author | cperciva <cperciva@FreeBSD.org> | 2005-02-08 21:31:11 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2005-02-08 21:31:11 +0000 |
commit | 30beb7d8e4b1fdb77e1c6f609b79c8d9d2e387cf | |
tree | 0024f1770569c434b08f85294b067e0e7ad79755 /sys/kern | |
parent | e64e9f38d4432ab314933f6b9faf86fa3c0c778f | |

Add a new sysctl, "security.jail.chflags_allowed", which controls the
behaviour of chflags within a jail. If set to 0 (the default), then a
jailed root user is treated as an unprivileged user; if set to 1, then
a jailed root user is treated the same as an unjailed root user.

This is necessary to allow "make installworld" to work inside a jail,
since it attempts to manipulate the system immutable flag on certain
files.

Discussed with: csjp, rwatson
MFC after: 2 weeks

Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_jail.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 7a8442e..28120fd 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -67,6 +67,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, &jail_allow_raw_sockets, 0, "Prison root can create raw sockets"); +int jail_chflags_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, + &jail_chflags_allowed, 0, + "Processes in jail can alter system file flags"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; |
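
Review bot: the description string on the new SYSCTL_INT, "Processes in jail can alter system file flags", is broader than the behaviour the commit message gives, which only changes how a jailed root user is treated by chflags. The allow_raw_sockets entry just above says "Prison root can create raw sockets"; wording this one as "Prison root can alter system file flags" would keep the two consistent and make clear that unprivileged jailed processes gain nothing. A short comment above `int jail_chflags_allowed = 0;` would also help: it is a single global int, so it applies to every jail on the host rather than to one jail, and with CTLFLAG_RW it can be changed at runtime. Setting it to 1 lets jailed root manipulate the system immutable flag, which is the stated installworld use case but also removes that flag as a protection against a jail's root, so the comment should say the default of 0 is the restrictive setting. The code that reads jail_chflags_allowed is not in this sys/kern view, so the check itself cannot be reviewed from this hunk.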