BastilleBSD/bastille
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

Execute template hooks using Bastille subcommands

Browse Source
This commit is contained in:
Chris Wells
2020-05-24 20:41:11 -04:00
parent b515565bde
commit 42bafe7619
2 changed files with 80 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
usr/local/share/bastille/limits.sh
View File

@@ -30,6 +30,7 @@
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
. /usr/local/share/bastille/colors.pre.sh
. /usr/local/etc/bastille/bastille.conf
usage() {
echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}"
@@ -40,6 +41,7 @@ usage() {
RACCT_ENABLE=$(sysctl -n kern.racct.enable)
if [ "${RACCT_ENABLE}" != '1' ]; then
echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
# exit 1
fi
# Handle special-case commands first.
@@ -68,7 +70,15 @@ fi
for _jail in ${JAILS}; do
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
echo -e "${TYPE} ${VALUE}"
rctl -a jail:"${_jail}":"${OPTION}":deny="${VALUE}/jail"
_rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
## if entry doesn't exist, add; else show existing entry
if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
fi
echo -e "${OPTION} ${VALUE}"
rctl -a "${_rctl_rule}"
echo -e "${COLOR_RESET}"
done

255
usr/local/share/bastille/template.sh
View File

@@ -60,16 +60,38 @@ fi
TEMPLATE="${1}"
shift
if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
exit 1
fi
case ${TEMPLATE} in
http?://github.com/*/*|http?://gitlab.com/*/*)
TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }')
if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then
echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}"
if ! bastille bootstrap "${TEMPLATE}"; then
echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}"
exit 1
fi
fi
TEMPLATE="${TEMPLATE_DIR}"
;;
*/*)
if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then
echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}"
exit 1
fi
;;
*)
echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}"
exit 1
esac
if [ -z "${JAILS}" ]; then
echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}"
exit 1
fi
if [ -z "${HOOKS}" ]; then
HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD'
fi
## global variables
bastille_template=${bastille_templatesdir}/${TEMPLATE}
for _jail in ${JAILS}; do
@@ -77,6 +99,7 @@ for _jail in ${JAILS}; do
bastille_jail_path=$(jls -j "${_jail}" path)
echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}"
## TARGET
if [ -s "${bastille_template}/TARGET" ]; then
@@ -92,194 +115,52 @@ for _jail in ${JAILS}; do
fi
fi
## LIMITS (RCTL)
if [ -s "${bastille_template}/LIMITS" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
RACCT_ENABLE=$(sysctl -n kern.racct.enable)
if [ "${RACCT_ENABLE}" != '1' ]; then
echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
continue
fi
while read _limits; do
## define the key and value
_limit_key=$(echo "${_limits}" | awk '{print $1}')
_limit_value=$(echo "${_limits}" | awk '{print $2}')
_rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
for _hook in ${HOOKS}; do
if [ -s "${bastille_template}/${_hook}" ]; then
# Default command is the lowercase hook name and default args are the line from the file. -- cwells
_cmd=$(echo "${_hook}" | awk '{print tolower($1);}')
_args_template='${_line}'
## if entry doesn't exist, add; else show existing entry
if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
echo "${_limits}"
else
echo "${_limits}"
fi
## apply limits to system
rctl -a "${_rctl_rule}" || exit 1
done < "${bastille_template}/LIMITS"
echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
echo
fi
## INCLUDE
if [ -s "${bastille_template}/INCLUDE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"
while read _include; do
echo
echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}"
echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}"
case ${_include} in
http?://github.com/*/*|http?://gitlab.com/*/*)
bastille bootstrap "${_include}"
;;
*/*)
BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }')
bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}"
;;
*)
echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}"
exit 1
;;
# Override default command/args for some hooks. -- cwells
case ${_hook} in
CONFIG)
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
_args_template='${bastille_template}/${_line} /'
_cmd='cp' ;;
FSTAB)
_cmd='mount' ;;
INCLUDE)
_cmd='template' ;;
OVERLAY)
_args_template='${bastille_template}/${_line} /'
_cmd='cp' ;;
PF)
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
continue ;;
PRE)
_cmd='cmd' ;;
esac
echo
echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}"
BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}')
BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}')
bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}"
done < "${bastille_template}/INCLUDE"
echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}"
echo
fi
## PRE
if [ -s "${bastille_template}/PRE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}"
jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}"
echo
fi
## FSTAB
if [ -s "${bastille_template}/FSTAB" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}"
while read _fstab; do
## assign needed variables
_hostpath=$(echo "${_fstab}" | awk '{print $1}')
_jailpath=$(echo "${_fstab}" | awk '{print $2}')
_type=$(echo "${_fstab}" | awk '{print $3}')
_perms=$(echo "${_fstab}" | awk '{print $4}')
_checks=$(echo "${_fstab}" | awk '{print $5" "$6}')
## if any variables are empty, bail out
if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then
echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if host path doesn't exist or type is not "nullfs"
if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then
echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if mount permissions are not "ro" or "rw"
if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then
echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## if check & pass are not "0 0 - 1 1"; bail out
if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then
echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}"
echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}"
exit 1
fi
## aggregate variables into FSTAB entry
_fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}"
## if entry doesn't exist, add; else show existing entry
if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then
echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab"
echo "Added: ${_fstab_entry}"
echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}"
if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then
bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1
elif [ "${_hook}" = 'PKG' ]; then
bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1
bastille pkg "${_jail}" audit -F
else
grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"
while read _line; do
if [ -z "${_line}" ]; then
continue
fi
eval "_args=\"${_args_template}\""
bastille "${_cmd}" "${_jail}" ${_args} || exit 1
done < "${bastille_template}/${_hook}"
fi
done < "${bastille_template}/FSTAB"
mount -F "${bastille_jailsdir}/${_jail}/fstab" -a
echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}"
echo
fi
echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}"
echo
fi
done
## PF
if [ -s "${bastille_template}/PF" ]; then
echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
fi
## PKG (bootstrap + pkg)
if [ -s "${bastille_template}/PKG" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}"
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat "${bastille_template}/PKG") || exit 1
jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F
echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}"
echo
fi
## CONFIG / OVERLAY
if [ -s "${bastille_template}/OVERLAY" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}"
while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < "${bastille_template}/OVERLAY"
echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}"
echo
fi
if [ -s "${bastille_template}/CONFIG" ]; then
echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}"
while read _dir; do
cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1
done < "${bastille_template}/CONFIG"
echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}"
echo
fi
## SYSRC
if [ -s "${bastille_template}/SYSRC" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}"
while read _sysrc; do
jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1
done < "${bastille_template}/SYSRC"
echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}"
echo
fi
## SERVICE
if [ -s "${bastille_template}/SERVICE" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}"
while read _service; do
jexec -l "${_jail}" /usr/sbin/service ${_service} || exit 1
done < "${bastille_template}/SERVICE"
echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}"
echo
fi
## CMD
if [ -s "${bastille_template}/CMD" ]; then
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}"
jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1
echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}"
echo
fi
echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}"
echo
done