Add the -s option to set jail's securelevel. This is useful for jails run with non-root privileges.

PR:	bin/80242
MFC after:	2 weeks

2 files changed, 26 insertions, 4 deletions

diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index eb7d538..955e660 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -33,7 +33,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 9, 2006
+.Dd May 11, 2006
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Nm
 .Op Fl i
 .Op Fl J Ar jid_file
+.Op Fl s Ar securelevel
 .Op Fl l u Ar username | Fl U Ar username
 .Ar path hostname ip-number command ...
 .Sh DESCRIPTION
@@ -73,6 +74,10 @@ is set to the target login.
 is imported from the current environment.
 The environment variables from the login class capability database for the
 target login are also set.
+.It Fl s Ar securelevel
+Sets 
+.Va kern.securelevel 
+to the specified value inside the newly created jail.
 .It Fl u Ar username
 The user name from host environment as whom the
 .Ar command
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index 49caa52..1116ed6 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -12,6 +12,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/jail.h>
+#include <sys/sysctl.h>
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -28,6 +29,7 @@ __FBSDID("$FreeBSD$");
 #include <unistd.h>
 
 static void	usage(void);
+static void	setsecurelevel(int level);
 extern char	**environ;
 
 #define GET_USER_INFO do {						\
@@ -58,13 +60,14 @@ main(int argc, char **argv)
 	char path[PATH_MAX], *username, *JidFile;
 	static char *cleanenv;
 	const char *shell, *p = NULL;
+	int securelevel = -1;
 	FILE *fp;
 
 	iflag = Jflag = lflag = uflag = Uflag = 0;
 	username = JidFile = cleanenv = NULL;
 	fp = NULL;
 
-	while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) {
+	while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
 		switch (ch) {
 		case 'i':
 			iflag = 1;
@@ -73,6 +76,9 @@ main(int argc, char **argv)
 			JidFile = optarg;
 			Jflag = 1;
 			break;
+		case 's':
+			securelevel = (int) strtol(optarg, NULL, 0);
+			break;
 		case 'u':
 			username = optarg;
 			uflag = 1;
@@ -130,6 +136,8 @@ main(int argc, char **argv)
 			errx(1, "Could not write JidFile: %s", JidFile);
 		}
 	}
+	if (securelevel > 0)
+			setsecurelevel(securelevel);
 	if (username != NULL) {
 		if (Uflag)
 			GET_USER_INFO;
@@ -168,8 +176,17 @@ static void
 usage(void)
 {
 
-	(void)fprintf(stderr, "%s%s\n",
-	     "usage: jail [-i] [-J jid_file] [-l -u username | -U username]",
+	(void)fprintf(stderr, "%s%s%s\n",
+		 "usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
+ 		 "username | -U username]",
 	     " path hostname ip-number command ...");
 	exit(1);
 }
+
+static void
+setsecurelevel(int level) {
+		if (sysctlbyname("kern.securelevel", NULL, 0, &level, sizeof(level)))
+		   err(1, "Can not set securelevel to %d", level);
+
+}
+