From 3e83d9fc416882c4fdae860e6a8ee629d6c7a060 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 09:34:42 -0600
Subject: [PATCH 1/8] limits: Allow adding without logging
---
 usr/local/share/bastille/limits.sh | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index 77255a05..e771e514 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -43,6 +43,7 @@ usage() {
 Options:
 -a | --auto Auto mode. Start/stop jail(s) if required.
+ -l | --log Enable logging tor specified rule (rctl only).
 -x | --debug Enable debug mode.
 EOF
@@ -51,6 +52,7 @@ EOF
 # Handle options.
 AUTO=0
+OPT_LOG=0
 while [ "$#" -gt 0 ]; do
 case "${1}" in
 -h|--help|help)
@@ -60,6 +62,10 @@ while [ "$#" -gt 0 ]; do
 AUTO=1
 shift
 ;;
+ -l|--log)
+ OPT_LOG=1
+ shift
+ ;;
 -x|--debug)
 enable_debug
 shift
@@ -68,6 +74,7 @@ while [ "$#" -gt 0 ]; do
 for _opt in $(echo ${1} | sed 's/-//g' | fold -w1); do
 case ${_opt} in
 a) AUTO=1 ;;
+ l) OPT_LOG=1 ;;
 x) enable_debug ;;
 *) error_exit "[ERROR]: Unknown Option: \"${1}\"" ;;
 esac
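Review bot: `OPT_LOG=0` is added in the second hunk without a comment, so the only description of what the flag changes is the usage line; a short comment next to the assignment, such as `OPT_LOG=0  # -l/--log: also persist and apply the rctl 'log' counterpart of the deny rule`, would make the option parser self-explanatory. The parser accepts `-l` for every option, including the cpuset ones the usage text says it does not cover, so it is presumably ignored there; if that is intended it is worth stating in the same comment, otherwise a warning when `-l` is combined with a non-rctl option would make the behaviour visible. The option loop's `while` begins in the second hunk and ends after the fourth.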
@@ -166,14 +173,21 @@ for _jail in ${JAILS}; do
 _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
 _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
 sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
- sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ fi
 else # Just append the entry. -- cwells
 echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
- echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+ fi
 fi
 echo -e "${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule}" "${_rctl_rule_log}"
+ rctl -a "${_rctl_rule}"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ rctl -a "${_rctl_rule_log}"
+ fi
 fi
 ;;
From cd1286478b057fcaa371b8169121f4541d483d3a Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 10:08:00 -0600
Subject: [PATCH 2/8] limits: restructure code
---
 usr/local/share/bastille/limits.sh | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index e771e514..90df5707 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
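Review bot: On the update path (the branch entered when `grep -qs ... :deny` matches) the `:log` line is now only rewritten when `-l` is given, so a log entry left by an earlier `-l` run stays in rctl.conf with the old value and stays loaded in the kernel, and the reverse case is worse: running with `-l` against a deny entry that has no log line makes the `sed ... :log.+` a no-op, so the log rule is applied with `rctl -a` but never persisted and is lost on the next reload. Keying the log line's update-or-append on its own `grep -qs "jail:${_jail}:${OPTION}:log"` rather than on the deny line fixes the second case; for the first, either drop the stale `:log` line (and the loaded rule) when `-l` is absent, or document that a rule's log setting is sticky. The same structure is carried forward by the rctl hunks of patches 2, 3, 6 and 8. The enclosing `if`/`case` arm starts before this hunk.
```shell
# … unchanged: deny-rule update/append, echo, rctl -a "${_rctl_rule}" …
if [ "${OPT_LOG}" -eq 1 ]; then
    _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
    _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
    # Key on the log line itself, not the deny line, so a rule first added without -l still gets one.
    if grep -qs "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
        sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
    else
        echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
    fi
    rctl -a "${_rctl_rule_log}"
fi
```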
@@ -165,30 +165,29 @@ for _jail in ${JAILS}; do
 else # Add rctl rule to rctl.conf
 _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
- _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
-
+ _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
 # Check whether the entry already exists and, if so, update it. -- cwells
 if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
 _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
 _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
- _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
 sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
- if [ "${OPT_LOG}" -eq 1 ]; then
- sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
- fi
 else # Just append the entry. -- cwells
 echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
- if [ "${OPT_LOG}" -eq 1 ]; then
- echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
- fi
+ echo -e "${OPTION} ${VALUE}"
+ rctl -a "${_rctl_rule}"
 fi
- echo -e "${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule}"
 if [ "${OPT_LOG}" -eq 1 ]; then
+ if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
+ _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
+ _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ else # Just append the entry. -- cwells
+ echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
+ fi
+ echo -e "[LOGGING]: ${OPTION} ${VALUE}"
 rctl -a "${_rctl_rule_log}"
 fi
- fi
 ;;
 remove)
@@ -231,7 +230,7 @@ for _jail in ${JAILS}; do
 done < "${bastille_jailsdir}/${_jail}/rctl.conf"
 echo "RCTL limits cleared."
 fi
- ;;
+ ;;
 list|show)
From ec53d97818605f32054df90f425ae07d4ee4ceca Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 10:16:14 -0600
Subject: [PATCH 3/8] Update limits.sh
---
 usr/local/share/bastille/limits.sh | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index 90df5707..70b317dd 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -165,29 +165,32 @@ for _jail in ${JAILS}; do
 else # Add rctl rule to rctl.conf
 _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail"
- _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
+ _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail"
 # Check whether the entry already exists and, if so, update it. -- cwells
 if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
 _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
 _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g')
+ _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
 sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
+ fi
 else # Just append the entry. -- cwells
 echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
- echo -e "${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule}"
- fi
-
- if [ "${OPT_LOG}" -eq 1 ]; then
- if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then
- _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g')
- _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g')
- sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf"
- else # Just append the entry. -- cwells
+ if [ "${OPT_LOG}" -eq 1 ]; then
 echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
 fi
- echo -e "[LOGGING]: ${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule_log}"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ echo -e "[LOGGING]: ${OPTION} ${VALUE}"
+ else
+ echo -e "${OPTION} ${VALUE}"
+ fi
+ rctl -a "${_rctl_rule}"
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ rctl -a "${_rctl_rule_log}"
+ fi
 fi
+ fi
 ;;
 remove)
From 2beef764413815c656c85e5ad19286631889a716 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 10:19:16 -0600
Subject: [PATCH 4/8] Update limits.rst
---
 docs/chapters/subcommands/limits.rst | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst
index d24c60e6..d0d255aa 100644
--- a/docs/chapters/subcommands/limits.rst
+++ b/docs/chapters/subcommands/limits.rst
@@ -50,4 +50,5 @@ This file can be edited manually using ``bastille edit TARGET cpuset.conf``.
 Options:
 -a | --auto Auto mode. Start/stop jail(s) if required.
+ -l | --log Enable logging for the specified rule (rctl only).
 -x | --debug Enable debug mode.
\ No newline at end of file
From 4c30134c5107dca159bc18411f48cf40f36844c3 Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 10:19:48 -0600
Subject: [PATCH 5/8] Update limits.sh
---
 usr/local/share/bastille/limits.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index 70b317dd..ba92ad8e 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -43,7 +43,7 @@ usage() {
 Options:
 -a | --auto Auto mode. Start/stop jail(s) if required.
- -l | --log Enable logging tor specified rule (rctl only).
+ -l | --log Enable logging for the specified rule (rctl only).
 -x | --debug Enable debug mode.
 EOF
From 8e12d1c714c4eb8539f44d41ffa656d1027dafcb Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 10:56:11 -0600
Subject: [PATCH 6/8] Update limits.sh
---
 usr/local/share/bastille/limits.sh | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index ba92ad8e..ada5a937 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -180,15 +180,13 @@ for _jail in ${JAILS}; do
 if [ "${OPT_LOG}" -eq 1 ]; then
 echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf"
 fi
- if [ "${OPT_LOG}" -eq 1 ]; then
- echo -e "[LOGGING]: ${OPTION} ${VALUE}"
- else
- echo -e "${OPTION} ${VALUE}"
- fi
+ fi
+ if [ "${OPT_LOG}" -eq 1 ]; then
+ echo -e "[LOGGING]: ${OPTION} ${VALUE}"
+ rctl -a "${_rctl_rule} ${_rctl_rule_log"
+ else
+ echo -e "${OPTION} ${VALUE}"
 rctl -a "${_rctl_rule}"
- if [ "${OPT_LOG}" -eq 1 ]; then
- rctl -a "${_rctl_rule_log}"
- fi
 fi
 fi
 ;;
From 8c968b42c365cf624ccdda1ad2230c1f1a3504eb Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 11:06:09 -0600
Subject: [PATCH 7/8] Fix brace
---
 usr/local/share/bastille/limits.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index ada5a937..74b9c63d 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -183,7 +183,7 @@ for _jail in ${JAILS}; do
 fi
 if [ "${OPT_LOG}" -eq 1 ]; then
 echo -e "[LOGGING]: ${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule} ${_rctl_rule_log"
+ rctl -a "${_rctl_rule} ${_rctl_rule_log}"
 else
 echo -e "${OPTION} ${VALUE}"
 rctl -a "${_rctl_rule}"
From f07488ee5d3aa3f7c1e35f6ae48a41dea21a26fc Mon Sep 17 00:00:00 2001
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com>
Date: Tue, 3 Jun 2025 11:08:41 -0600
Subject: [PATCH 8/8] Update limits.sh
---
 usr/local/share/bastille/limits.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh
index 74b9c63d..472f3ef6 100644
--- a/usr/local/share/bastille/limits.sh
+++ b/usr/local/share/bastille/limits.sh
@@ -130,7 +130,7 @@ add_cpuset() {
 # Persist cpuset value
 echo "${_cpuset_rule}" >> "${bastille_jailsdir}/${_jail}/cpuset.conf"
- echo -e "Limits: ${OPTION} ${VALUE}"
+ echo -e "[CPU LIMITS]: ${OPTION} ${VALUE}"
 # Restart jail to apply cpuset
 bastille restart ${_jail}
@@ -183,7 +183,7 @@ for _jail in ${JAILS}; do
 fi
 if [ "${OPT_LOG}" -eq 1 ]; then
 echo -e "[LOGGING]: ${OPTION} ${VALUE}"
- rctl -a "${_rctl_rule} ${_rctl_rule_log}"
+ rctl -a "${_rctl_rule}" "${_rctl_rule_log}"
 else
 echo -e "${OPTION} ${VALUE}"
 rctl -a "${_rctl_rule}"
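Review bot: `echo -e "[CPU LIMITS]: ${OPTION} ${VALUE}"` expands the user-supplied `OPTION` and `VALUE` inside a string that `-e` then scans for backslash escapes, and `echo -e` itself is not specified by POSIX, so the same line is safer and more portable as `printf '[CPU LIMITS]: %s %s\n' "${OPTION}" "${VALUE}"`. The `[LOGGING]:` and plain `echo -e` lines in the second hunk have the same shape and would benefit from the same change. add_cpuset starts before this hunk and continues after it.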
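Review bot: The exit status of `rctl -a "${_rctl_rule}" "${_rctl_rule_log}"` is not checked, so a rule the kernel rejects has already been written to rctl.conf a few lines above and the command still reports success; `rctl -a "${_rctl_rule}" "${_rctl_rule_log}" || error_exit "[ERROR]: Failed to apply rctl rule for ${_jail}"` (or a per-jail warning, if the loop over JAILS should keep going) would surface the failure, and the single-rule call in the `else` branch needs the same treatment. Since this series alternates between passing both rules to one `rctl -a` invocation and one rule per call, it is also worth confirming against rctl(8) that a single invocation applies both arguments; if it does not, the log rule needs its own call as in patch 1. The enclosing `if`/`case` arm starts before this hunk.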