Diffstat (limited to 'usr.sbin/jail')
-rw-r--r-- | usr.sbin/jail/jail.8 | 7 | ||||
-rw-r--r-- | usr.sbin/jail/jail.c | 23 |
2 files changed, 26 insertions, 4 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index eb7d538..955e660 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -33,7 +33,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 9, 2006
+.Dd May 11, 2006
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .Nm
 .Op Fl i
 .Op Fl J Ar jid_file
+.Op Fl s Ar securelevel
 .Op Fl l u Ar username | Fl U Ar username
 .Ar path hostname ip-number command ...
 .Sh DESCRIPTION
@@ -73,6 +74,10 @@ is set to the target login.
 is imported from the current environment.
 The environment variables from the login class capability database for the
 target login are also set.
+.It Fl s Ar securelevel
+Sets
+.Va kern.securelevel
+to the specified value inside the newly created jail.
 .It Fl u Ar username
 The user name from host environment as whom the
 .Ar command
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index 49caa52..1116ed6 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -12,6 +12,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/param.h>
 #include <sys/jail.h>
+#include <sys/sysctl.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -28,6 +29,7 @@ __FBSDID("$FreeBSD$");
 #include <unistd.h>
 static void usage(void);
+static void setsecurelevel(int level);
 extern char **environ;
 #define GET_USER_INFO do { \
@@ -58,13 +60,14 @@ main(int argc, char **argv)
 char path[PATH_MAX], *username, *JidFile;
 static char *cleanenv;
 const char *shell, *p = NULL;
+ int securelevel = -1;
 FILE *fp;
 iflag = Jflag = lflag = uflag = Uflag = 0;
 username = JidFile = cleanenv = NULL;
 fp = NULL;
- while ((ch = getopt(argc, argv, "ilu:U:J:")) != -1) {
+ while ((ch = getopt(argc, argv, "ils:u:U:J:")) != -1) {
 switch (ch) {
 case 'i':
 iflag = 1;
@@ -73,6 +76,9 @@ main(int argc, char **argv)
 JidFile = optarg;
 Jflag = 1;
 break;
+ case 's':
+ securelevel = (int) strtol(optarg, NULL, 0);
+ break;
 case 'u':
 username = optarg;
 uflag = 1;
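Review bot: The new `case 's'` takes the level from `strtol(optarg, NULL, 0)` with no end-pointer or errno check, so `-s abc` parses as 0, `-s 3x` as 3, and an out-of-range value is silently truncated by the `(int)` cast; none of these is reported to the operator, which matters for a flag whose purpose is to lock a jail down. I would reject anything that is not a complete integer, e.g. `errno = 0; securelevel = (int)strtol(optarg, &ep, 0);` followed by `if (errno != 0 || *optarg == '\0' || *ep != '\0') errx(1, "invalid securelevel: %s", optarg);` (strtonum(3) does the same in one call if this libc provides it). That needs a `char *ep` among the locals and `<errno.h>` if the file does not already include it, neither of which is visible here. The enclosing main() starts and ends outside this hunk.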
@@ -130,6 +136,8 @@ main(int argc, char **argv)
 errx(1, "Could not write JidFile: %s", JidFile);
 }
 }
+ if (securelevel > 0)
+ setsecurelevel(securelevel);
 if (username != NULL) {
 if (Uflag)
 GET_USER_INFO;
@@ -168,8 +176,17 @@ static void
 usage(void)
 {
- (void)fprintf(stderr, "%s%s\n",
- "usage: jail [-i] [-J jid_file] [-l -u username | -U username]",
+ (void)fprintf(stderr, "%s%s%s\n",
+ "usage: jail [-i] [-J jid_file] [-s securelevel] [-l -u ",
+ "username | -U username]",
 " path hostname ip-number command ...");
 exit(1);
 }
+
+static void
+setsecurelevel(int level) {
+ if (sysctlbyname("kern.securelevel", NULL, 0, &level, sizeof(level)))
+ err(1, "Can not set securelevel to %d", level);
+
+}
+
 |
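Review bot: The guard `if (securelevel > 0)` means `-s 0` and negative values are accepted on the command line but never applied, while the man page text in this same commit says the option sets kern.securelevel to the specified value; together with the unchecked strtol in the option parser, a mistyped level is dropped without any diagnostic. Since the variable is initialised to -1 as the "not given" sentinel, `if (securelevel >= 0)` would honor `-s 0` and let the kernel reject a level it cannot set, which the err() path in setsecurelevel already reports. The call is placed after the jid file is written and before the user switch, which is the right order only if the process is already attached to the prison here; the jail() call is outside the hunk so I cannot confirm that, and a one-line comment such as `/* Must run after jail(2) has attached us, and before dropping privileges. */` above the call would make the dependency explicit. main() starts and ends outside this hunk.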
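Review bot: The new setsecurelevel() puts the opening brace on the signature line and leaves a blank line before the closing brace, which does not match usage() directly above it or style(9); `static void` / `setsecurelevel(int level)` / `{` on three lines, with the blank line removed, would make it consistent. The error text should read `"Cannot set securelevel to %d"`, and err(1) is the right call since sysctlbyname(3) sets errno. The helper also has no comment; I would add `/* Raise kern.securelevel for the calling process (presumably already inside the jail); exits on failure. */` above it, hedged because the jail attach is not visible in this hunk.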