From ee9218912a48e9a9e8b8921374ee1b4ec5e89573 Mon Sep 17 00:00:00 2001 From: rwatson Date: Sat, 14 Feb 2004 19:19:47 +0000 Subject: By default, don't allow processes in a jail to list the set of jails in the system. Previous behavior (allowed) may be restored by setting security.jail.list_allowed=1. --- sys/kern/kern_jail.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'sys/kern') diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 94ac0aa..b867935 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -59,6 +59,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, getfsstate_getfsstatroot_only, CTLFLAG_RW, &jail_getfsstatroot_only, 0, "Processes see only their root file system in getfsstat()"); +int jail_list_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, list_allowed, CTLFLAG_RW, + &jail_list_allowed, 0, + "Processes in jail can access system jail list"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; @@ -446,6 +451,8 @@ sysctl_jail_list(SYSCTL_HANDLER_ARGS) int count, error; mtx_assert(&Giant, MA_OWNED); + if (jailed(req->td->td_ucred) && !jail_list_allowed) + return (0); retry: mtx_lock(&allprison_mtx); count = prisoncount; -- cgit v1.1