diff options
| -rw-r--r-- | en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml b/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml index f53b729659..b7df90b150 100644 --- a/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml +++ b/en_US.ISO8859-1/books/arch-handbook/jail/chapter.sgml @@ -112,7 +112,7 @@ j.hostname = argv[2];</programlisting> <programlisting><filename>/usr/src/usr.sbin/jail/jail.c</filename>: struct in.addr in; ... -i = inet.aton(argv[3], <![CDATA[&in]]>); +i = inet_aton(argv[3], <![CDATA[&in]]>); ... j.ip_number = ntohl(in.s.addr);</programlisting> @@ -170,26 +170,41 @@ i = execv(argv[4], argv + 4);</programlisting> <programlisting><filename>/usr/src/sys/kern/kern_jail.c:</filename> int jail_set_hostname_allowed = 1; -SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW, +SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW, <![CDATA[&jail]]>_set_hostname_allowed, 0, "Processes in jail can set their hostnames"); int jail_socket_unixiproute_only = 1; -SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, +SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, <![CDATA[&jail]]>_socket_unixiproute_only, 0, "Processes in jail are limited to creating &unix;/IPv4/route sockets only "); int jail_sysvipc_allowed = 0; -SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, +SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, <![CDATA[&jail]]>_sysvipc_allowed, 0, - "Processes in jail can use System V IPC primitives");</programlisting> + "Processes in jail can use System V IPC primitives"); + +static int jail_enforce_statfs = 2; +SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW, + <![CDATA[&jail]]>_enforce_statfs, 0, + "Processes in jail cannot see all mounted file systems"); + +int jail_allow_raw_sockets = 0; +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, + <![CDATA[&jail]]>_allow_raw_sockets, 0, + "Prison root can create raw sockets"); + +int jail_chflags_allowed = 0; +SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW, + <![CDATA[&jail]]>_chflags_allowed, 0, + "Processes in jail can alter system file flags");</programlisting> <para>Each of these sysctls can be accessed by the user through the sysctl program. Throughout the kernel, these specific sysctls are recognized by their name. For example, the name of the first sysctl is - <literal>jail.set.hostname.allowed</literal>.</para> + <literal>security.jail.set_hostname_allowed</literal>.</para> </sect3> <sect3> |