Document security.jail.getfsstatroot_only sysctl.

Obtained from: rwatson's commit log Approved by: rwatson
author: pjd <pjd@FreeBSD.org> 2004-05-20 05:30:16 +0000
committer: pjd <pjd@FreeBSD.org> 2004-05-20 05:30:16 +0000
commit: 8b1807b878e1530fdd59b4ba5961a54e19a351bf (patch)
tree: dd9efd019d8d1535ad16573a58386428fe0de3df /usr.sbin/jail
parent: 7cbfe4913ba5f2332292765d3ec72ce075341c5c (diff)
download: FreeBSD-src-8b1807b878e1530fdd59b4ba5961a54e19a351bf.zip
FreeBSD-src-8b1807b878e1530fdd59b4ba5961a54e19a351bf.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 9ed0d95..96d99ae 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -416,6 +416,20 @@ with the IP address bound to the jail, regardless of whether or not
 the
 .Dv IP_HDRINCL
 flag has been set on the socket.
+.It Va security.jail.getfsstatroot_only
+This MIB entry determines whether or not processes within a jail is able
+to see data for all mountpoints.
+When set to 1 (default),
+.Xr getfsstat 2
+system call only return (while called by jailed processes) the data for
+the file system on which jail's root vnode is located.
+Note: this also has the effect of hiding other mounts inside a jail,
+such as
+.Pa /dev ,
+.Pa /tmp ,
+and
+.Pa /proc ,
+but errs on the side of leaking less information.
 .It Va security.jail.set_hostname_allowed
 This MIB entry determines whether or not processes within a jail are
 allowed to change their hostname via
author	pjd <pjd@FreeBSD.org>	2004-05-20 05:30:16 +0000
committer	pjd <pjd@FreeBSD.org>	2004-05-20 05:30:16 +0000
commit	8b1807b878e1530fdd59b4ba5961a54e19a351bf (patch)
tree	dd9efd019d8d1535ad16573a58386428fe0de3df /usr.sbin/jail
parent	7cbfe4913ba5f2332292765d3ec72ce075341c5c (diff)
download	FreeBSD-src-8b1807b878e1530fdd59b4ba5961a54e19a351bf.zip FreeBSD-src-8b1807b878e1530fdd59b4ba5961a54e19a351bf.tar.gz