- Correct typos (. vs _)
- Catch up with reality found in kern_jail.c:1.18
This commit is contained in:
parent
80941ee886
commit
00618f6a8c
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=29468
1 changed files with 21 additions and 6 deletions
|
@ -112,7 +112,7 @@ j.hostname = argv[2];</programlisting>
|
|||
<programlisting><filename>/usr/src/usr.sbin/jail/jail.c</filename>:
|
||||
struct in.addr in;
|
||||
...
|
||||
i = inet.aton(argv[3], <![CDATA[&in]]>);
|
||||
i = inet_aton(argv[3], <![CDATA[&in]]>);
|
||||
...
|
||||
j.ip_number = ntohl(in.s.addr);</programlisting>
|
||||
|
||||
|
@ -170,26 +170,41 @@ i = execv(argv[4], argv + 4);</programlisting>
|
|||
<programlisting><filename>/usr/src/sys/kern/kern_jail.c:</filename>
|
||||
|
||||
int jail_set_hostname_allowed = 1;
|
||||
SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_set_hostname_allowed, 0,
|
||||
"Processes in jail can set their hostnames");
|
||||
|
||||
int jail_socket_unixiproute_only = 1;
|
||||
SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_socket_unixiproute_only, 0,
|
||||
"Processes in jail are limited to creating &unix;/IPv4/route sockets only
|
||||
");
|
||||
|
||||
int jail_sysvipc_allowed = 0;
|
||||
SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_sysvipc_allowed, 0,
|
||||
"Processes in jail can use System V IPC primitives");</programlisting>
|
||||
"Processes in jail can use System V IPC primitives");
|
||||
|
||||
static int jail_enforce_statfs = 2;
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_enforce_statfs, 0,
|
||||
"Processes in jail cannot see all mounted file systems");
|
||||
|
||||
int jail_allow_raw_sockets = 0;
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_allow_raw_sockets, 0,
|
||||
"Prison root can create raw sockets");
|
||||
|
||||
int jail_chflags_allowed = 0;
|
||||
SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
|
||||
<![CDATA[&jail]]>_chflags_allowed, 0,
|
||||
"Processes in jail can alter system file flags");</programlisting>
|
||||
|
||||
<para>Each of these sysctls can be accessed by the user
|
||||
through the sysctl program. Throughout the kernel, these
|
||||
specific sysctls are recognized by their name. For example,
|
||||
the name of the first sysctl is
|
||||
<literal>jail.set.hostname.allowed</literal>.</para>
|
||||
<literal>security.jail.set_hostname_allowed</literal>.</para>
|
||||
</sect3>
|
||||
|
||||
<sect3>
|
||||
|
|