author | Xin LI <delphij@FreeBSD.org> | 2007-02-22 06:36:17 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2007-02-22 06:36:17 +0000 |
commit | 52acdf7b7df5cdd6bf8c842d74fa5356d136be98 (patch) | |
tree | a85ce2c94d117078f6b100c6da9ce229b9cb6e8e | |
parent | d848230019ad7e529aa2b8dfbb3c28b4c28b01ca (diff) |
-rw-r--r-- | zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml b/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
index 3085eefb3a..44cdb791a7 100644
--- a/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
+++ b/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
@@ -2,7 +2,7 @@
 The FreeBSD Documentation Project
 The FreeBSD Simplified Chinese Project
- Original Revision: 1.18
+ Original Revision: 1.19
 $FreeBSD$
 -->
@@ -153,28 +153,45 @@ i = execv(argv[4], argv + 4);</programlisting>
 <programlisting><filename>/usr/src/sys/kern/kern_jail.c:</filename>
 int jail_set_hostname_allowed = 1;
-SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
 <![CDATA[&jail]]>_set_hostname_allowed, 0,
 "Processes in jail can set their hostnames");
 /* Jail中的进程可设定自身的主机名 */
 int jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
 <![CDATA[&jail]]>_socket_unixiproute_only, 0,
 "Processes in jail are limited to creating &unix;/IPv4/route sockets only ");
 /* Jail中的进程被限制只能建立UNIX套接字、IPv4套接字、路由套接字 */
 int jail_sysvipc_allowed = 0;
-SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
 <![CDATA[&jail]]>_sysvipc_allowed, 0,
 "Processes in jail can use System V IPC primitives");
- /* Jail中的进程可以使用System V进程间通讯原语 */</programlisting>
-
+ /* Jail中的进程可以使用System V进程间通讯原语 */
+
+static int jail_enforce_statfs = 2;
+SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
+ <![CDATA[&jail]]>_enforce_statfs, 0,
+ "Processes in jail cannot see all mounted file systems");
+ /* jail 中的进程查看系统中挂接的文件系统时受到何种限制 */
+
+int jail_allow_raw_sockets = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
+ <![CDATA[&jail]]>_allow_raw_sockets, 0,
+ "Prison root can create raw sockets");
+ /* jail 中的 root 用户是否可以创建 raw socket */
+
+int jail_chflags_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
+ <![CDATA[&jail]]>_chflags_allowed, 0,
+ "Processes in jail can alter system file flags");
+ /* jail 中的进程是否可以修改系统级文件标记 */</programlisting>
 <para>这些sysctl项中的每一个都可以用命令sysctl访问。在整个内核中,
 这些sysctl项按名称标识。例如,上述第一个sysctl项的名字是
- <literal>jail.set.hostname.allowed</literal>.</para>
+ <literal>security.jail.set_hostname_allowed</literal>。</para>
 </sect3> <sect3> |