Merge pull request #105 from cedwards/template_support_limits

Initial support for LIMITS in template automation

AUTHORS.md

@@ -4,18 +4,22 @@
 
 Christer Edwards [christer.edwards@gmail.com]  
 
-## Contributors
+## Contributors (code)
 
 Barry McCormick  
-Jose Rivera
+Brian Downs  
+Dave Cottlehuber  
 Giacomo Olgeni  
-Jan-Piet Mens
+JP Mens  
+Jose Rivera  
+Lars E.  
+Sven R.  
 
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may
-not be found in the commit history.
+not be found in the commit history but have influenced Bastille's development
+in some way.
 
-Barry McCormick
 Carlos Meza  
 Casandra Woodcox  
 Clint Savage  
@@ -25,6 +29,7 @@ Jun C Park
 Justin Desilets  
 Larry Raab  
 Nate Taylor  
+Peter Czanik  
 Ryan Simpkins  
 Tim Gelter  
 Trevor Sharpe  

CODE-OF-CONDUCT.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at conduct@bastillebsd.org. All
+reported by contacting the project team lead at christer.edwards@gmail.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/bootstrap.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/cmd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/console.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/cp.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/create.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/destroy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/htop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/limits.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # Ressource limits added by Sven R github.com/hackacad
 # 

usr/local/share/bastille/list.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/pkg.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/restart.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/service.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/start.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/stop.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/sysrc.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/template.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without
@@ -92,6 +92,35 @@ for _jail in ${JAILS}; do
         fi
     fi
 
+    ## LIMITS (RCTL)
+    if [ -s "${bastille_template}/LIMITS" ]; then
+        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- START${COLOR_RESET}"
+        RACCT_ENABLE=$(sysctl -n kern.racct.enable)
+        if [ "${RACCT_ENABLE}" != '1' ]; then
+            echo "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot"
+            continue
+        fi
+        while read _limits; do
+            ## define the key and value
+            _limit_key=$(echo "${_limits}" | awk '{print $1}')
+            _limit_value=$(echo "${_limits}" | awk '{print $2}')
+            _rctl_rule="jail:${_jail}:${_limit_key}:deny=${_limit_value}/jail"
+
+            ## if entry doesn't exist, add; else show existing entry
+            if [ ! "$(grep -qs "${_rctl_rule}" "${bastille_jailsdir}/${_jail}/rctl.conf")" ]; then
+                echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+                echo "${_limits}"
+            else
+                echo "${_limits}"
+            fi
+
+            ## apply limits to system
+            rctl -a "${_rctl_rule}" || exit 1
+        done < "${bastille_template}/LIMITS"
+        echo -e "${COLOR_GREEN}[${_jail}]:LIMITS -- END${COLOR_RESET}"
+        echo
+    fi
+
     ## INCLUDE
     if [ -s "${bastille_template}/INCLUDE" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:INCLUDE -- START${COLOR_RESET}"

usr/local/share/bastille/top.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/update.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/upgrade.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/verify.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without

usr/local/share/bastille/zfs.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 # 
-# Copyright (c) 2018-2019, Christer Edwards <christer.edwards@gmail.com>
+# Copyright (c) 2018-2020, Christer Edwards <christer.edwards@gmail.com>
 # All rights reserved.
 # 
 # Redistribution and use in source and binary forms, with or without