirfectories such as /etc/jail.conf.d.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

jamie created this revision.May 21 2023, 12:14 AM
Herald added a subscriber: imp. · View Herald TranscriptMay 21 2023, 12:14 AM
jamie requested review of this revision.May 21 2023, 12:14 AM
jamie mentioned this in D39011: Enable jail(8) to parse all config files.May 21 2023, 12:23 AM
agh_riseup.net added a subscriber: agh_riseup.net.May 21 2023, 12:37 AM
ihor_antonovs.family added a subscriber: ihor_antonovs.family.May 21 2023, 12:38 AM

@jamie please re-generate the diff with -U9999 and re-upload it. This is necessary to have context available. (Annoying Phab limitation when diffs are uploaded manually)

Example:

git diff -U99999 | wl-copy
jamie updated this revision to Diff 122177.May 21 2023, 12:46 AM

New and improved diff :-)

ihor_antonovs.family added a comment.May 21 2023, 1:01 AM

I like this approach.
It blurs the line between UCL and jail format (IMHO making future transition to UCL smoother), and makes include more explicit (and less magical comparing to D40188)

The I have not read the code thoughtfully yet, will do so over the next day or two.

meka_tilda.center added a comment.May 21 2023, 7:49 AM

I you use git format-patch -1 -U9999 and apply it with git am <patch>, you get the whole commit with the message. Not strictly needed, but makes life easier.

usr.sbin/jail/config.c
274

Initialize all glob_t vars to zero/NULL.

guest-patmaddox added a subscriber: guest-patmaddox.May 21 2023, 5:02 PM
otis added a subscriber: otis.May 22 2023, 11:12 AM

Haven't looked closely yet, but: are circular includes handled correctly?

dvl added a subscriber: dvl.May 22 2023, 11:03 PM
In D40188#915159, @otis wrote:

Haven't looked closely yet, but: are circular includes handled correctly?

This is what I came here to ask.

ihor_antonovs.family added a comment.May 23 2023, 1:00 AM
In D40188#915660, @dvl wrote:
In D40188#915159, @otis wrote:

Haven't looked closely yet, but: are circular includes handled correctly?

This is what I came here to ask.

Theoretically this is easy to handle. All it takes is a map/list of absolute file paths that the parser has already seen. If a new path encountered - include, if a known one encountered - skip.

ihor_antonovs.family added a comment.May 23 2023, 1:04 AM

It doesn't look like the patch in it's current state handles this circular includes.

usr.sbin/jail/config.c
295

Checking if the file was already included would need to happen somewhere here.

jamie added a comment.May 23 2023, 3:45 AM

True, they're not handled. I took my include inspiration from newsyslog (which has includes that also support globbing), and there it's also just a simple matter or running whatever it's told to include. It's kind of a footgun situation, where it's generally good enough to trust the administrator not to make such a loop. I did it for depend loops, but only because that's kind of elemental in building an acyclic directed graph.

I imagine it wouldn't be incredibly hard to handle, though it's a bit more than just tracking filenames, since I do at least a cursory job of resolving relative names, and because the same file may be included in different contexts (within different jails). But hashing a jail/dev/inode tuple might do the trick.

jamie updated this revision to Diff 122676.May 31 2023, 7:05 PM

Simple include-loop prevention with via a maximum depth counter.

crest_freebsd_rlwinm.de added a subscriber: crest_freebsd_rlwinm.de.Jun 1 2023, 11:49 AM

Just a small nitpick: I would prefer a macro #define MAX_INCLUDE_DEPTH 32 or constant static const unsigned int max_include_depth = 32; somewhere above the include_config() in config.c instead of the literal to improve readability.

jamie added a comment.Jun 1 2023, 2:58 PM
In D40188#919081, @crest_freebsd_rlwinm.de wrote:

Just a small nitpick: I would prefer a macro #define MAX_INCLUDE_DEPTH 32

True, let's not let bad habits creep in.

ihor_antonovs.family mentioned this in D38826: Fix multiple rc.d/jail and jail.conf.d issues.Jun 4 2023, 12:34 AM
jamie updated this revision to Diff 122817.Jun 4 2023, 4:29 AM

I've committed the "jails can include jails" and "use the recursive parser" bits separately. This new diff is just the part that handles the includes.

jamie marked an inline comment as done.Jun 4 2023, 4:29 AM
jamie marked an inline comment as done.Jun 7 2023, 12:16 AM
jamie accepted this revision as: Jails.Jun 7 2023, 12:23 AM

Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/

antranigv_freebsd.am accepted this revision.Oct 16 2023, 12:28 PM
antranigv_freebsd.am added a subscriber: antranigv_freebsd.am.
In D40188#920799, @jamie wrote:

Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/

In that case, I guess we have to mark it as "Accept Revision"?

This revision is now accepted and ready to land.Oct 16 2023, 12:28 PM
antranigv_freebsd.am closed this revision.Oct 16 2023, 12:30 PM

Oh and we also have to close it, because it did land! ugh Phabricator is very Project-Management-y :)

emaste added a subscriber: emaste.Oct 16 2023, 1:59 PM
In D40188#920799, @jamie wrote:

Commited in eb5bfdd06565. I forgot to add the review to the commit message :-/

eb5bfdd06565 is tcp: Add and update cubic module variable names

This should be e82a62943529d1a7c1fcec39aec13eba69c671d6 I think?

emaste added a commit: rGe82a62943529: jail: add ".include" directive to jail.conf.Oct 16 2023, 1:59 PM

Revision Contents
Changeset List

PathSize
usr.sbin/
jail/
86 lines
17 lines
27 lines
47 lines

Diff 122817

View Options

usr.sbin/jail/config.c

Loading...
View Options

usr.sbin/jail/jail.conf.5

Loading...
View Options

usr.sbin/jail/jailp.h

Loading...
View Options

usr.sbin/jail/jailparse.y

Loading...