authorrwatson <rwatson@FreeBSD.org>2000-10-31 01:34:00 +0000
committerrwatson <rwatson@FreeBSD.org>2000-10-31 01:34:00 +0000
commite1bb04b4d38e6ec7620efea36cb2e8a7c68390a3 (patch)
tree997462626f7687a9313713167612f39d8dec1084 /sys/kern/kern_jail.c
parent44bd1e3405849fed4c24b6701de82eb9d1a5906f (diff)
o Deny access to System V IPC from within jail by default, as in the
  current implementation, jail neither virtualizes the Sys V IPC
  namespace, nor provides inter-jail protections on IPC objects.
o Support for System V IPC can be enabled by setting
  jail.sysvipc_allowed=1 using sysctl.
o This is not the "real fix" which involves virtualizing the System V
  IPC namespace, but prevents processes within jail from influencing
  those outside of jail when not approved by the administrator.

Reported by: Paulo Fragoso <paulo@nlink.com.br>
Diffstat (limited to 'sys/kern/kern_jail.c')
-rw-r--r--sys/kern/kern_jail.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index af18a5e..d180f3c 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -39,6 +39,11 @@ SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
&jail_socket_unixiproute_only, 0,
"Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+int jail_sysvipc_allowed = 0;
+SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+ &jail_sysvipc_allowed, 0,
+ "Processes in jail can use System V IPC primitives");
+
int
jail(p, uap)
struct proc *p;
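Review bot: The added `jail_sysvipc_allowed` definition is a single system-wide switch, but neither a comment nor the sysctl description says that setting it to 1 gives every jail access to the host's unvirtualized System V IPC namespace, which the commit message itself describes as having no inter-jail protection. I would add a comment above the definition such as `/* Global, not per-jail: non-zero lets all jails use the host's shared SysV IPC namespace; there is no inter-jail isolation. */` and extend the description string to `"Processes in jail can use System V IPC primitives (namespace shared with host and other jails)"`. The checks that consult this variable are not part of this file's diff, so it is worth confirming that every msg/sem/shm entry point tests it, and that the OID stays read-only from inside a jail. The trailing context is the start of jail(), whose body continues outside the hunk.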