author | rwatson <rwatson@FreeBSD.org> | 2004-02-14 19:19:47 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2004-02-14 19:19:47 +0000 |
commit | ee9218912a48e9a9e8b8921374ee1b4ec5e89573 (patch) | |
tree | a7461dc03e55c9a4e92bbf23a9a520c25f011f00 /sys/kern | |
parent | c7301501a540e75d02c61e392e3c079e8b8de06c (diff) | |
download | FreeBSD-src-ee9218912a48e9a9e8b8921374ee1b4ec5e89573.zip FreeBSD-src-ee9218912a48e9a9e8b8921374ee1b4ec5e89573.tar.gz |
By default, don't allow processes in a jail to list the set of
jails in the system. Previous behavior (allowed) may be restored
by setting security.jail.list_allowed=1.
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_jail.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 94ac0aa..b867935 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -59,6 +59,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, getfsstate_getfsstatroot_only, CTLFLAG_RW,
 &jail_getfsstatroot_only, 0,
 "Processes see only their root file system in getfsstat()");
 
+int jail_list_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, list_allowed, CTLFLAG_RW,
+ &jail_list_allowed, 0,
+ "Processes in jail can access system jail list");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
 struct prisonlist allprison;
 struct mtx allprison_mtx;
@@ -446,6 +451,8 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 int count, error;
 
 mtx_assert(&Giant, MA_OWNED);
+ if (jailed(req->td->td_ucred) && !jail_list_allowed)
+ return (0);
retry:
 mtx_lock(&allprison_mtx);
 count = prisoncount;
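Review bot: The new guard in sysctl_jail_list returns 0 without writing anything to the request, so a jailed caller sees success with an empty result and cannot distinguish "listing denied" from "no jails exist"; if that silent-empty behaviour is deliberate (it avoids leaking the fact that jails are present, and keeps existing callers from failing), it deserves a comment on the check, e.g. `/* Jailed processes get an empty list, not an error, unless list_allowed is set. */`. Whether this fails closed also rests on a jailed root being unable to flip security.jail.list_allowed; the first hunk declares the knob with CTLFLAG_RW and no CTLFLAG_PRISON, which presumably makes writes from inside a jail refused, but that enforcement lives outside this diff and is worth confirming rather than assuming. The body of sysctl_jail_list continues past the end of the second hunk.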