History log of /src/libexec/rc/rc.subr (Results 1 – 25 of 231)
Revision Date Author Comments
# 9dda51f1 14-Dec-2025 Mark Johnston <markj@FreeBSD.org>

rc.subr: Use the variable we defined to invoke setaudit(8)

Reported by: gtetlow
Fixes: 39ee24182b92 ("rc.subr: Support setting the audit user when starting services")
MFC after: 1 week


# 39ee2418 17-Nov-2025 Mark Johnston <markj@FreeBSD.org>

rc.subr: Support setting the audit user when starting services

When an unprivileged user restarts a service using, e.g., sudo, the
service runs with the audit user ID set to that of the unprivileged
user. This can have surprising effects: for instance, a user that
restarts a jail that is running sshd will end up with their UID attached
to all audit logs associated with users who log in via that sshd
instance. (sshd will set the audit user, but this is disallowed in
jails by default.)

Add support for rc.conf directives which cause rc to override the audit
user. Specifically, make <name>_audit_user=foo cause the audit user to
be set to "foo" for service <name>. A plain audit_user=foo directive
causes all services to be started as foo.

Note, like other similar rc features, this feature is limited to rc
services which are run by executing a command. Shell functions can't be
wrapped this way.

Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53747


# 71f6592a 17-Nov-2025 Mark Johnston <markj@FreeBSD.org>

rc.subr: Remove misguided cpuset usage

When running an rc command, if the target rc script defines
<command>_cmd, e.g., start_cmd=..., then the run_rc_command() executes
that instead of $command. In general it's a shell function, and
"cpuset -l <n> <shell function>" doesn't work.

Moreover, it doesn't really make sense to run cpuset for anything other
than start_cmd.

Other optional isolation mechanisms (e.g., <name>_fib,
<name>_chroot) are only used when invoking $command directly as part of
the "start" command. Make <name>_cpuset consistent with everything else
by removing these extraneous cpuset invocations.

Reviewed by: 0mp
MFC after: 2 weeks
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D53746


# 7861d051 17-Nov-2025 Mark Johnston <markj@FreeBSD.org>

rc.subr: Try to make svjc option handling a bit easier to read

Specifically, make this code fit in fewer columns:
- deindent cases to conform to the usual style,
- use a local variable to minimize duplication in each case.

No functional change intended.

Reviewed by: 0mp, netchild
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D53754


# a797702b 30-Oct-2025 Simon J. Gerraty <sjg@FreeBSD.org>

rc.subr set dot_dir and dot_file in dot

Files read by '.' cannot work out for themselves where they are
or what they are called, so set dot_dir and dot_file to pass
this information to them.

Reviewed by: obrien, stevek
Differential Revision: https://reviews.freebsd.org/D53476


# 22cff1f3 28-Oct-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

rc.subr: Fix slow shutdown issue

Instead of sleeping after pwait returns, use its new -p option to
obtain the list of processes that still have not terminated.

MFC after: 3 days
PR: 290357
Fixes: 5953e7c98427 ("rc.subr: Move the sleep in wait_for_pids")
Reviewed by: 0mp, markj
Differential Revision: https://reviews.freebsd.org/D53294


# 5953e7c9 23-Sep-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

rc.subr: Move the sleep in wait_for_pids

Instead of sleeping while constructing the list of PIDs to wait for,
sleep briefly after pwait to give init a chance to reap the processes
that just terminated before we loop around and start probing them.

PR: 289630
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D52619


# 7f04c09f 01-Aug-2025 Dag-Erling Smørgrav <des@FreeBSD.org>

rc.subr: Fix wait_for_pids

It looks like this function was intended to loop and print an update
whenever at least one of the waited-for processes terminates. However,
the default behavior of pwait is to block until none of the watched
processes exist. Use pwait -o instead so it only blocks until at least
one process terminates, and add a test.

Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Reviewed by: siderop1_netapp.com, kevans
Differential Revision: https://reviews.freebsd.org/D51691


# 5d525865 12-Jul-2025 Mateusz Piotrowski <0mp@FreeBSD.org>

rc.subr: Fix a typo in check_jail()'s description

MFC after: 3 days
Event: Berlin Hackathon 202507


# 46f18ecf 12-Jul-2025 Mateusz Piotrowski <0mp@FreeBSD.org>

rc: Use check_jail to check values of security.jail MIBs

PR: 282404
Reviewed by: markj, netchild
Approved by: markj (mentor)
MFC after: 2 weeks
Event: Berlin Hackathon 202507
Differential Revision: https://reviews.freebsd.org/D47329


# 9c014cc2 27-Jun-2025 Mark Johnston <markj@FreeBSD.org>

Revert "rc: Disable pathname expansion when calling run_rc_command()"

At least nuageinit is broken after this commit, breaking some downstream
CI systems. It also disables globbing for rc.local scripts, which is
likely to break users in surprising ways.

This reverts commit 4deb9760a9d84d5861ee45162ffebe83f13503b8.


# d783591a 27-Jun-2025 Mark Johnston <markj@FreeBSD.org>

Revert "rc: Fix scripts that need pathname expansion"

The commit which motivated this is being reverted.

This reverts commit 7faddeb395b7976b44393db24f48ec47040eff07.


# 7faddeb3 14-Jun-2025 Hiroki Sato <hrs@FreeBSD.org>

rc: Fix scripts that need pathname expansion

Reported by: Kenneth Raplee
Differential Revision: https://reviews.freebsd.org/D45855


# 4deb9760 12-Jun-2025 Hiroki Sato <hrs@FreeBSD.org>

rc: Disable pathname expansion when calling run_rc_command()

Variables for command-line options like $foo_flags can contain characters
that perform pathname expansions, such as '[', ']', and '*'. They were
passed without escaping, and the matched entries in the working directory
affected the command-line options. This change turns off the expansion
when run_rc_command() is called.

While this changes the current behavior, an invocation of a service
program should not depend on entries in the working directory.

Differential Revision: https://reviews.freebsd.org/D45855


# 06c41801 27-May-2025 Lexi Winter <ivy@FreeBSD.org>

svcj: correctly handle kernels without INET or INET6

If either INET or INET6 is not enabled in the kernel, then the jail(8)
options ip4=<new|inherit> resp. ip6=<new|inherit> are not available.
Detect this case and don't try to provide those options, otherwise
svcjs will not start.

Do this automatically (without a warning) so that net_basic, which
includes both netv4 and netv6, continues to work as expected.

If _svcj_ipaddrs is explicitly configured with an address for an IP
version not supported by the kernel, issue a warning but continue to
start the service. This can result in the service being started with
fewer addresses than expected, but never more.

Reviewed by: netchild, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49976


# f6328f05 14-May-2025 Lexi Winter <ivy@FreeBSD.org>

rc.subr: remove the dependency on bsdconfig

rc.subr uses sysrc(8) for the 'enable' and 'disable' commands, which
means the entire rc(8) stack depends on bsdconfig. Instead, provide a
minimal amount of rc.conf-editing functionality in rc.subr and use it to
implement these commands.

Reviewed by: des, bapt
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50325


# 0268d03b 11-May-2025 Lexi Winter <ivy@FreeBSD.org>

svcj: add "routing" option

"routing" enables the jail allow.routing permission, which allows the jail to
modify the system routing table. this can be used to run routing daemons
(e.g., BIRD) in a service jail.

Reviewed by: jamie, des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D49844


# 3a0eb293 20-Apr-2025 Lexi Winter <ivy@FreeBSD.org>

rc.subr: add 'settime' to svcj options

<svc>_svcj_options="settime" enables the jail allow.settime privilege,
which allows to set and slew the system clock. this allows NTP daemons
to run in a service jail.

Reviewed by: jamie, kevans, des, #jails, #manpages
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D49845


# 6fbd1bed 23-Mar-2025 Lexi Winter <lexi@hemlock.eden.le-fay.org>

rc.subr: add ${svc}_svcj_ipaddrs option

setting ${svc}_svcj_ipaddrs to a list of IP addresses causes rc.subr to
set ip6.addr and/or ip4.addr when starting the jail, restricting it to
those IP addresses rather than inheriting all IP addresses.

for example:

inetd_enable=YES
inetd_svcj=YES
inetd_svcj_options="net_basic"
inetd_svcj_ipaddrs="::1 127.0.0.1 2001:db8::1"

if not specified, the default value is unchanged (inherit all addresses
if networking is enabled).

Reviewed by: netchild


# f8f5b658 10-Feb-2025 Simon J. Gerraty <sjg@FreeBSD.org>

rc.subr:rc_trace take advantage of sdot

Since we now have sdot, use it to get RC_LEVEL from rc.conf.d/rc_trace
also avoid logging execution of ':' when RC_LEVEL > 0

Reviewed by: stevek
Differential Revision: https://reviews.freebsd.org/D48856


# a5ad360f 23-Oct-2024 Mateusz Piotrowski <0mp@FreeBSD.org>

rc: Remove rc_fast_and_loose

The rc_fast_and_loose variable allowed rc(8) to start services
by sourcing them into rc's own shell environment. Normally, each rc
service script is started by being sourced into its own subshell
instead. The feature was meant to speed up rc(8) by avoiding the extra
forking necessary to spawn subshells.

In practice, the feature has been broken for a long time now. One of the
reasons is that some rc service scripts call the exit builtin to return
non-zero error codes, which not only terminates the service subshell
but also rc(8) when rc_fast_and_loose is enabled. For example,
a system running any of the supported FreeBSD releases
with rc_fast_and_loose=yes would abort rc(8) as early as rc.d/hostid,
due to an "exit 0".

Fixing rc_fast_and_loose support would require rewriting some rc scripts
to support being sourced directly into rc(8) process. This would muddy
the code base and also would prove difficult to maintain long term
as this is simply not how rc(8) users write scripts. The potential
performance benefits are unlikely to be significant even for use cases
such as Morello under qemu.

Instead, remove support for rc_fast_and_loose completely from rc(8)
and inform users about the change.

PR: 282255
Reviewed by: brooks, christos, mhorne
Approved by: christos (mentor), markj (mentor)
MFC after: 2 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D47264


# 401516db 20-Sep-2024 Mateusz Piotrowski <0mp@FreeBSD.org>

rc.subr: Consistently use an absolute path for sysrc

MFC after: 2 weeks
Approved by: christos


# 4269d1a2 11-Sep-2024 R. Christian McDonald <rcm@FreeBSD.org>

rc.subr: fix typo "save_dot" -> "safe_dot"

Reviewed by: sjg
Approved by: kp
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46644


# b5f6beef 10-Sep-2024 R. Christian McDonald <rcm@FreeBSD.org>

rc.subr: ensure run_rc_script return code is not masked by DebugOff

Ensure that run_rc_script returns the true return code of the
rc command and not the return code of DebugOff

Reviewed by: sjg
Approved by: kp
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46626


# 6502c60c 03-Aug-2024 Simon J. Gerraty <sjg@FreeBSD.org>

Move fetch of DEBUG_SH from kenv to rc

We only need to check kenv for DEBUG_SH once.
We also need to export DEBUG_SH to be useful.

Sponsored by: Juniper Networks, Inc.

Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D46219
