From 42bafe7619304fe213ed429022a9a3e951db7152 Mon Sep 17 00:00:00 2001 From: Chris Wells Date: Sun, 24 May 2020 20:41:11 -0400 Subject: [PATCH] Execute template hooks using Bastille subcommands --- usr/local/share/bastille/limits.sh | 14 +- usr/local/share/bastille/template.sh | 255 +++++++-------------------- 2 files changed, 80 insertions(+), 189 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index a8f7ad0..9619033 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -30,6 +30,7 @@ # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. . /usr/local/share/bastille/colors.pre.sh +. /usr/local/etc/bastille/bastille.conf usage() { echo -e "${COLOR_RED}Usage: bastille limits TARGET option value${COLOR_RESET}" @@ -40,6 +41,7 @@ usage() { RACCT_ENABLE=$(sysctl -n kern.racct.enable) if [ "${RACCT_ENABLE}" != '1' ]; then echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" +# exit 1 fi # Handle special-case commands first. @@ -68,7 +70,15 @@ fi for _jail in ${JAILS}; do echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" - echo -e "${TYPE} ${VALUE}" - rctl -a jail:"${_jail}":"${OPTION}":deny="${VALUE}/jail" + + _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" + + ## if entry doesn't exist, add; else show existing entry + if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then + echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + + echo -e "${OPTION} ${VALUE}" + rctl -a "${_rctl_rule}" echo -e "${COLOR_RESET}" done diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index 27997d2..db2d973 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh @@ -60,16 +60,38 @@ fi TEMPLATE="${1}" shift -if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then - echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}" - exit 1 -fi +case ${TEMPLATE} in + http?://github.com/*/*|http?://gitlab.com/*/*) + TEMPLATE_DIR=$(echo "${TEMPLATE}" | awk -F / '{ print $4 "/" $5 }') + if [ ! -d "${bastille_templatesdir}/${TEMPLATE_DIR}" ]; then + echo -e "${COLOR_GREEN}Bootstrapping ${TEMPLATE}...${COLOR_RESET}" + if ! bastille bootstrap "${TEMPLATE}"; then + echo -e "${COLOR_RED}Failed to bootstrap template: ${TEMPLATE}.${COLOR_RESET}" + exit 1 + fi + fi + TEMPLATE="${TEMPLATE_DIR}" + ;; + */*) + if [ ! -d "${bastille_templatesdir}/${TEMPLATE}" ]; then + echo -e "${COLOR_RED}${TEMPLATE} not found.${COLOR_RESET}" + exit 1 + fi + ;; + *) + echo -e "${COLOR_RED}Template name/URL not recognized.${COLOR_RESET}" + exit 1 +esac if [ -z "${JAILS}" ]; then echo -e "${COLOR_RED}Container ${TARGET} is not running.${COLOR_RESET}" exit 1 fi +if [ -z "${HOOKS}" ]; then + HOOKS='LIMITS INCLUDE PRE FSTAB PF PKG OVERLAY CONFIG SYSRC SERVICE CMD' +fi + ## global variables bastille_template=${bastille_templatesdir}/${TEMPLATE} for _jail in ${JAILS}; do @@ -77,6 +99,7 @@ for _jail in ${JAILS}; do bastille_jail_path=$(jls -j "${_jail}" path) echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}" + echo -e "${COLOR_GREEN}Applying template: ${TEMPLATE}...${COLOR_RESET}" ## TARGET if [ -s "${bastille_template}/TARGET" ]; then @@ -92,194 +115,52 @@ for _jail in ${JAILS}; do fi fi - ## LIMITS (RCTL) - if [ -s "${bastille_template}/LIMITS" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}" - RACCT_ENABLE=$(sysctl -n kern.racct.enable) - if [ "${RACCT_ENABLE}" != '1' ]; then - echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" - continue - fi - while read _limits; do - ## define the key and value - _limit_key=$(echo "${_limits}" | awk '{print $1}') - _limit_value=$(echo "${_limits}" | awk '{print $2}') - _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail" + for _hook in ${HOOKS}; do + if [ -s "${bastille_template}/${_hook}" ]; then + # Default command is the lowercase hook name and default args are the line from the file. -- cwells + _cmd=$(echo "${_hook}" | awk '{print tolower($1);}') + _args_template='${_line}' - ## if entry doesn't exist, add; else show existing entry - if ! grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf"; then - echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - echo "${_limits}" - else - echo "${_limits}" - fi - - ## apply limits to system - rctl -a "${_rctl_rule}" || exit 1 - done < "${bastille_template}/LIMITS" - echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}" - echo - fi - - ## INCLUDE - if [ -s "${bastille_template}/INCLUDE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}" - while read _include; do - echo - echo -e "${COLOR_GREEN}INCLUDE: ${_include}${COLOR_RESET}" - echo -e "${COLOR_GREEN}Bootstrapping ${_include}...${COLOR_RESET}" - - case ${_include} in - http?://github.com/*/*|http?://gitlab.com/*/*) - bastille bootstrap "${_include}" - ;; - */*) - BASTILLE_TEMPLATE_USER=$(echo "${_include}" | awk -F / '{ print $1 }') - BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $2 }') - bastille template "${_jail}" "${BASTILLE_TEMPLATE_USER}/${BASTILLE_TEMPLATE_REPO}" - ;; - *) - echo -e "${COLOR_RED}Template INCLUDE content not recognized.${COLOR_RESET}" - exit 1 - ;; + # Override default command/args for some hooks. -- cwells + case ${_hook} in + CONFIG) + echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}" + _args_template='${bastille_template}/${_line} /' + _cmd='cp' ;; + FSTAB) + _cmd='mount' ;; + INCLUDE) + _cmd='template' ;; + OVERLAY) + _args_template='${bastille_template}/${_line} /' + _cmd='cp' ;; + PF) + echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" + continue ;; + PRE) + _cmd='cmd' ;; esac - echo - echo -e "${COLOR_GREEN}Applying ${_include}...${COLOR_RESET}" - BASTILLE_TEMPLATE_PROJECT=$(echo "${_include}" | awk -F / '{ print $4}') - BASTILLE_TEMPLATE_REPO=$(echo "${_include}" | awk -F / '{ print $5}') - bastille template "${_jail}" "${BASTILLE_TEMPLATE_PROJECT}/${BASTILLE_TEMPLATE_REPO}" - done < "${bastille_template}/INCLUDE" - echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- END${COLOR_RESET}" - echo - fi - - ## PRE - if [ -s "${bastille_template}/PRE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:PRE -- START${COLOR_RESET}" - jexec -l "${_jail}" /bin/sh < "${bastille_template}/PRE" || exit 1 - echo -e "${COLOR_GREEN}[${_jail}]:PRE -- END${COLOR_RESET}" - echo - fi - - ## FSTAB - if [ -s "${bastille_template}/FSTAB" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- START${COLOR_RESET}" - while read _fstab; do - ## assign needed variables - _hostpath=$(echo "${_fstab}" | awk '{print $1}') - _jailpath=$(echo "${_fstab}" | awk '{print $2}') - _type=$(echo "${_fstab}" | awk '{print $3}') - _perms=$(echo "${_fstab}" | awk '{print $4}') - _checks=$(echo "${_fstab}" | awk '{print $5" "$6}') - - ## if any variables are empty, bail out - if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z "${_perms}" ] || [ -z "${_checks}" ]; then - echo -e "${COLOR_RED}FSTAB format not recognized.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if host path doesn't exist or type is not "nullfs" - if [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then - echo -e "${COLOR_RED}Detected invalid host path or incorrect mount type in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if mount permissions are not "ro" or "rw" - if [ "${_perms}" != "ro" ] && [ "${_perms}" != "rw" ]; then - echo -e "${COLOR_RED}Detected invalid mount permissions in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - ## if check & pass are not "0 0 - 1 1"; bail out - if [ "${_checks}" != "0 0" ] && [ "${_checks}" != "1 0" ] && [ "${_checks}" != "0 1" ] && [ "${_checks}" != "1 1" ]; then - echo -e "${COLOR_RED}Detected invalid fstab options in FSTAB.${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Format: /host/path jail/path nullfs ro 0 0${COLOR_RESET}" - echo -e "${COLOR_YELLOW}Read: ${_fstab}${COLOR_RESET}" - exit 1 - fi - - ## aggregate variables into FSTAB entry - _fstab_entry="${_hostpath} ${bastille_jailsdir}/${_jail}/root/${_jailpath} ${_type} ${_perms} ${_checks}" - - ## if entry doesn't exist, add; else show existing entry - if ! grep -q "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab"; then - echo "${_fstab_entry}" >> "${bastille_jailsdir}/${_jail}/fstab" - echo "Added: ${_fstab_entry}" + echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- START${COLOR_RESET}" + if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then + bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1 + elif [ "${_hook}" = 'PKG' ]; then + bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1 + bastille pkg "${_jail}" audit -F else - grep "${_jailpath}" "${bastille_jailsdir}/${_jail}/fstab" + while read _line; do + if [ -z "${_line}" ]; then + continue + fi + eval "_args=\"${_args_template}\"" + bastille "${_cmd}" "${_jail}" ${_args} || exit 1 + done < "${bastille_template}/${_hook}" fi - done < "${bastille_template}/FSTAB" - mount -F "${bastille_jailsdir}/${_jail}/fstab" -a - echo -e "${COLOR_GREEN}[${_jail}]:FSTAB -- END${COLOR_RESET}" - echo - fi + echo -e "${COLOR_GREEN}[${_jail}]:${_hook} -- END${COLOR_RESET}" + echo + fi + done - ## PF - if [ -s "${bastille_template}/PF" ]; then - echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}" - fi - - ## PKG (bootstrap + pkg) - if [ -s "${bastille_template}/PKG" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:PKG -- START${COLOR_RESET}" - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap || exit 1 - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg install $(cat "${bastille_template}/PKG") || exit 1 - jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg audit -F - echo -e "${COLOR_GREEN}[${_jail}]:PKG -- END${COLOR_RESET}" - echo - fi - - ## CONFIG / OVERLAY - if [ -s "${bastille_template}/OVERLAY" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- START${COLOR_RESET}" - while read _dir; do - cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 - done < "${bastille_template}/OVERLAY" - echo -e "${COLOR_GREEN}[${_jail}]:OVERLAY -- END${COLOR_RESET}" - echo - fi - if [ -s "${bastille_template}/CONFIG" ]; then - echo -e "${COLOR_YELLOW}CONFIG deprecated; rename to OVERLAY.${COLOR_RESET}" - echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- START${COLOR_RESET}" - while read _dir; do - cp -av "${bastille_template}/${_dir}" "${bastille_jail_path}" || exit 1 - done < "${bastille_template}/CONFIG" - echo -e "${COLOR_GREEN}[${_jail}]:CONFIG -- END${COLOR_RESET}" - echo - fi - - ## SYSRC - if [ -s "${bastille_template}/SYSRC" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- START${COLOR_RESET}" - while read _sysrc; do - jexec -l "${_jail}" /usr/sbin/sysrc "${_sysrc}" || exit 1 - done < "${bastille_template}/SYSRC" - echo -e "${COLOR_GREEN}[${_jail}]:SYSRC -- END${COLOR_RESET}" - echo - fi - - ## SERVICE - if [ -s "${bastille_template}/SERVICE" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- START${COLOR_RESET}" - while read _service; do - jexec -l "${_jail}" /usr/sbin/service ${_service} || exit 1 - done < "${bastille_template}/SERVICE" - echo -e "${COLOR_GREEN}[${_jail}]:SERVICE -- END${COLOR_RESET}" - echo - fi - - ## CMD - if [ -s "${bastille_template}/CMD" ]; then - echo -e "${COLOR_GREEN}[${_jail}]:CMD -- START${COLOR_RESET}" - jexec -l "${_jail}" /bin/sh < "${bastille_template}/CMD" || exit 1 - echo -e "${COLOR_GREEN}[${_jail}]:CMD -- END${COLOR_RESET}" - echo - fi - - echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}" + echo -e "${COLOR_GREEN}Template complete.${COLOR_RESET}" echo done