author | rwatson <rwatson@FreeBSD.org> | 2000-10-31 01:34:00 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2000-10-31 01:34:00 +0000 |
commit | e1bb04b4d38e6ec7620efea36cb2e8a7c68390a3 (patch) | |
tree | 997462626f7687a9313713167612f39d8dec1084 /sys/kern/kern_jail.c | |
parent | 44bd1e3405849fed4c24b6701de82eb9d1a5906f (diff) | |
o Deny access to System V IPC from within jail by default, as in the
current implementation, jail neither virtualizes the Sys V IPC namespace,
nor provides inter-jail protections on IPC objects.
o Support for System V IPC can be enabled by setting jail.sysvipc_allowed=1
using sysctl.
o This is not the "real fix" which involves virtualizing the System V
IPC namespace, but prevents processes within jail from influencing those
outside of jail when not approved by the administrator.
Reported by: Paulo Fragoso <paulo@nlink.com.br>
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r-- | sys/kern/kern_jail.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index af18a5e..d180f3c 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -39,6 +39,11 @@ SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, &jail_socket_unixiproute_only, 0, "Processes in jail are limited to creating UNIX/IPv4/route sockets only"); +int jail_sysvipc_allowed = 0; +SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, + &jail_sysvipc_allowed, 0, + "Processes in jail can use System V IPC primitives"); + int jail(p, uap) struct proc *p; |
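Review bot: The new `jail_sysvipc_allowed` declaration has no comment, and its sysctl description ("Processes in jail can use System V IPC primitives") omits the caveat the commit message gives: the System V IPC namespace is not virtualized and there are no inter-jail protections on IPC objects. Suggest a short comment above `int jail_sysvipc_allowed = 0;` stating that setting it to 1 lets jailed processes reach IPC objects outside their jail, and that the knob is global and so applies to every jail at once, not per jail. The sysctl is `CTLFLAG_RW`, so it is also worth documenting what is expected of IPC objects that jailed processes already hold if the value is set back to 0 at runtime. Since the diff shown is limited to sys/kern/kern_jail.c, the code that tests the variable and its extern declaration are not visible here; please confirm in review that each of the message queue, semaphore and shared memory entry points checks it for jailed processes.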