git: 46f18ecf8d3c - main - rc: Use check_jail to check values of security.jail MIBs

Sat, 12 Jul 2025 09:24:34 -0700 

The branch main has been updated by 0mp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=46f18ecf8d3cdda1cd433841c44a4c1268ab9721

commit 46f18ecf8d3cdda1cd433841c44a4c1268ab9721
Author:     Mateusz Piotrowski <0...@freebsd.org>
AuthorDate: 2025-07-12 16:20:32 +0000
Commit:     Mateusz Piotrowski <0...@freebsd.org>
CommitDate: 2025-07-12 16:20:32 +0000

    rc: Use check_jail to check values of security.jail MIBs
    
    PR:             282404
    Reviewed by:    markj, netchild
    Approved by:    markj (mentor)
    MFC after:      2 weeks
    Event:          Berlin Hackathon 202507
    Differential Revision:  https://reviews.freebsd.org/D47329
---
 libexec/rc/rc            | 4 ++--
 libexec/rc/rc.d/hostname | 4 ++--
 libexec/rc/rc.d/routing  | 2 +-
 libexec/rc/rc.d/zfs      | 8 ++++----
 libexec/rc/rc.d/zfsbe    | 2 +-
 libexec/rc/rc.shutdown   | 4 ++--
 libexec/rc/rc.subr       | 2 +-
 7 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/libexec/rc/rc b/libexec/rc/rc
index 5ed47d6eac20..db3c3e20ab44 100644
--- a/libexec/rc/rc
+++ b/libexec/rc/rc
@@ -83,9 +83,9 @@ fi
 trap "_rc_conf_loaded=false; load_rc_config" ALRM
 
 skip="-s nostart"
-if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+if check_jail jailed; then
        skip="$skip -s nojail"
-       if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+       if ! check_jail vnet; then
                skip="$skip -s nojailvnet"
        fi
 fi
diff --git a/libexec/rc/rc.d/hostname b/libexec/rc/rc.d/hostname
index 8b26c4f60633..0bc31ccd787e 100755
--- a/libexec/rc/rc.d/hostname
+++ b/libexec/rc/rc.d/hostname
@@ -42,8 +42,8 @@ hostname_start()
        # If we are not inside a jail, set the host name.
        # If we are inside a jail, set the host name if it is permitted.
        #
-       if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
-               if [ `$SYSCTL_N security.jail.set_hostname_allowed` -eq 0 ]; 
then
+       if check_jail jailed; then
+               if ! check_jail set_hostname_allowed; then
                        return
                fi
        else
diff --git a/libexec/rc/rc.d/routing b/libexec/rc/rc.d/routing
index 893acb83cf4a..dd75604125a3 100755
--- a/libexec/rc/rc.d/routing
+++ b/libexec/rc/rc.d/routing
@@ -331,7 +331,7 @@ _check_dynamicrouting()
 
        # copied from /etc/rc
        skip="-s nostart"
-       if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+       if check_jail jailed; then
                skip="$skip -s nojail"
        fi
        [ -n "$local_startup" ] && find_local_scripts_new
diff --git a/libexec/rc/rc.d/zfs b/libexec/rc/rc.d/zfs
index 26bf3046444b..f88f65c2ec18 100755
--- a/libexec/rc/rc.d/zfs
+++ b/libexec/rc/rc.d/zfs
@@ -18,7 +18,7 @@ required_modules="zfs"
 
 zfs_start_jail()
 {
-       if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
+       if check_jail mount_allowed; then
                zfs mount -a
        fi
 }
@@ -34,7 +34,7 @@ zfs_start_main()
 
 zfs_start()
 {
-       if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+       if check_jail jailed; then
                zfs_start_jail
        else
                zfs_start_main
@@ -54,7 +54,7 @@ zfs_poststart()
 
 zfs_stop_jail()
 {
-       if [ `$SYSCTL_N security.jail.mount_allowed` -eq 1 ]; then
+       if check_jail mount_allowed; then
                zfs unmount -a
        fi
 }
@@ -67,7 +67,7 @@ zfs_stop_main()
 
 zfs_stop()
 {
-       if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+       if check_jail jailed; then
                zfs_stop_jail
        else
                zfs_stop_main
diff --git a/libexec/rc/rc.d/zfsbe b/libexec/rc/rc.d/zfsbe
index f61f3bf097f0..22d53f219679 100755
--- a/libexec/rc/rc.d/zfsbe
+++ b/libexec/rc/rc.d/zfsbe
@@ -64,7 +64,7 @@ activate_bootonce()
 
 be_start()
 {
-       if [ `$SYSCTL_N security.jail.jailed` -eq 1 ]; then
+       if check_jail jailed; then
                :
        else
                mount -p | while read _dev _mp _type _rest; do
diff --git a/libexec/rc/rc.shutdown b/libexec/rc/rc.shutdown
index 18f67f5ca124..3dfd7a7e0936 100644
--- a/libexec/rc/rc.shutdown
+++ b/libexec/rc/rc.shutdown
@@ -83,9 +83,9 @@ fi
 # and perform the operation
 #
 rcorder_opts="-k shutdown"
-if [ `/sbin/sysctl -n security.jail.jailed` -eq 1 ]; then
+if check_jail jailed; then
        rcorder_opts="$rcorder_opts -s nojail"
-       if [ `/sbin/sysctl -n security.jail.vnet` -ne 1 ]; then
+       if ! check_jail vnet; then
                rcorder_opts="$rcorder_opts -s nojailvnet"
        fi
 fi
diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr
index 2eaf336b5220..e4ed5de6cde6 100644
--- a/libexec/rc/rc.subr
+++ b/libexec/rc/rc.subr
@@ -1689,7 +1689,7 @@ $_cpusetcmd $command $rc_flags $command_args"
                start)
                        # We cannot use protect(1) inside jails.
                        if [ -n "$_oomprotect" ] && [ -f "${PROTECT}" ] &&
-                           [ "$(sysctl -n security.jail.jailed)" -eq 0 ]; then
+                           ! check_jail jailed; then
                                [ -z "${rc_pid}" ] && eval $_pidcmd
                                case $_oomprotect in
                                [Aa][Ll][Ll])

Reply via email to