hardenedbsd/HardenedBSD
1
0
Fork 0
mirror of https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git synced 2025-01-11 17:04:19 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
b15110fb0d
HardenedBSD/libexec/rc/rc.d/ppp
Alexander Leidinger f99f0ee14e rc.d: add a service jails config to all base system services 
This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision:	https://reviews.freebsd.org/D40371
2024-05-22 15:41:49 +02:00

139 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
#
# PROVIDE: ppp
# REQUIRE: netif
# KEYWORD: nojail
. /etc/rc.subr
name="ppp"
desc="Point to Point Protocol"
rcvar="ppp_enable"
command="/usr/sbin/${name}"
start_cmd="ppp_start"
stop_cmd="ppp_stop"
start_postcmd="ppp_poststart"
ppp_start_profile()
{
local _ppp_profile _ppp_mode _ppp_nat _ppp_unit
local _ppp_profile_cleaned _punct _punct_c
_ppp_profile=$1
_ppp_profile_cleaned=$1
_punct=". - / +"
for _punct_c in $_punct; do
_ppp_profile_cleaned=`ltr ${_ppp_profile_cleaned} ${_punct_c} '_'`
done
# Check for ppp profile mode override.
#
eval _ppp_mode=\$ppp_${_ppp_profile_cleaned}_mode
if [ -z "$_ppp_mode" ]; then
_ppp_mode=$ppp_mode
fi
# Check for ppp profile nat override.
#
eval _ppp_nat=\$ppp_${_ppp_profile_cleaned}_nat
if [ -z "$_ppp_nat" ]; then
_ppp_nat=$ppp_nat
fi
# Establish ppp mode.
#
if [ "${_ppp_mode}" != "ddial" -a "${_ppp_mode}" != "direct" \
-a "${_ppp_mode}" != "dedicated" \
-a "${_ppp_mode}" != "background" ]; then
_ppp_mode="auto"
fi
rc_flags="-quiet -${_ppp_mode}"
# Switch on NAT mode?
#
case ${_ppp_nat} in
[Yy][Ee][Ss])
rc_flags="$rc_flags -nat"
;;
esac
# Check for hard wired unit
eval _ppp_unit=\$ppp_${_ppp_profile_cleaned}_unit
if [ -n "${_ppp_unit}" ]; then
_ppp_unit="-unit${_ppp_unit}"
fi
rc_flags="$rc_flags $_ppp_unit"
# Run!
#
su -m $ppp_user -c "$command ${rc_flags} ${_ppp_profile}"
}
ppp_start()
{
local _ppp_profile _p
_ppp_profile=$*
if [ -z "${_ppp_profile}" ]; then
_ppp_profile=$ppp_profile
fi
startmsg -n "Starting PPP profile:"
for _p in $_ppp_profile; do
startmsg -n " $_p"
ppp_start_profile $_p
done
startmsg "."
}
ppp_poststart()
{
# Re-Sync ipfilter and pf so they pick up any new network interfaces
#
if [ -f /etc/rc.d/ipfilter ]; then
/etc/rc.d/ipfilter quietresync
fi
if [ -f /etc/rc.d/pf ]; then
/etc/rc.d/pf quietresync
fi
}
ppp_stop_profile() {
local _ppp_profile
_ppp_profile=$1
/bin/pkill -f "^${command}.*[[:space:]]${_ppp_profile}\$" || \
echo -n "(not running)"
}
ppp_stop() {
local _ppp_profile _p
_ppp_profile=$*
if [ -z "${_ppp_profile}" ]; then
_ppp_profile=$ppp_profile
fi
echo -n "Stopping PPP profile:"
for _p in $_ppp_profile; do
echo -n " $_p"
ppp_stop_profile $_p
done
echo "."
}
load_rc_config $name
# doesn't make sense to run in a svcj: nojail keyword
ppp_svcj="NO"
run_rc_command $*
Reference in New Issue View Git Blame Copy Permalink