From f2722ad13879d5b79d762d3fb26ac2555f2896cc Mon Sep 17 00:00:00 2001 From: rwatson Date: Thu, 10 Feb 2000 05:32:03 +0000 Subject: Introduce a new sysctl, kern.jailcansethostname, which determines whether or not a process in a jail, with privilege, may set the jail's hostname. Defaults to 1, which permits this. May be set to 0 by a process with appropriate privilege outside of jail. Preventing hostname renaming from within a jail is currently required to make jails manageable, as they a currently identifiable only by hostname using /proc, which may be modified without this sysctl being set to 0. This will be documented in upcoming man commits. Authorized by: jkh, the ever-patient --- sys/kern/kern_mib.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'sys/kern/kern_mib.c') diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c index 506ce86..c93cc6f 100644 --- a/sys/kern/kern_mib.c +++ b/sys/kern/kern_mib.c @@ -145,6 +145,11 @@ static char machine_arch[] = MACHINE_ARCH; SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD, machine_arch, 0, "System architecture"); +static int jailcansethostname=1; +SYSCTL_INT(_kern, KERN_JAILCANSETHOSTNAME, jailcansethostname, + CTLFLAG_RW, &jailcansethostname, 0, + "Jail can set its hostname"); + char hostname[MAXHOSTNAMELEN]; static int @@ -152,11 +157,13 @@ sysctl_hostname SYSCTL_HANDLER_ARGS { int error; - if (req->p->p_prison) + if (req->p->p_prison) { + if (!jailcansethostname) + return(EPERM); error = sysctl_handle_string(oidp, req->p->p_prison->pr_host, sizeof req->p->p_prison->pr_host, req); - else + } else error = sysctl_handle_string(oidp, hostname, sizeof hostname, req); return (error); -- cgit v1.1