+++ /dev/null
-#! /bin/bash
-# $Id: chcontext 2599 2007-08-26 21:30:50Z dhozac $
-
-# Copyright (C) 2004 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-: ${UTIL_VSERVER_VARS:=/usr/lib/util-vserver/util-vserver-vars}
-test -e "$UTIL_VSERVER_VARS" || {
- echo $"Can not find util-vserver installation (the file '$UTIL_VSERVER_VARS' would be expected); aborting..." >&2
- exit 1
-}
-. "$UTIL_VSERVER_VARS"
-. "$_LIB_FUNCTIONS"
-
-function showHelp()
-{
- echo \
-$"Usage: $1 [--cap [!]<cap_name>] [--secure] [--xid <num>] [--disconnect]
- [--domainname <name>] [--hostname <name>] [--flag <flags>+]
- [--silent] [--] command arguments ...
-
-chcontext allocate a new security context and executes
-a command in that context.
-By default, a new/unused context is allocated
-
---cap CAP_NAME
- Add a capability from the command. This option may be
- repeated several time.
- See /usr/include/linux/capability.h
- In general, this option is used with the --secure option
- --secure removes most critical capabilities and --cap
- adds specific ones.
-
---cap !CAP_NAME
- Remove a capability from the command. This option may be
- repeated several time.
- See /usr/include/linux/capability.h
-
---xid num
- Select the context. On root in context 0 is allowed to
- select a specific context.
- Context number 1 is special. It can see all processes
- in any contexts, but can't kill them though.
- Option --xid may be repeated several times to specify up to 16 contexts.
---disconnect
- Start the command in background and make the process
- a child of process 1.
---domainname new_domainname
- Set the domainname (NIS) in the new security context.
- Use "none" to unset the domain name.
---flag
- Set one flag in the new or current security context. The following
- flags are supported. The option may be used several time.
-
- fakeinit: The new process will believe it is process number 1.
- Useful to run a real /sbin/init in a vserver.
- lock: The new process is trapped and can't use chcontext anymore.
- sched: The new process and its children will share a common
- execution priority.
- nproc: Limit the number of process in the vserver according to
- ulimit setting. Normally, ulimit is a per user thing.
- With this flag, it becomes a per vserver thing.
- private: No one can join this security context once created.
- ulimit: Apply the current ulimit to the whole context
---hostname new_hostname
- Set the hostname in the new security context
- This is need because if you create a less privileged
- security context, it may be unable to change its hostname
---secure
- Remove all the capabilities to make a virtual server trustable
---silent
- Do not print the allocated context number.
-
-Report bugs to <$PACKAGE_BUGREPORT>."
- exit $2
-}
-
-function showVersion()
-{
- echo \
-$"chcontext $PACKAGE_VERSION -- allocates/enters a security context
-This program is part of $PACKAGE_STRING
-
-Copyright (C) 2004 Enrico Scholz
-This program is free software; you may redistribute it under the terms of
-the GNU General Public License. This program has absolutely no warranty."
- exit $1
-}
-
-$_VSERVER_INFO - FEATURE migrate || exec $_CHCONTEXT_COMPAT "$@"
-
-tmp=$(getopt -o + --long cap:,ctx:,xid:,disconnect,domainname:,flag:,hostname:,secure,silent,help,version -n "$0" -- "$@") || exit 1
-eval set -- "$tmp"
-
-OPT_CAPS=()
-OPT_CTX=
-OPT_DISCONNECT=
-OPT_FLAGS=()
-OPT_SECURE=
-OPT_SILENT=
-OPT_INITPID=
-
-while true; do
- case "$1" in
- --help) showHelp $0 0;;
- --version) showVersion 0;;
- --cap) OPT_CAPS=( "${OPT_CAPS[@]}" "$2" ); shift;;
- --ctx|--xid) OPT_CTX=$2; shift;;
- --disconnect) OPT_DISCONNECT=1;;
- --domainname) OPT_DOMAINNAME=$2; shift;;
- --hostname) OPT_HOSTNAME=$2; shift;;
- --flag)
- test "$2" != "fakeinit" || OPT_INITPID=--initpid
- OPT_FLAGS=( "${OPT_FLAGS[@]}" "$2" )
- shift
- ;;
- --secure) OPT_SECURE=1;;
- --silent) OPT_SILENT=1;;
- --) shift; break;;
- *) echo $"chcontext: internal error; arg=='$1'" >&2; exit 1;;
- esac
- shift
-done
-
-create_cmd=( ${OPT_CTX:+$_VTAG --create --tag "$OPT_CTX" --silentexist --silent --}
- $_VCONTEXT --create --silentexist
- ${OPT_SILENT:+--silent}
- ${OPT_CTX:+--xid "$OPT_CTX"} )
-
-chain_cmd=()
-
-old_IFS=$IFS
-IFS=,$IFS
-
-test -z "$OPT_DOMAINNAME$OPT_HOSTNAME" || \
- chain_cmd=( "${chain_cmd[@]}"
- --
- $_VUNAME --set --xid self
- ${OPT_DOMAINNAME:+-t domainname="$OPT_DOMAINNAME"}
- ${OPT_HOSTNAME:+ -t nodename="$OPT_HOSTNAME"} )
-
-chain_cmd=( "${chain_cmd[@]}"
- --
- $_VATTRIBUTE --set
- ${OPT_SECURE:+--secure}
- ${OPT_CAPS:+--bcap "${OPT_CAPS[*]}"}
- ${OPT_FLAGS:+--flag "${OPT_FLAGS[*]}"} )
-
-migrate_cmd=( $_VCONTEXT
- ${OPT_SILENT:+--silent}
- ${OPT_DISCONNECT:+--disconnect}
- $OPT_INITPID )
-
-IFS=$old_IFS
-
-if test -z "$OPT_CTX" || $_VSERVER_INFO -q "$OPT_CTX" XIDTYPE static; then
- "${create_cmd[@]}" "${chain_cmd[@]}" -- \
- "${migrate_cmd[@]}" --endsetup --migrate-self -- "$@"
- rc=$?
-else
- rc=254
-fi
-
-test "$rc" -ne 254 || exec "$_VTAG" --migrate --tag "$OPT_CTX" --silent -- \
- "${migrate_cmd[@]}" --xid "$OPT_CTX" --migrate -- "$@"
-exit $rc