From 6604b94b6e6d2caf5df58e9a0f9f5bd8e5402bae Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 21 Mar 2025 14:46:14 -0600 Subject: [PATCH 01/23] limits: Add clear and reset as commands --- usr/local/share/bastille/limits.sh | 64 +++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 19 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 2c794772..f626df15 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -35,8 +35,8 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille limits [option(s)] TARGET OPTION VALUE" - echo -e "Example: bastille limits JAILNAME memoryuse 1G" + error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset]" + echo -e "Example: bastille limits TARGET memoryuse 1G" cat << EOF Options: @@ -78,7 +78,7 @@ while [ "$#" -gt 0 ]; do esac done -if [ $# -ne 3 ]; then +if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then usage fi 
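Review bot: Relaxing the argument check to `-lt 2 || -gt 3` admits `bastille limits JAIL memoryuse` with no VALUE, and nothing after it rejects that: the catch-all branch of the `case` added in the next hunk builds `jail:JAIL:memoryuse:deny=/jail`, appends it to rctl.conf and then hands it to `rctl -a`. Only the word actions should be accepted with two arguments; once `OPTION`/`VALUE` are assigned add e.g. `if [ "${OPTION}" != "clear" ] && [ "${OPTION}" != "reset" ] && [ -z "${VALUE}" ]; then usage; fi`. The same gap survives the later ACTION rework (patches 11, 17, 21 and the final `@@ -85,7 +85,7 @@` hunk), where a bare `bastille limits JAIL memoryuse` becomes an implicit `add` with `$2` empty.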
@@ -103,23 +103,49 @@ for _jail in ${JAILS}; do error_notify "Jail is not running." error_continue "Use [-a|--auto] to auto-start the jail." fi + + case "${OPTION}" in + clear) + # Remove limits + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + while read _limits; do + rctl -r "${_limits}" + done < "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + ;; + reset) + # Remove limits and delete rctl.conf + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + while read _limits; do + rctl -r "${_limits}" + done < "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + rm -f "${bastille_jailsdir}/${_jail}/rctl.conf" + info "[${TARGET}]: rctl.conf removed." + else + error_continue "[${TARGET}]: rctl.conf not found." + fi + ;; + *) + # Add rctl rule to rctl.conf + _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" + _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" - _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" - _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" + # Check whether the entry already exists and, if so, update it. -- cwells + if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then + _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') + _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') + _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + else # Just append the entry. -- cwells + echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + fi - # Check whether the entry already exists and, if so, update it. 
-- cwells - if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then - _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') - _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') - _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" - else # Just append the entry. -- cwells - echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - fi - - echo -e "${OPTION} ${VALUE}" - rctl -a "${_rctl_rule}" "${_rctl_rule_log}" + echo -e "${OPTION} ${VALUE}" + rctl -a "${_rctl_rule}" "${_rctl_rule_log}" + ;; done From 2024482725364f3c8b6ca2c18bc5805d7a44e059 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 21 Mar 2025 14:47:18 -0600 Subject: [PATCH 02/23] stop: Use new limits clear command --- usr/local/share/bastille/stop.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/usr/local/share/bastille/stop.sh b/usr/local/share/bastille/stop.sh index 124cef24..21f9ab8e 100644 --- a/usr/local/share/bastille/stop.sh +++ b/usr/local/share/bastille/stop.sh @@ -105,9 +105,7 @@ for _jail in ${JAILS}; do # Remove rctl limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then - while read _limits; do - rctl -r "${_limits}" - done < "${bastille_jailsdir}/${_jail}/rctl.conf" + bastille limits "${_jail}" clear fi # Stop jail From 14fa1a1210b3ee910469c65162f8e5b445269649 Mon Sep 17 00:00:00 2001 
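Review bot: In the catch-all branch the rule is written to rctl.conf (appended, or substituted in with sed) before `rctl -a` is asked to apply it, so a rule rctl refuses — an unknown resource name, a bad value, or a mistyped action that lands in this branch — is persisted anyway and replayed by every later `clear` and by stop.sh. Apply first and persist only on success, e.g. `if ! rctl -a "${_rctl_rule}" "${_rctl_rule_log}"; then error_continue "[${_jail}]: Failed to apply ${_rctl_rule}"; fi` ahead of the grep/sed/echo block. Separately, `reset` tests the file with `-s` twice, so a zero-length rctl.conf is reported as "not found" and left in place; the removal test should be `[ -f ... ]`.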
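Review bot: The exit status of the `bastille limits "${_jail}" clear` child is not checked, so if limits.sh bails out before reaching `clear` — it calls error_exit when kern.racct.enable is not 1 — stop.sh carries on as though the rules were removed, whereas the replaced inline loop ran `rctl -r` unconditionally. Surface the failure, e.g. `bastille limits "${_jail}" clear || error_notify "[${_jail}]: Failed to clear RCTL limits."`. The surrounding `-s` test is now redundant with the same test inside `clear`, though harmless.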
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 21 Mar 2025 14:55:47 -0600 Subject: [PATCH 03/23] Update limits.sh --- usr/local/share/bastille/limits.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index f626df15..6ad853fb 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -147,5 +147,6 @@ for _jail in ${JAILS}; do echo -e "${OPTION} ${VALUE}" rctl -a "${_rctl_rule}" "${_rctl_rule_log}" ;; + esac done From b200f1bf5a47a8f191316a9f09e5dd2baefcd439 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 21 Mar 2025 15:09:42 -0600 Subject: [PATCH 04/23] docs: Update limits --- docs/chapters/subcommands/limits.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index 7aee8be4..b82d12c8 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst @@ -3,12 +3,16 @@ limits Set resourse limits for targeted jail(s). +To clear the limits from the system, use `bastille limits TARGET clear' + +To clear the limits, and remove the rctl.conf, use `bastille limits TARGET reset` + .. code-block:: shell ishmael ~ # bastille limits help - Usage: bastille limits [option(s)] TARGET OPTION VALUE" - Example: bastille limits JAILNAME memoryuse 1G" + Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset]" + Example: bastille limits TARGET memoryuse 1G" Options: From 70c79c8d624580d81ebf744e7b9023e32b474fee Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Fri, 21 Mar 2025 17:51:34 -0600 Subject: [PATCH 05/23] limits: Redirect errors --- usr/local/share/bastille/limits.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 6ad853fb..c9826c72 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -109,16 +109,18 @@ for _jail in ${JAILS}; do # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do - rctl -r "${_limits}" + rctl -r "${_limits}" 2 > /dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" + info "[${TARGET}]: RCTL limits cleared." fi - ;; + ;; reset) # Remove limits and delete rctl.conf if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do - rctl -r "${_limits}" + rctl -r "${_limits}" 2 > /dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" + info "[${TARGET}]: RCTL limits cleared." fi if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then rm -f "${bastille_jailsdir}/${_jail}/rctl.conf" From 5280daec7c833ce0bda27a6cffcee37e84c44555 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 09:18:10 -0600 Subject: [PATCH 06/23] limits: Fix redirect of errors --- usr/local/share/bastille/limits.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index c9826c72..28f1aa68 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -109,7 +109,7 @@ for _jail in ${JAILS}; do # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do - rctl -r "${_limits}" 2 > /dev/null + rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" info "[${TARGET}]: RCTL limits cleared." fi 
@@ -118,7 +118,7 @@ for _jail in ${JAILS}; do # Remove limits and delete rctl.conf if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do - rctl -r "${_limits}" 2 > /dev/null + rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" info "[${TARGET}]: RCTL limits cleared." fi From 9d235fa1a4e0a43f71ecc8842c2f762660ff744b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 18:44:21 -0600 Subject: [PATCH 07/23] limits: Add show and stats --- usr/local/share/bastille/limits.sh | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 28f1aa68..8b639aa8 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -35,7 +35,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset]" + error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|show|stats]" echo -e "Example: bastille limits TARGET memoryuse 1G" cat << EOF Options: @@ -114,6 +114,18 @@ for _jail in ${JAILS}; do info "[${TARGET}]: RCTL limits cleared." fi ;; + show) + # Show limits + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + rctl jail:${_jail} 2>/dev/null + fi + ;; + stats) + # Show statistics + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + rctl -hu jail:${_jail} 2>/dev/null + fi + ;; reset) # Remove limits and delete rctl.conf if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then From 97db520d65d8bf950e6ae08305b203afc308bc49 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 20:02:53 -0600 Subject: [PATCH 08/23] limits: Allow showing activee rules --- usr/local/share/bastille/limits.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 8b639aa8..8b853925 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -114,10 +114,14 @@ for _jail in ${JAILS}; do info "[${TARGET}]: RCTL limits cleared." fi ;; - show) + list|show) # Show limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then - rctl jail:${_jail} 2>/dev/null + if [ "${VALUE}" = "active" ]; then + rctl jail:${_jail} 2>/dev/null + else + cat "${bastille_jailsdir}/${_jail}/rctl.conf" + fi fi ;; stats) From deed49c4777e0166f607a15c10594a5be525345b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 20:05:25 -0600 Subject: [PATCH 09/23] Update limits.sh --- usr/local/share/bastille/limits.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 8b853925..2a9dff2f 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -35,7 +35,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|show|stats]" + error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|[list|show] (active)|stats]" echo -e "Example: bastille limits TARGET memoryuse 1G" cat << EOF Options: From 01af65787ad664d5cfbb715ffc45d2ee07bbd699 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 20:06:14 -0600 Subject: [PATCH 10/23] Update limits.rst --- docs/chapters/subcommands/limits.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index b82d12c8..e672eeef 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst 
@@ -11,7 +11,7 @@ To clear the limits, and remove the rctl.conf, use `bastille limits TARGET reset ishmael ~ # bastille limits help - Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset]" + Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|[list|show] (active)|stats] Example: bastille limits TARGET memoryuse 1G" Options: From bfcce7c65f13b348b9d3dea0d1e90592d5ba4098 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:32:39 -0600 Subject: [PATCH 11/23] limits: add action as the second arg --- usr/local/share/bastille/limits.sh | 47 ++++++++++++++++-------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 2a9dff2f..c851baf2 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -83,8 +83,9 @@ if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then fi TARGET="${1}" -OPTION="${2}" -VALUE="${3}" +ACTION="${2}" +shift 2 + RACCT_ENABLE="$(sysctl -n kern.racct.enable)" if [ "${RACCT_ENABLE}" != '1' ]; then error_exit "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" 
@@ -104,49 +105,51 @@ for _jail in ${JAILS}; do error_continue "Use [-a|--auto] to auto-start the jail." fi - case "${OPTION}" in + case "${ACTION}" in clear) - # Remove limits + # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${TARGET}]: RCTL limits cleared." + info "[${_jail}]: RCTL limits cleared." fi - ;; + ;; list|show) - # Show limits + # Show limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then - if [ "${VALUE}" = "active" ]; then + if [ "${1}" = "active" ]; then rctl jail:${_jail} 2>/dev/null else cat "${bastille_jailsdir}/${_jail}/rctl.conf" fi fi - ;; + ;; stats) - # Show statistics + # Show statistics if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then rctl -hu jail:${_jail} 2>/dev/null fi - ;; + ;; reset) - # Remove limits and delete rctl.conf - if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + # Remove limits and delete rctl.conf + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${TARGET}]: RCTL limits cleared." + info "[${TARGET}]: RCTL limits cleared." fi if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then rm -f "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${TARGET}]: rctl.conf removed." + info "[${TARGET}]: rctl.conf removed." else - error_continue "[${TARGET}]: rctl.conf not found." - fi - ;; - *) - # Add rctl rule to rctl.conf + error_continue "[${TARGET}]: rctl.conf not found." + fi + ;; + add) + OPTION="${1}" + VALUE="${2}" + # Add rctl rule to rctl.conf _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" 
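Review bot: The `reset` branch still prints `[${TARGET}]` in its three messages while the `clear` branch in the same hunk was switched to `[${_jail}]`; inside `for _jail in ${JAILS}` a target such as ALL labels every jail's message with the target string rather than the jail name. Change them to `info "[${_jail}]: RCTL limits cleared."`, `info "[${_jail}]: rctl.conf removed."` and `error_continue "[${_jail}]: rctl.conf not found."`. The `reset` branch also repeats the `clear` loop verbatim; a small `_clear_limits` function called from both would keep the two from drifting.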
@@ -155,7 +158,7 @@ for _jail in ${JAILS}; do _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" else # Just append the entry. -- cwells echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" @@ -164,7 +167,7 @@ for _jail in ${JAILS}; do echo -e "${OPTION} ${VALUE}" rctl -a "${_rctl_rule}" "${_rctl_rule_log}" - ;; + ;; esac done From 3b06106fc79fd27c0572051f0e932db0d615971a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:36:25 -0600 Subject: [PATCH 12/23] Update limits.sh --- usr/local/share/bastille/limits.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index c851baf2..5f7a4997 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -35,8 +35,8 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|[list|show] (active)|stats]" - echo -e "Example: bastille limits TARGET memoryuse 1G" + error_notify "Usage: bastille limits [option(s)] TARGET [add OPTION VALUE|clear|reset|[list|show] (active)|stats]" + echo -e "Example: bastille limits TARGET add memoryuse 1G" cat << EOF Options: From cabae336813b8898df6260668881059aff38c9e6 Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:50:31 -0600 Subject: [PATCH 13/23] limits: add remove sub --- usr/local/share/bastille/limits.sh | 57 ++++++++++++++++++------------ 1 file changed, 34 insertions(+), 23 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 5f7a4997..6091f2cf 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -35,7 +35,7 @@ . /usr/local/etc/bastille/bastille.conf usage() { - error_notify "Usage: bastille limits [option(s)] TARGET [add OPTION VALUE|clear|reset|[list|show] (active)|stats]" + error_notify "Usage: bastille limits [option(s)] TARGET [add OPTION VALUE|remove OPTION|clear|reset|[list|show] (active)|stats]" echo -e "Example: bastille limits TARGET add memoryuse 1G" cat << EOF Options: 
@@ -106,6 +106,39 @@ for _jail in ${JAILS}; do fi case "${ACTION}" in + add) + OPTION="${1}" + VALUE="${2}" + # Add rctl rule to rctl.conf + _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" + _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" + + # Check whether the entry already exists and, if so, update it. -- cwells + if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then + _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') + _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') + _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + else # Just append the entry. -- cwells + echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + + echo -e "${OPTION} ${VALUE}" + rctl -a "${_rctl_rule}" "${_rctl_rule_log}" + ;; + remove) + OPTION="${1}" + # Remove rule from rctl.conf + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then + rctl_rule="$(grep "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf")" + rctl_rule_log="$(grep "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf")" + rctl -r "${_rctl_rule}" "${_rctl_rule_log}" 2>/dev/null + sed -i '' "/.*${_jail}:${OPTION}.*/d" "${bastille_jailsdir}/${_jail}/rctl.conf" + fi + fi clear) # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then 
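Review bot: The sed that prunes the file in the new `remove)` branch, `sed -i '' "/.*${_jail}:${OPTION}.*/d"`, is looser than the grep that gates it: it is unanchored on the right, so `remove nsem` also deletes an `nsemop` rule (rctl resource names share prefixes), and `${OPTION}` is interpolated unescaped into a regex. Anchor it to the exact rule prefix: `sed -i '' "/^jail:${_jail}:${OPTION}:/d" "${bastille_jailsdir}/${_jail}/rctl.conf"`. The branch is also silent when no matching rule exists; an `else error_notify "[${_jail}]: No ${OPTION} limit found."` on the inner `if` would tell the operator nothing was changed.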
@@ -146,28 +179,6 @@ for _jail in ${JAILS}; do error_continue "[${TARGET}]: rctl.conf not found." fi ;; - add) - OPTION="${1}" - VALUE="${2}" - # Add rctl rule to rctl.conf - _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" - _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" - - # Check whether the entry already exists and, if so, update it. -- cwells - if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then - _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') - _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') - _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" - else # Just append the entry. -- cwells - echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - echo "${_rctl_rule_log}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" - fi - - echo -e "${OPTION} ${VALUE}" - rctl -a "${_rctl_rule}" "${_rctl_rule_log}" - ;; esac done From d0dd809893e759754b2a58175f638234a5a67fee Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:52:46 -0600 Subject: [PATCH 14/23] docs: Update limits for remove command --- docs/chapters/subcommands/limits.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index e672eeef..b2adc7e4 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst 
@@ -3,15 +3,19 @@ limits Set resourse limits for targeted jail(s). +To add a limit, use `bastille limits TARGET add OPTION VALUE` + To clear the limits from the system, use `bastille limits TARGET clear' To clear the limits, and remove the rctl.conf, use `bastille limits TARGET reset` +To remove a limit, use `bastille limits TARGET remove OPTION` + .. code-block:: shell ishmael ~ # bastille limits help - Usage: bastille limits [option(s)] TARGET [OPTION VALUE|clear|reset|[list|show] (active)|stats] + Usage: bastille limits [option(s)] TARGET [add OPTION VALUE|remove OPTION|clear|reset|[list|show] (active)|stats] Example: bastille limits TARGET memoryuse 1G" Options: From 7a28d90aaea0bb4a1389500a8d8cad2990ff5dfc Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:56:45 -0600 Subject: [PATCH 15/23] limits: Fix shellcheck --- usr/local/share/bastille/limits.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 6091f2cf..12fad594 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -139,6 +139,7 @@ for _jail in ${JAILS}; do sed -i '' "/.*${_jail}:${OPTION}.*/d" "${bastille_jailsdir}/${_jail}/rctl.conf" fi fi + ;; clear) # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then From 27beac434e22d87029826b6e1f3463edcee87873 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 22 Mar 2025 23:58:27 -0600 Subject: [PATCH 16/23] limits: Fix shellcheck again --- usr/local/share/bastille/limits.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 12fad594..a9d1d127 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh 
@@ -133,8 +133,8 @@ for _jail in ${JAILS}; do # Remove rule from rctl.conf if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then if grep -qs "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf"; then - rctl_rule="$(grep "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf")" - rctl_rule_log="$(grep "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf")" + _rctl_rule="$(grep "jail:${_jail}:${OPTION}:deny" "${bastille_jailsdir}/${_jail}/rctl.conf")" + _rctl_rule_log="$(grep "jail:${_jail}:${OPTION}:log" "${bastille_jailsdir}/${_jail}/rctl.conf")" rctl -r "${_rctl_rule}" "${_rctl_rule_log}" 2>/dev/null sed -i '' "/.*${_jail}:${OPTION}.*/d" "${bastille_jailsdir}/${_jail}/rctl.conf" fi From f5cdff4fc126e52ba629494c32bb0d4994fe032f Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 23 Mar 2025 06:00:09 -0600 Subject: [PATCH 17/23] limits: Retain support for no action (will default to add) --- usr/local/share/bastille/limits.sh | 38 +++++++++++++++++------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index a9d1d127..233d39c4 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -86,6 +86,11 @@ TARGET="${1}" ACTION="${2}" shift 2 +# Retain support for no action (will default to add) +if [ "${ACTION}" != "remove" ] && [ "${ACTION}" != "clear" ] && [ "${ACTION}" != "list" ] && [ "${ACTION}" != "show" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "stats" ]; then + ACTION="add" +fi + RACCT_ENABLE="$(sysctl -n kern.racct.enable)" if [ "${RACCT_ENABLE}" != '1' ]; then error_exit "Racct not enabled. Append 'kern.racct.enable=1' to /boot/loader.conf and reboot" 
@@ -109,7 +114,7 @@ for _jail in ${JAILS}; do add) OPTION="${1}" VALUE="${2}" - # Add rctl rule to rctl.conf + # Add rctl rule to rctl.conf _rctl_rule="jail:${_jail}:${OPTION}:deny=${VALUE}/jail" _rctl_rule_log="jail:${_jail}:${OPTION}:log=${VALUE}/jail" @@ -118,7 +123,7 @@ for _jail in ${JAILS}; do _escaped_option=$(echo "${OPTION}" | sed 's/\//\\\//g') _escaped_rctl_rule=$(echo "${_rctl_rule}" | sed 's/\//\\\//g') _escaped_rctl_rule_log=$(echo "${_rctl_rule_log}" | sed 's/\//\\\//g') - sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" + sed -i '' -E "s/jail:${_jail}:${_escaped_option}:deny.+/${_escaped_rctl_rule}/" "${bastille_jailsdir}/${_jail}/rctl.conf" sed -i '' -E "s/jail:${_jail}:${_escaped_option}:log.+/${_escaped_rctl_rule_log}/" "${bastille_jailsdir}/${_jail}/rctl.conf" else # Just append the entry. -- cwells echo "${_rctl_rule}" >> "${bastille_jailsdir}/${_jail}/rctl.conf" @@ -127,7 +132,7 @@ for _jail in ${JAILS}; do echo -e "${OPTION} ${VALUE}" rctl -a "${_rctl_rule}" "${_rctl_rule_log}" - ;; + ;; remove) OPTION="${1}" # Remove rule from rctl.conf @@ -141,16 +146,16 @@ for _jail in ${JAILS}; do fi ;; clear) - # Remove limits + # Remove limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${_jail}]: RCTL limits cleared." + info "[${_jail}]: RCTL limits cleared." fi ;; list|show) - # Show limits + # Show limits if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then if [ "${1}" = "active" ]; then rctl jail:${_jail} 2>/dev/null 
@@ -158,28 +163,27 @@ for _jail in ${JAILS}; do cat "${bastille_jailsdir}/${_jail}/rctl.conf" fi fi - ;; + ;; stats) - # Show statistics + # Show statistics if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then rctl -hu jail:${_jail} 2>/dev/null fi - ;; + ;; reset) - # Remove limits and delete rctl.conf - if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then + # Remove limits and delete rctl.conf + if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then while read _limits; do rctl -r "${_limits}" 2>/dev/null done < "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${TARGET}]: RCTL limits cleared." + info "[${TARGET}]: RCTL limits cleared." fi if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then rm -f "${bastille_jailsdir}/${_jail}/rctl.conf" - info "[${TARGET}]: rctl.conf removed." + info "[${TARGET}]: rctl.conf removed." else - error_continue "[${TARGET}]: rctl.conf not found." - fi - ;; + error_continue "[${TARGET}]: rctl.conf not found." + fi + ;; esac - done From 1fde6bfb2c70783abd626c578229ae663c366a2b Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 23 Mar 2025 06:01:09 -0600 Subject: [PATCH 18/23] docs: Limits > fix single quote --- docs/chapters/subcommands/limits.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index b2adc7e4..6dc25a41 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst @@ -5,7 +5,7 @@ Set resourse limits for targeted jail(s). To add a limit, use `bastille limits TARGET add OPTION VALUE` -To clear the limits from the system, use `bastille limits TARGET clear' +To clear the limits from the system, use `bastille limits TARGET clear` To clear the limits, and remove the rctl.conf, use `bastille limits TARGET reset` From 838ac60147d3fe568ea300795d35b9ad37bb093c Mon Sep 17 00:00:00 2001 
From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 23 Mar 2025 09:02:12 -0600 Subject: [PATCH 19/23] limits: Fix too few args --- usr/local/share/bastille/limits.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 233d39c4..a8f36b3d 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -78,7 +78,7 @@ while [ "$#" -gt 0 ]; do esac done -if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then +if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then usage fi From bb070517fc8b64ef1303bd806342fae8152036b9 Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sun, 23 Mar 2025 09:04:14 -0600 Subject: [PATCH 20/23] docs: Fix limits example --- docs/chapters/subcommands/limits.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/chapters/subcommands/limits.rst b/docs/chapters/subcommands/limits.rst index 6dc25a41..33f66d63 100644 --- a/docs/chapters/subcommands/limits.rst +++ b/docs/chapters/subcommands/limits.rst @@ -16,7 +16,7 @@ To remove a limit, use `bastille limits TARGET remove OPTION` ishmael ~ # bastille limits help Usage: bastille limits [option(s)] TARGET [add OPTION VALUE|remove OPTION|clear|reset|[list|show] (active)|stats] - Example: bastille limits TARGET memoryuse 1G" + Example: bastille limits TARGET add memoryuse 1G" Options: From b3ae55516823ccc3dde5e10232400333d9b28b9a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 29 Mar 2025 10:08:57 -0600 Subject: [PATCH 21/23] limits: Fix retain when not using add as action --- usr/local/share/bastille/limits.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index a8f36b3d..ecb4672d 100644 --- a/usr/local/share/bastille/limits.sh 
+++ b/usr/local/share/bastille/limits.sh @@ -83,12 +83,13 @@ if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then fi TARGET="${1}" -ACTION="${2}" -shift 2 - # Retain support for no action (will default to add) if [ "${ACTION}" != "remove" ] && [ "${ACTION}" != "clear" ] && [ "${ACTION}" != "list" ] && [ "${ACTION}" != "show" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "stats" ]; then ACTION="add" + shift 1 +else + ACTION="${2}" + shift 2 fi RACCT_ENABLE="$(sysctl -n kern.racct.enable)" From 683135b575dc1595a8182a510571187cbb11f88d Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 29 Mar 2025 18:21:27 -0600 Subject: [PATCH 22/23] limits: Fix action --- usr/local/share/bastille/limits.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index ecb4672d..0a268e75 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh @@ -83,6 +83,7 @@ if [ "$#" -lt 2 ] || [ "$#" -gt 4 ]; then fi TARGET="${1}" +ACTION="${2}" # Retain support for no action (will default to add) if [ "${ACTION}" != "remove" ] && [ "${ACTION}" != "clear" ] && [ "${ACTION}" != "list" ] && [ "${ACTION}" != "show" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "stats" ]; then ACTION="add" From 0d2c35d768279676a01bf2d1727a7861ec4e867a Mon Sep 17 00:00:00 2001 From: tschettervictor <85497460+tschettervictor@users.noreply.github.com> Date: Sat, 29 Mar 2025 18:23:51 -0600 Subject: [PATCH 23/23] limits: Fix action again --- usr/local/share/bastille/limits.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/local/share/bastille/limits.sh b/usr/local/share/bastille/limits.sh index 0a268e75..e8567916 100644 --- a/usr/local/share/bastille/limits.sh +++ b/usr/local/share/bastille/limits.sh 
@@ -85,7 +85,7 @@ fi
 TARGET="${1}"
 ACTION="${2}"
 # Retain support for no action (will default to add)
-if [ "${ACTION}" != "remove" ] && [ "${ACTION}" != "clear" ] && [ "${ACTION}" != "list" ] && [ "${ACTION}" != "show" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "stats" ]; then
+if [ "${ACTION}" != "add" ] && [ "${ACTION}" != "remove" ] && [ "${ACTION}" != "clear" ] && [ "${ACTION}" != "list" ] && [ "${ACTION}" != "show" ] && [ "${ACTION}" != "reset" ] && [ "${ACTION}" != "stats" ]; then
 ACTION="add"
 shift 1
 else
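Review bot: The list of recognised actions on the new `if` line is a second copy of the `case` labels further down, and any word not in it — including a mistyped action such as `bastille limits JAIL remov memoryuse` — is silently taken as a resource name for an implicit `add`, which writes `jail:JAIL:remov:deny=memoryuse/jail` into rctl.conf before `rctl -a` gets to reject it. A `case` on `${2}` keeps the list in one place, reads better than seven `&&`-chained tests, and is the natural spot to reject junk explicitly if that is preferred over the implicit add. The `else`/`fi` of this statement lie past the end of the hunk; the rewrite below replaces the whole if/else.
```shell
TARGET="${1}"
# Retain support for no action (will default to add)
case "${2}" in
    add|remove|clear|list|show|reset|stats)
        ACTION="${2}"
        shift 2
        ;;
    *)
        ACTION="add"
        shift 1
        ;;
esac
```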