From 52acdf7b7df5cdd6bf8c842d74fa5356d136be98 Mon Sep 17 00:00:00 2001
From: Xin LI
Date: Thu, 22 Feb 2007 06:36:17 +0000
Subject: MFen 1.18 -> 1.19
Obtained from: The FreeBSD Simplified Chinese Project
---
 zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml | 31 +++++++++++++++++-----
 1 file changed, 24 insertions(+), 7 deletions(-)
(limited to 'zh_CN.GB2312/books')
diff --git a/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml b/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
index 3085eefb3a..44cdb791a7 100644
--- a/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
+++ b/zh_CN.GB2312/books/arch-handbook/jail/chapter.sgml
@@ -2,7 +2,7 @@
 The FreeBSD Documentation Project
 The FreeBSD Simplified Chinese Project
- Original Revision: 1.18
+ Original Revision: 1.19
 $FreeBSD$
 -->
@@ -153,28 +153,45 @@ i = execv(argv[4], argv + 4);
 /usr/src/sys/kern/kern_jail.c:
 int jail_set_hostname_allowed = 1;
-SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
 _set_hostname_allowed, 0,
 "Processes in jail can set their hostnames");
 /* Jail中的进程可设定自身的主机名 */
 int jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
 _socket_unixiproute_only, 0,
 "Processes in jail are limited to creating &unix;/IPv4/route sockets only ");
 /* Jail中的进程被限制只能建立UNIX套接字、IPv4套接字、路由套接字 */
 int jail_sysvipc_allowed = 0;
-SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
+SYSCTL_INT(_security_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
 _sysvipc_allowed, 0,
 "Processes in jail can use System V IPC primitives");
- /* Jail中的进程可以使用System V进程间通讯原语 */
-
+ /* Jail中的进程可以使用System V进程间通讯原语 */
+
+static int jail_enforce_statfs = 2;
+SYSCTL_INT(_security_jail, OID_AUTO, enforce_statfs, CTLFLAG_RW,
+ _enforce_statfs, 0,
+ "Processes in jail cannot see all mounted file systems");
+ /* jail 中的进程查看系统中挂接的文件系统时受到何种限制 */
+
+int jail_allow_raw_sockets = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
+ _allow_raw_sockets, 0,
+ "Prison root can create raw sockets");
+ /* jail 中的 root 用户是否可以创建 raw socket */
+
+int jail_chflags_allowed = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
+ _chflags_allowed, 0,
+ "Processes in jail can alter system file flags");
+ /* jail 中的进程是否可以修改系统级文件标记 */
 这些sysctl项中的每一个都可以用命令sysctl访问。在整个内核中, 这些sysctl项按名称标识。例如,上述第一个sysctl项的名字是
- jail.set.hostname.allowed.
+ security.jail.set_hostname_allowed
-- cgit v1.2.3