MFen 1.18 -> 1.19

Obtained from: The FreeBSD Simplified Chinese Project
svn path=/head/; revision=29633
2007-02-22 06:36:17 +00:00 · 2007-02-22 06:36:17 +00:00 · 52acdf7b7d · 2020-12-08 03:00:23 +00:00
commit 52acdf7b7d
parent d848230019
1 changed files with 24 additions and 7 deletions
--- a/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
+++ b/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
@ -2,7 +2,7 @@
     The FreeBSD Documentation Project
     The FreeBSD Simplified Chinese Project

-     Original Revision: 1.18
+     Original Revision: 1.19
     $FreeBSD$
 -->

@ -153,28 +153,45 @@ i = execv(argv[4], argv + 4);</programlisting>
        <programlisting><filename>/usr/src/sys/kern/kern_jail.c:</filename>

 int     jail_set_hostname_allowed = 1;
-SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
    <![CDATA[&jail]]>_set_hostname_allowed, 0,
    "Processes in jail can set their hostnames");
    /* Jail中的进程可设定自身的主机名 */

 int     jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
    <![CDATA[&jail]]>_socket_unixiproute_only, 0,
    "Processes in jail are limited to creating &unix;/IPv4/route sockets only
 ");
    /* Jail中的进程被限制只能建立UNIX套接字、IPv4套接字、路由套接字 */

 int     jail_sysvipc_allowed = 0;
-SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
    <![CDATA[&jail]]>_sysvipc_allowed, 0,
    "Processes in jail can use System V IPC primitives");
-	/* Jail中的进程可以使用System V进程间通讯原语 */</programlisting>
-    
+    /* Jail中的进程可以使用System V进程间通讯原语 */
+
+static int jail_enforce_statfs = 2;
+SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
+    <![CDATA[&jail]]>_enforce_statfs, 0,
+    "Processes in jail cannot see all mounted file systems");
+    /* jail 中的进程查看系统中挂接的文件系统时受到何种限制 */
+
+int    jail_allow_raw_sockets = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
+    <![CDATA[&jail]]>_allow_raw_sockets, 0,
+    "Prison root can create raw sockets");
+    /* jail 中的 root 用户是否可以创建 raw socket */
+
+int    jail_chflags_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
+    <![CDATA[&jail]]>_chflags_allowed, 0,
+    "Processes in jail can alter system file flags");
+    /* jail 中的进程是否可以修改系统级文件标记 */</programlisting>

        <para>这些sysctl项中的每一个都可以用命令sysctl访问。在整个内核中，
          这些sysctl项按名称标识。例如，上述第一个sysctl项的名字是
-          <literal>jail.set.hostname.allowed</literal>.</para>
+          <literal>security.jail.set_hostname_allowed</literal>。</para>
      </sect3>

      <sect3>