Merge pull request #529 from BastilleBSD/fete_nationale_2022

prepare for fete nationale 2022

AUTHORS.md

@@ -23,6 +23,11 @@ Christer Edwards [christer.edwards@gmail.com]
 - Sven R.
 - Tobias Tom
 - Stefano Marinelli
+- Logan Ellis
+- Chuck Tuffli
+- Niketh Murali
+- Eric Borisch
+- Kevet Duncombe
 
 ### Special thanks
 Software doesn't happen in a vacuum. Thank you to the following people who may

README.md

@@ -735,8 +735,8 @@ After populating `usr/local/` with custom config files that your container will
 use, be sure to include `usr` in the template OVERLAY definition. eg;
 
 ```shell
-echo "CP etc" >> /usr/local/bastille/templates/username/base/Bastillefile
-echo "CP usr" >> /usr/local/bastille/templates/username/base/Bastillefile
+echo "OVERLAY etc" >> /usr/local/bastille/templates/username/base/Bastillefile
+echo "OVERLAY usr" >> /usr/local/bastille/templates/username/base/Bastillefile
 ```
 
 The above example will include anything under "etc" and "usr" inside

docs/chapters/installation.rst

@@ -4,7 +4,7 @@ Bastille is available in the official FreeBSD ports tree at
 `sysutils/bastille`. Binary packages available in `quarterly` and `latest`
 repositories.
 
-Current version is `0.9.20220216`.
+Current version is `0.9.20220714`.
 
 To install from the FreeBSD package repository:
 

docs/chapters/subcommands/bootstrap.rst

@@ -22,7 +22,7 @@ Releases
 Example
 -------
 
-To `bootstrap` a release, run the bootstrap sub-command with the
+To `bootstrap` a FreeBSD release, run the bootstrap sub-command with the
 release version as the argument.
 
 .. code-block:: shell
@@ -30,6 +30,14 @@ release version as the argument.
   ishmael ~ # bastille bootstrap 11.4-RELEASE [update]
   ishmael ~ # bastille bootstrap 12.1-RELEASE
 
+To `bootstrap` a HardenedBSD release, run the bootstrap sub-command with the
+build version as the argument.
+
+.. code-block:: shell
+
+  ishmael ~ # bastille bootstrap 13-stable-build-latest
+
+
 This command will ensure the required directory structures are in place and
 download the requested release. For each requested release, `bootstrap` will
 download the base.txz. These files are verified (sha256 via MANIFEST file)

docs/chapters/targeting.rst

@@ -27,7 +27,7 @@ Examples: Containers
 | cmd       | ALL    | 'sockstat -4'    | execute `sockstat -4` in ALL containers (ip4 sockets)       |
 +-----------+--------+-----+------------+-------------------------------------------------------------+
 | console   | mariadb02    | ---        | console (shell) access to mariadb02                         |
-+----+------+----+---------+------------+--------------+----------------------------------------------+
++----+------+--------+-----+------------+-------------------------------------------------------------+
 | pkg       | web01  | 'install nginx'  | install nginx package in web01 container                    |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | pkg       | ALL    | upgrade          | upgrade packages in ALL containers                          |
@@ -39,11 +39,11 @@ Examples: Containers
 | template  | ALL    | username/base    | apply `username/base` template to ALL containers            |
 +-----------+--------+------------------+-------------------------------------------------------------+
 | start     | web02  | ---              | start web02 container                                       |
-+-----------+--------+-----+------------+-------------------------------------------------------------+
-| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
 +----+------+----+---+------------------+--------------+----------------------------------------------+
+| cp | bastion03 | /tmp/resolv.conf-cf etc/resolv.conf | copy host-path to container-path in bastion03|
++----+------+----+---+---------------------------------+----------------------------------------------+
 | create    | folsom | 12.1-RELEASE 10.17.89.10        | create 12.1 container named `folsom` with IP |
-+-----------+--------+------------------+--------------+----------------------------------------------+
++-----------+--------+---------------------------------+----------------------------------------------+
 
 
 Examples: Releases
@@ -60,7 +60,7 @@ Examples: Releases
 +-----------+--------------+--------------+-------------------------------------------------------------+
 | update    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| upgrade   | 11.3-RELEASE | 11.4-RELEASE | update 11.4-RELEASE release                                 |
+| upgrade   | 11.3-RELEASE | 11.4-RELEASE | upgrade 11.3-RELEASE release to 11.4-RELEASE                |
 +-----------+--------------+--------------+-------------------------------------------------------------+
-| verify    | 11.4-RELEASE | ---          | update 11.4-RELEASE release                                 |
+| verify    | 11.4-RELEASE | ---          | verify 11.4-RELEASE release                                 |
 +-----------+--------------+--------------+-------------------------------------------------------------+

docs/conf.py

@@ -12,9 +12,9 @@ copyright = '2018-2022, Christer Edwards'
 author = 'Christer Edwards'
 
 # The short X.Y version
-version = '0.9.20220216'
+version = '0.9.20220714'
 # The full version, including alpha/beta/rc tags
-release = '0.9.20220216-beta'
+release = '0.9.20220714-beta'
 
 
 # -- General configuration ---------------------------------------------------

usr/local/bin/bastille

@@ -70,7 +70,7 @@ bastille_perms_check() {
 bastille_perms_check
 
 ## version
-BASTILLE_VERSION="0.9.20220216"
+BASTILLE_VERSION="0.9.20220714"
 
 usage() {
     cat << EOF

usr/local/share/bastille/bootstrap.sh

@@ -127,19 +127,29 @@ bootstrap_directories() {
         if [ "${bastille_zfs_enable}" = "YES" ]; then
             if [ -n "${bastille_zfs_zpool}" ]; then
                 zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache"
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+                if [ -z "${NOCACHEDIR}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
             fi
         else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
+            mkdir -p "${bastille_cachedir}"
+            # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+            if [ -z "${NOCACHEDIR}" ]; then
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
+            fi
         fi
     ## create subsequent cache/XX.X-RELEASE datasets
     elif [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
-        if [ "${bastille_zfs_enable}" = "YES" ]; then
-            if [ -n "${bastille_zfs_zpool}" ]; then
-                zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+        # Don't create unused/stale cache/RELEASE directory on Linux jails creation.
+        if [ -z "${NOCACHEDIR}" ]; then
+            if [ "${bastille_zfs_enable}" = "YES" ]; then
+                if [ -n "${bastille_zfs_zpool}" ]; then
+                    zfs create ${bastille_zfs_options} -o mountpoint="${bastille_cachedir}/${RELEASE}" "${bastille_zfs_zpool}/${bastille_zfs_prefix}/cache/${RELEASE}"
+                fi
+            else
+                mkdir -p "${bastille_cachedir}/${RELEASE}"
             fi
-        else
-            mkdir -p "${bastille_cachedir}/${RELEASE}"
         fi
     fi
 
@@ -305,6 +315,7 @@ bootstrap_release() {
 debootstrap_release() {
 
     # Make sure to check/bootstrap directories first.
+    NOCACHEDIR=1
     RELEASE="${DIR_BOOTSTRAP}"
     bootstrap_directories
 
@@ -445,6 +456,7 @@ else
     HW_MACHINE_ARCH_LINUX=${HW_MACHINE_ARCH}
 fi
 
+NOCACHEDIR=
 RELEASE="${1}"
 OPTION="${2}"
 

usr/local/share/bastille/cmd.sh

@@ -29,6 +29,7 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 . /usr/local/share/bastille/common.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
     error_exit "Usage: bastille cmd TARGET command"
@@ -51,12 +52,19 @@ RETURN=0
 for _jail in ${JAILS}; do
     COUNT=$(($COUNT+1))
     info "[${_jail}]:"
-    jexec -l -U root "${_jail}" "$@"
+
+    if grep -qw "linsysfs" "${bastille_jailsdir}/${TARGET}/fstab"; then
+        # Allow executing commands on Linux jails.
+        jexec -l -u root "${_jail}" "$@"
+    else
+        jexec -l -U root "${_jail}" "$@"
+    fi
+
     ERROR_CODE=$?
     info "[${_jail}]: ${ERROR_CODE}"
     
     if [ "$COUNT" -eq 1 ]; then
-        RETURN=$ERROR_CODE
+        RETURN=${ERROR_CODE}
     else 
         RETURN=$(($RETURN+$ERROR_CODE))
     fi
@@ -65,8 +73,8 @@ for _jail in ${JAILS}; do
 done
 
 # Check when a command is executed in all running jails. (bastille cmd ALL ...)
-if [ "$COUNT" -gt 1 ] && [ "$RETURN" -gt 0 ]; then
+if [ "${COUNT}" -gt 1 ] && [ "${RETURN}" -gt 0 ]; then
     RETURN=1
 fi
 
-return "$RETURN"
+return "${RETURN}"

usr/local/share/bastille/common.sh

@@ -74,9 +74,11 @@ generate_vnet_jail_netblock() {
         local num_range=$((list_jails_num + 1))
         for _num in $(seq 0 "${num_range}"); do
             if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then
-                local uniq_epair="bastille${_num}"
-                local uniq_epair_bridge="${_num}"
-                break
+                if ! grep -q "epair${_num}" "${bastille_jailsdir}"/*/jail.conf; then
+                    local uniq_epair="bastille${_num}"
+                    local uniq_epair_bridge="${_num}"
+                    break
+                fi
             fi
         done
     else

usr/local/share/bastille/create.sh

@@ -170,6 +170,7 @@ ${NAME} {
   mount.fstab = ${bastille_jail_fstab};
   path = ${bastille_jail_path};
   devfs_ruleset = 4;
+  enforce_statfs = 1;
 
   exec.start = '/bin/true';
   exec.stop = '/bin/true';

usr/local/share/bastille/rdr.sh

@@ -32,7 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port)]"
+    error_exit "Usage: bastille rdr TARGET [clear|list|(tcp|udp host_port jail_port [log ['(' logopts ')'] ] )]"
 }
 
 # Handle special-case commands first.
@@ -91,6 +91,16 @@ if ! grep -qs "$1 $2 $3" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
 fi
 }
 
+persist_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@;
+if ! grep -qs "$proto $host_port $jail_port $log" "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"; then
+    echo "$proto $host_port $jail_port $log" >> "${bastille_jailsdir}/${JAIL_NAME}/rdr.conf"
+fi
+}
+
+
 # function: load rdr rule via pfctl
 load_rdr_rule() {
 ( pfctl -a "rdr/${JAIL_NAME}" -Psn;
@@ -98,6 +108,16 @@ load_rdr_rule() {
       | pfctl -a "rdr/${JAIL_NAME}" -f-
 }
 
+# function: load rdr rule with log via pfctl
+load_rdr_log_rule() {
+proto=$1;host_port=$2;jail_port=$3;
+shift 3;
+log=$@
+( pfctl -a "rdr/${JAIL_NAME}" -Psn;
+  printf '%s\nrdr pass %s on $ext_if inet proto %s to port %s -> %s port %s\n' "$EXT_IF" "$log" "$proto" "$host_port" "$JAIL_IP" "$jail_port" ) \
+      | pfctl -a "rdr/${JAIL_NAME}" -f-
+}
+
 while [ $# -gt 0 ]; do
     case "$1" in
         list)
@@ -127,11 +147,44 @@ while [ $# -gt 0 ]; do
         tcp|udp)
             if [ $# -lt 3 ]; then
                 usage
+            elif [ $# -eq 3 ]; then
+                check_jail_validity
+                persist_rdr_rule $1 $2 $3
+                load_rdr_rule $1 $2 $3
+                shift 3
+            else
+                case "$4" in
+                    log)
+                        proto=$1
+                        host_port=$2
+                        jail_port=$3
+                        shift 3
+                        if [ $# -gt 3 ]; then
+                            for last in $@; do
+				true
+                            done
+                            if [ $2 == "(" ] && [ $last == ")" ] ; then
+                                check_jail_validity
+                                persist_rdr_log_rule $proto $host_port $jail_port $@
+                                load_rdr_log_rule $proto $host_port $jail_port $@
+                                shift $#
+                            else
+                                usage
+                            fi
+                        elif [ $# -eq 1 ]; then
+                            check_jail_validity
+                            persist_rdr_log_rule $proto $host_port $jail_port $@
+                            load_rdr_log_rule $proto $host_port $jail_port $@
+                            shift 1
+                        else
+                            usage
+                        fi
+                        ;;
+                    *)
+                        usage
+                        ;;
+                esac
             fi
-            check_jail_validity
-            persist_rdr_rule $1 $2 $3
-            load_rdr_rule $1 $2 $3
-            shift 3
             ;;
         *)
             usage

usr/local/share/bastille/stop.sh

@@ -49,12 +49,8 @@ fi
 for _jail in ${JAILS}; do
     ## test if running
     if [ "$(/usr/sbin/jls name | awk "/^${_jail}$/")" ]; then
-        ## remove ip4.addr from firewall table:jails
-        if [ -n "${bastille_network_loopback}" ]; then
-            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
-                pfctl -q -t jails -T delete "$(/usr/sbin/jls -j ${_jail} ip4.addr)"
-            fi
-        fi
+        ## Capture ip4.addr address while still running
+        _ip="$(/usr/sbin/jls -j ${_jail} ip4.addr)"
 
         # Check if pfctl is present
         if which -s pfctl; then
@@ -73,6 +69,13 @@ for _jail in ${JAILS}; do
         ## stop container
         info "[${_jail}]:"
         jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r "${_jail}"
+
+        ## remove (captured above) ip4.addr from firewall table:jails
+        if [ -n "${bastille_network_loopback}" -a ! -z "${_ip}" ]; then
+            if grep -qw "interface.*=.*${bastille_network_loopback}" "${bastille_jailsdir}/${_jail}/jail.conf"; then
+                pfctl -q -t jails -T delete "${_ip}"
+            fi
+        fi
     fi
     echo
 done

usr/local/share/bastille/template.sh

@@ -229,6 +229,7 @@ for _jail in ${JAILS}; do
     bastille_jail_path=$(/usr/sbin/jls -j "${_jail}" path)
     if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then
         _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null)
+        _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null)
         if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then
             error_notify "Jail IP not found: ${_jail}"
             _jail_ip='' # In case it was -. -- cwells
@@ -251,7 +252,7 @@ for _jail in ${JAILS}; do
 
     # Build a list of sed commands like this: -e 's/${username}/root/g' -e 's/${domain}/example.com/g'
     # Values provided by default (without being defined by the user) are listed here. -- cwells
-    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
+    ARG_REPLACEMENTS="-e 's/\${JAIL_IP}/${_jail_ip}/g' -e 's/\${JAIL_IP6}/${_jail_ip6}/g' -e 's/\${JAIL_NAME}/${_jail}/g'"
     # This is parsed outside the HOOKS loop so an ARG file can be used with a Bastillefile. -- cwells
     if [ -s "${bastille_template}/ARG" ]; then
         while read _line; do