authorrwatson <rwatson@FreeBSD.org>2004-02-14 19:19:47 +0000
committerrwatson <rwatson@FreeBSD.org>2004-02-14 19:19:47 +0000
commitee9218912a48e9a9e8b8921374ee1b4ec5e89573 (patch)
treea7461dc03e55c9a4e92bbf23a9a520c25f011f00 /sys/kern
parentc7301501a540e75d02c61e392e3c079e8b8de06c (diff)
By default, don't allow processes in a jail to list the set of
jails in the system. Previous behavior (allowed) may be restored by setting security.jail.list_allowed=1.
Diffstat (limited to 'sys/kern')
-rw-r--r--sys/kern/kern_jail.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 94ac0aa..b867935 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -59,6 +59,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, getfsstate_getfsstatroot_only, CTLFLAG_RW,
&jail_getfsstatroot_only, 0,
"Processes see only their root file system in getfsstat()");
+int jail_list_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, list_allowed, CTLFLAG_RW,
+ &jail_list_allowed, 0,
+ "Processes in jail can access system jail list");
+
/* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
struct prisonlist allprison;
struct mtx allprison_mtx;
@@ -446,6 +451,8 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
int count, error;
mtx_assert(&Giant, MA_OWNED);
+ if (jailed(req->td->td_ucred) && !jail_list_allowed)
+ return (0);
retry:
mtx_lock(&allprison_mtx);
count = prisoncount;
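Review bot: The added guard returns 0 without writing any data, so a jailed process receives an empty jail list that is indistinguishable from a system with no jails, rather than a denial it could report. If that is deliberate (so that jls(8) inside a jail prints nothing instead of failing), a one-line comment above the check such as `/* Jailed processes get an empty list unless security.jail.list_allowed is set. */` would record the intent; otherwise `return (EPERM);` makes the denial visible to the caller. Placing the check before allprison_mtx is taken is fine, since it reads only the credential and the sysctl flag. sysctl_jail_list's body starts and continues outside the hunk.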