#!/bin/sh
#
# Copyright (c) 2018-2021, Christer Edwards <christer.edwards@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Shared helpers (error_exit, error_notify, info) and the bastille_* settings.
. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf

#######################################
# Print the usage line for `bastille start` and terminate the script.
# Globals:   none
# Arguments: none
# Outputs:   the usage text, via error_exit (common.sh)
# Returns:   does not return; error_exit ends the process
#######################################
usage() {
    error_exit 'Usage: bastille start TARGET'
}

# Handle special-case commands first.
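case "$1" in
help|-h|--help)
    usage
    ;;
esac

# Exactly one argument is accepted: a jail name or the literal ALL.
if [ $# -ne 1 ]; then
    usage
fi

TARGET="${1}"
shift

# Resolve TARGET to the list of jails to start.
# The name is handed to awk with -v and compared as a whole string; it is
# never interpolated into a regex, so a name carrying regex metacharacters
# (or a '/') cannot alter or break the match.
if [ "${TARGET}" = 'ALL' ]; then
    JAILS=$(bastille list jails)
else
    JAILS=$(bastille list jails | awk -v name="${TARGET}" '$0 == name')
    ## check if exist
    if [ ! -d "${bastille_jailsdir}/${TARGET}" ]; then
        error_exit "[${TARGET}]: Not found."
    fi
fi

for _jail in ${JAILS}; do
    ## test if running (exact match against the names reported by jls)
    if [ -n "$(/usr/sbin/jls name | awk -v name="${_jail}" '$0 == name')" ]; then
        error_notify "[${_jail}]: Already started."
    else
        # Verify that the configured interface exists. -- cwells
        if [ "$(bastille config "${_jail}" get vnet)" != 'enabled' ]; then
            _interface=$(bastille config "${_jail}" get interface)
            # Whole-line, fixed-string match of the interface name: -F stops
            # the name being read as a pattern, -x rules out prefix matches.
            if ! ifconfig -l | tr ' ' '\n' | grep -qxF -- "${_interface}"; then
                error_notify "Error: ${_interface} interface does not exist."
                continue
            fi
        fi

        ## warn if matching configured (but not online) ip4.addr, ignore if there's no ip4.addr entry
        # NOTE(review): with several ip4.addr lines this holds a newline-separated
        # list; the grep/pfctl handling of that case is not verified here.
        ip=$(grep 'ip4.addr' "${bastille_jailsdir}/${_jail}/jail.conf" | awk '{print $3}' | sed 's/\;//g')
        if [ -n "${ip}" ]; then
            # -F: the address is a literal, so '.' cannot match any character;
            # -w: whole word, so 10.0.0.1 does not match 10.0.0.10.
            if ifconfig | grep -qFw -- "${ip}"; then
                error_notify "Error: IP address (${ip}) already in use."
                continue
            fi
            ## add ip4.addr to firewall table:jails
            pfctl -q -t jails -T add "${ip}"
        fi

        ## start the container
        info "[${_jail}]:"
        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c "${_jail}"

        ## add rctl limits (-r keeps any backslash in the rule literal)
        if [ -s "${bastille_jailsdir}/${_jail}/rctl.conf" ]; then
            while read -r _limits; do
                rctl -a "${_limits}"
            done < "${bastille_jailsdir}/${_jail}/rctl.conf"
        fi

        ## add rdr rules
        if [ -s "${bastille_jailsdir}/${_jail}/rdr.conf" ]; then
            while read -r _rules; do
                # shellcheck disable=SC2086 -- each rdr.conf line is deliberately
                # word-split into the separate arguments of one rdr rule.
                bastille rdr "${_jail}" ${_rules}
            done < "${bastille_jailsdir}/${_jail}/rdr.conf"
        fi
    fi
    echo
done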