hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2024-11-14 14:21:18 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

netstat(1): teach netstat to attach to jails

Browse Source 
Add -j <jail> flag to netstat(1) to allow access to network information
from a jail.

MFC after:	1 week
Differential Revision: https://reviews.freebsd.org/D41446
This commit is contained in:
Doug Rabson 2023-08-14 09:01:28 +01:00
parent 77a999ef2f
commit 182e8ae26d
3 changed files with 128 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
usr.bin/netstat/Makefile
View File

@ -69,4 +69,9 @@ SRCS+= route_netlink.c
CFLAGS+=-DWITHOUT_NETLINK
.endif
.if ${MK_JAIL} != "no" && !defined(RESCUE)
CFLAGS+= -DJAIL
LIBADD+= jail
.endif
.include <bsd.prog.mk>

57
usr.bin/netstat/main.c
View File

@ -46,6 +46,9 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/file.h>
#ifdef JAIL
#include <sys/jail.h>
#endif
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@ -60,6 +63,9 @@ __FBSDID("$FreeBSD$");
#include <ctype.h>
#include <err.h>
#include <errno.h>
#ifdef JAIL
#include <jail.h>
#endif
#include <kvm.h>
#include <limits.h>
#include <netdb.h>
@ -233,6 +239,9 @@ int interval; /* repeat interval for i/f stats */
char *interface; /* desired i/f for stats, or NULL for all i/fs */
int unit; /* unit number for above */
#ifdef JAIL
char *jail_name; /* desired jail to operate in */
#endif
static int af; /* address family */
int live; /* true if we are examining a live system */
@ -245,6 +254,9 @@ main(int argc, char *argv[])
int fib = -1;
char *endptr;
bool first = true;
#ifdef JAIL
int jid;
#endif
af = AF_UNSPEC;
@ -252,7 +264,7 @@ main(int argc, char *argv[])
if (argc < 0)
exit(EXIT_FAILURE);
while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:iLlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
while ((ch = getopt(argc, argv, "46AaBbCcdF:f:ghI:ij:LlM:mN:nOoPp:Qq:RrSTsuWw:xz"))
!= -1)
switch(ch) {
case '4':
@ -340,6 +352,15 @@ main(int argc, char *argv[])
case 'i':
iflag = 1;
break;
case 'j':
#ifdef JAIL
if (optarg == NULL)
usage();
jail_name = optarg;
#else
errx(1, "Jail support is not compiled in");
#endif
break;
case 'L':
Lflag = 1;
break;
@ -436,6 +457,16 @@ main(int argc, char *argv[])
}
#endif
#ifdef JAIL
if (jail_name != NULL) {
jid = jail_getid(jail_name);
if (jid == -1)
errx(1, "Jail not found");
if (jail_attach(jid) != 0)
errx(1, "Cannot attach to jail");
}
#endif
/*
* Discard setgid privileges if not the running kernel so that bad
* guys can't print interesting stuff from kernel memory.
@ -890,24 +921,24 @@ static void
usage(void)
{
(void)xo_error("%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n",
"usage: netstat [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
"usage: netstat [-j jail] [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]\n"
" [-M core] [-N system]",
" netstat -i | -I interface [-46abdhnW] [-f address_family]\n"
" netstat [-j jail] -i | -I interface [-46abdhnW] [-f address_family]\n"
" [-M core] [-N system]",
" netstat -w wait [-I interface] [-46d] [-M core] [-N system]\n"
" netstat [-j jail] -w wait [-I interface] [-46d] [-M core] [-N system]\n"
" [-q howmany]",
" netstat -s [-46sz] [-f protocol_family | -p protocol]\n"
" netstat [-j jail] -s [-46sz] [-f protocol_family | -p protocol]\n"
" [-M core] [-N system]",
" netstat -i | -I interface -s [-46s]\n"
" netstat [-j jail] -i | -I interface -s [-46s]\n"
" [-f protocol_family | -p protocol] [-M core] [-N system]",
" netstat -m [-M core] [-N system]",
" netstat -B [-z] [-I interface]",
" netstat -r [-46AnW] [-F fibnum] [-f address_family]\n"
" netstat [-j jail] -m [-M core] [-N system]",
" netstat [-j jail] -B [-z] [-I interface]",
" netstat [-j jail] -r [-46AnW] [-F fibnum] [-f address_family]\n"
" [-M core] [-N system]",
" netstat -rs [-s] [-M core] [-N system]",
" netstat -g [-46W] [-f address_family] [-M core] [-N system]",
" netstat -gs [-46s] [-f address_family] [-M core] [-N system]",
" netstat -Q");
" netstat [-j jail] -rs [-s] [-M core] [-N system]",
" netstat [-j jail] -g [-46W] [-f address_family] [-M core] [-N system]",
" netstat [-j jail] -gs [-46s] [-f address_family] [-M core] [-N system]",
" netstat [-j jail] -Q");
xo_finish();
exit(1);
}

79
usr.bin/netstat/netstat.1
View File

@ -38,16 +38,19 @@
.Bk -words
.Bl -tag -width "netstat"
.It Nm
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46AaCLnPRSTWx
.Op Fl f Ar protocol_family | Fl p Ar protocol
.It Nm Fl i | I Ar interface
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46abdhnW
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl w Ar wait
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl I Ar interface
.Op Fl 46d
@ -55,46 +58,55 @@
.Op Fl N Ar system
.Op Fl q Ar howmany
.It Nm Fl s
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46sz
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl i | I Ar interface Fl s
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46s
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl m
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl B
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl z
.Op Fl I Ar interface
.It Nm Fl r
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46nW
.Op Fl F Ar fibnum
.Op Fl f Ar address_family
.It Nm Fl rs
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl s
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl g
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46W
.Op Fl f Ar address_family
.It Nm Fl gs
.Op Fl j Ar jail
.Op Fl -libxo
.Op Fl 46s
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.It Nm Fl Q
.Op Fl j Ar jail
.Op Fl -libxo
.El
.Ek
@ -111,6 +123,7 @@ command uses.
.Nm
.Op Fl 46AaCLnRSTWx
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl j Ar jail
.Ek
.Xc
Display a list of active sockets
@ -238,6 +251,10 @@ Filter by
.Ar protocol .
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -247,6 +264,7 @@ See
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Show the state of all network interfaces or a single
@ -316,6 +334,10 @@ Filter by
.Ar protocol_family .
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -326,6 +348,7 @@ See
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl q Ar howmany
.Op Fl j Ar jail
.Ek
.Xc
At intervals of
@ -374,6 +397,10 @@ See
Exit after
.Ar howmany
outputs.
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -383,6 +410,7 @@ outputs.
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Display system-wide statistics for each network protocol.
@ -419,6 +447,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -428,6 +460,7 @@ See
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Display per-interface statistics for each network protocol.
@ -470,6 +503,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -477,6 +514,7 @@ See
.Fl m
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Show statistics recorded by the memory management routines
@ -491,6 +529,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -498,6 +540,7 @@ See
.Fl B
.Op Fl z
.Op Fl I Ar interface
.Op Fl j Ar jail
.Ek
.Xc
Show statistics about
@ -534,6 +577,10 @@ For more information about these flags, please refer to
.Bl -tag -width indent
.It Fl z
Reset statistic counters after displaying them.
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -544,6 +591,7 @@ Reset statistic counters after displaying them.
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Display the contents of routing tables.
@ -628,6 +676,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -636,6 +688,7 @@ See
.Op Fl s
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Display routing statistics.
@ -652,6 +705,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -661,6 +718,7 @@ See
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Display the contents of the multicast virtual interface tables,
@ -696,6 +754,10 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
@ -705,6 +767,7 @@ See
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl j Ar jail
.Ek
.Xc
Show multicast routing statistics.
@ -734,11 +797,16 @@ See
Use an alternative kernel image
See
.Sx GENERAL OPTIONS .
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.It Xo
.Bk -words
.Nm
.Fl Q
.Op Fl j Ar jail
.Ek
.Xc
Show
@ -749,6 +817,10 @@ The flags field shows available ISR handlers:
.It Li C Ta Dv NETISR_SNP_FLAGS_M2CPUID Ta "Able to map mbuf to cpu id"
.It Li D Ta Dv NETISR_SNP_FLAGS_DRAINEDCPU Ta "Has queue drain handler"
.It Li F Ta Dv NETISR_SNP_FLAGS_M2FLOW Ta "Able to map mbuf to flow id"
.It Fl j Ar jail
Run inside a jail.
See
.Sx GENERAL OPTIONS .
.El
.El
.Ss GENERAL OPTIONS
@ -808,6 +880,13 @@ Wider output; expand address fields, etc, to avoid truncation.
Non-numeric values such as domain names may still be truncated; use the
.Fl n
option if necessary to avoid ambiguity.
.It Fl j Ar jail
Perform the actions inside the
.Ar jail .
This allows network state to be accessed even if the
.Cm netstat
binary is not available in the
.Ar jail .
.El
.Sh EXAMPLES
Show packet traffic information (packets, bytes, errors, packet drops, etc) for