#!/bin/bash
# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by scripts/Create-CopyPatch.
#
# T2 SDE: misc/jailing/jail-functions
# Copyright (C) 2004 - 2020 The T2 SDE Project
# Copyright (C) 1998 - 2003 ROCK Linux Project
#
# More information can be found in the files COPYING and README.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License. A copy of the
# GNU General Public License can be found in the file COPYING.
# --- T2-COPYRIGHT-NOTE-END ---
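#######################################
# Collect the shared libraries needed by the executables below a jail tree
# and merge them into a library list file.
# Arguments:
#   $1 - directory tree to search for executable files (usually $jail);
#        its home/ subtree is skipped
#   $2 - library list file; existing entries are kept, the result is
#        sorted and de-duplicated
# Returns: non-zero if the temporary file cannot be created
#######################################
jail_lib_needed() {
  local tree=$1 list=$2 tmplib

  tmplib=$(mktemp) || return 1
  cp -- "$list" "$tmplib"

  # Using ldd is not perfect, but it is simple and usually works; extra
  # libs and bins can be hand added in specific_postmake.
  # NOTE(review): ldd can end up executing code from the file it inspects
  # (see the security note in ldd(1)), so only point this at trees whose
  # contents are trusted.
  #
  # -perm /111 replaces the old "+111" spelling, which current GNU find
  # rejects. Only "name => /path" lines yield a path: "not found" entries,
  # "statically linked" and the loader's own line (it has no "=>") are
  # skipped, while libraries whose name merely contains "not" are kept.
  # Lines that mention the tree itself are already inside the jail.
  find "$tree" -path "$tree/home" -prune -o -perm /111 -type f \
    -exec ldd {} \; |
    grep -vF -- "$tree" |
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' >> "$tmplib"

  # Always needed: the NSS modules are loaded at run time, so ldd never
  # reports them.
  printf '%s\n' /lib/libnss_files.so.2 /lib/libnss_dns.so.2 >> "$tmplib"

  # Sorting to remove the (very many) duplicates.
  sort -u -- "$tmplib" > "$list"

  rm -f -- "$tmplib"
}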
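#######################################
# Create the base directory tree, the device nodes and a minimal etc
# configuration of the jail. Anything that already exists is left alone.
# Globals:   root, jail, docdir (read)
# Arguments: none
#######################################
jail_create() {
  local jaildir="$root/$jail" sub

  ### Pseudo 00-dirtree

  # bin holds external binaries, lib external libraries.
  for sub in bin lib etc var tmp; do
    [ -e "$jaildir/$sub" ] || mkdir -p "$jaildir/$sub"
  done
  # World-writable, with the sticky bit set.
  chmod 1777 "$jaildir/tmp"

  # Only null, random and urandom are created. mknod needs root (or
  # CAP_MKNOD); every further device node would widen what a process
  # inside the jail can reach.
  [ -e "$jaildir/dev" ] || mkdir -p "$jaildir/dev"
  [ -e "$jaildir/dev/null" ] || mknod -m 666 "$jaildir/dev/null" c 1 3
  [ -e "$jaildir/dev/random" ] || mknod -m 444 "$jaildir/dev/random" c 1 8
  [ -e "$jaildir/dev/urandom" ] || mknod -m 444 "$jaildir/dev/urandom" c 1 9

  [ -e "$root/$docdir" ] || mkdir -p "$root/$docdir"

  ### END Pseudo 00-dirtree

  ### Make some base etc configuration if not already present

  if [ ! -f "$jaildir/etc/ld.so.conf" ]; then
    printf '%s\n' /lib /usr/lib > "$jaildir/etc/ld.so.conf"
  fi

  if [ ! -f "$jaildir/etc/nsswitch.conf" ]; then
    printf '%s\n' \
      'passwd: files' \
      'group: files' \
      'shadow: files' \
      'hosts: files dns' > "$jaildir/etc/nsswitch.conf"
  fi

  ### END Make some base etc configuration
}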
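#######################################
# Copy the libraries needed by the jail's executables into $root/$jail/lib
# if they are not already present, then rebuild the jail's linker cache.
# Globals:   root, jail, SDECFG_JAILING_LIBSAFE, pkg_libsafe_support (read)
# Arguments: none
# Returns:   non-zero if the temporary file cannot be created, otherwise
#            the status of ldconfig
#######################################
jail_copy_needed_libs() {
  local jaildir="$root/$jail" tmp lib
  local -r libsafe=/lib/libsafe.so.2

  tmp=$(mktemp) || return 1
  jail_lib_needed "$jaildir" "$tmp"

  if [ "$SDECFG_JAILING_LIBSAFE" = 1 ] &&
    [ "$pkg_libsafe_support" = 1 ]; then
    printf '%s\n' "$libsafe" >> "$tmp"
    # Register the preload only once.
    grep -qF -- "$libsafe" "$jaildir/etc/ld.so.preload" 2>/dev/null ||
      printf '%s\n' "$libsafe" >> "$jaildir/etc/ld.so.preload"
  fi

  # Entries that mention the jail path are not copied. Libraries land flat
  # in lib/ under their base name, so the first one with a given name wins.
  # These are copies of the host files as they are now; they do not follow
  # later updates of the host libraries.
  grep -vF -- "$jail" "$tmp" | while IFS= read -r lib; do
    [ -n "$lib" ] || continue
    [ -f "$jaildir/lib/${lib##*/}" ] || cp -vf -- "$lib" "$jaildir/lib"
  done
  rm -f -- "$tmp"

  ldconfig -r "$jaildir"
}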
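#######################################
# Ensure the given users are present in the jail's passwd file. Missing
# users are copied from the host /etc/passwd, and the group of each copied
# entry (field 4) is handed to jail_ensure_gids.
# Globals:   root, jail (read); nothing is done when jail is empty
# Arguments: user names
# Returns:   0
#######################################
jail_ensure_users() {
  local user_name entry gids jail_passwd

  [ -n "$jail" ] || return 0
  jail_passwd="$root/$jail/etc/passwd"

  for user_name in "$@"; do
    # The login field is compared as a plain string, so a name containing
    # regex metacharacters cannot match some other account.
    if awk -F: -v name="$user_name" \
      '$1 "" == name "" { found = 1; exit } END { exit !found }' \
      "$jail_passwd" 2>/dev/null; then
      continue
    fi

    # Add user to jail.
    # NOTE(review): the host line is copied verbatim, so home directory,
    # shell and the password field come along; on a host that keeps hashes
    # in /etc/passwd instead of a shadow file that includes the hash.
    entry=$(awk -F: -v name="$user_name" '$1 "" == name ""' /etc/passwd) || true
    [ -n "$entry" ] || continue
    printf '%s\n' "$entry" >> "$jail_passwd"

    gids=$(printf '%s\n' "$entry" | cut -d: -f4)
    # One gid per copied line; split on purpose.
    # shellcheck disable=SC2086
    jail_ensure_gids $gids
  done
  return 0
}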
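#######################################
# Ensure the given groups are present in the jail's group file. Missing
# groups are copied from the host /etc/group.
# Globals:   root, jail (read); nothing is done when jail is empty
# Arguments: group names
# Returns:   0
#######################################
jail_ensure_groups() {
  local group_name entry jail_group

  [ -n "$jail" ] || return 0
  jail_group="$root/$jail/etc/group"

  for group_name in "$@"; do
    # The name field is compared as a plain string, so a name containing
    # regex metacharacters cannot match some other group.
    if awk -F: -v name="$group_name" \
      '$1 "" == name "" { found = 1; exit } END { exit !found }' \
      "$jail_group" 2>/dev/null; then
      continue
    fi

    # Add group to jail. The host line is copied verbatim, so its member
    # list becomes readable inside the jail as well.
    entry=$(awk -F: -v name="$group_name" '$1 "" == name ""' /etc/group) || true
    [ -n "$entry" ] || continue
    printf '%s\n' "$entry" >> "$jail_group"
  done
  return 0
}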
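#######################################
# Ensure the groups with the given numeric gids are present in the jail's
# group file. Missing ones are copied from the host /etc/group.
# Globals:   root, jail (read); nothing is done when jail is empty
# Arguments: numeric group ids
# Returns:   0
#######################################
jail_ensure_gids() {
  local gid entry jail_group

  [ -n "$jail" ] || return 0
  jail_group="$root/$jail/etc/group"

  for gid in "$@"; do
    # Only the gid field (field 3) is compared, as a plain string; a
    # pattern such as ":$gid:" could also hit other fields or, with regex
    # metacharacters in the argument, unrelated lines.
    if awk -F: -v id="$gid" \
      '$3 "" == id "" { found = 1; exit } END { exit !found }' \
      "$jail_group" 2>/dev/null; then
      continue
    fi

    # Add group to jail.
    entry=$(awk -F: -v id="$gid" '$3 "" == id ""' /etc/group) || true
    [ -n "$entry" ] || continue
    printf '%s\n' "$entry" >> "$jail_group"
  done
  return 0
}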
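#######################################
# Set 'confopt' and the directory variables used for configuring a package.
# With destvar set the paths point below $root, otherwise below the jail
# in $root/$jail.
# Globals read:    root, jail, pkg, destvar, SDECFG_CONFIGURE_OPTS,
#                  SDECFG_DEBUG, SDECFG_DISABLE_NLS
# Globals written: prefix, sysconfdir, localstatedir, bindir, sbindir,
#                  libdir, docdir, datadir, infodir, mandir, includedir,
#                  confopt
# Arguments: none
#######################################
jail_set_confopt() {
  if [ "$destvar" ]; then
    prefix="$root/usr"
    sysconfdir="$root/etc"
    localstatedir="$root/var"
  else
    prefix="$root/$jail/usr"
    sysconfdir="$root/$jail/etc"
    localstatedir="$root/$jail/var"
  fi

  bindir="$prefix/bin"
  sbindir="$prefix/sbin"
  libdir="$prefix/lib"
  docdir="$prefix/doc/$pkg"
  datadir="$prefix/share"
  infodir="$prefix/info"
  mandir="$prefix/man"
  # NOTE(review): unlike the other directories this one is not below
  # $prefix or the jail - confirm that is intended.
  includedir="$root/include"

  # Apart from --prefix the options keep a literal "$name"; presumably the
  # caller expands confopt later, so changes made to those variables after
  # this call still take effect - verify against the caller.
  confopt="--prefix=$prefix"
  confopt="$confopt --bindir=\$bindir"
  confopt="$confopt --sbindir=\$sbindir"
  confopt="$confopt --libdir=\$libdir"
  confopt="$confopt --datadir=\$datadir"
  confopt="$confopt --infodir=\$infodir"
  confopt="$confopt --mandir=\$mandir"
  confopt="$confopt --sysconfdir=\$sysconfdir"
  confopt="$confopt --localstatedir=\$localstatedir"
  confopt="$confopt --includedir=\$includedir"

  if [ "$SDECFG_CONFIGURE_OPTS" ]; then
    confopt="$confopt $SDECFG_CONFIGURE_OPTS"
  fi

  if [ "$SDECFG_DEBUG" = 0 ]; then
    confopt="$confopt --disable-debug"
  else
    confopt="$confopt --enable-debug"
  fi

  # Outside the native stage, or when NLS is disabled, drop any
  # --enable-nls collected so far and disable it explicitly.
  if ! atstage native || [ "$SDECFG_DISABLE_NLS" = 1 ]; then
    confopt="${confopt//--enable-nls/} --disable-nls"
  fi

  confopt="$confopt \$extraconfopt"
  confopt="$confopt --build=\$arch_build --host=\$arch_target"
}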