Lines 193-198
static struct bool_flags pr_flag_allow[NBBY * NBPW
|
193 |
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, |
193 |
{"allow.mlock", "allow.nomlock", PR_ALLOW_MLOCK}, |
194 |
{"allow.reserved_ports", "allow.noreserved_ports", |
194 |
{"allow.reserved_ports", "allow.noreserved_ports", |
195 |
PR_ALLOW_RESERVED_PORTS}, |
195 |
PR_ALLOW_RESERVED_PORTS}, |
|
|
196 |
{"allow.read_msgbuf", "allow.noread_msgbuf", PR_ALLOW_READ_MSGBUF}, |
196 |
}; |
197 |
}; |
197 |
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); |
198 |
const size_t pr_flag_allow_size = sizeof(pr_flag_allow); |
198 |
|
199 |
|
Lines 3350-3355
prison_priv_check(struct ucred *cred, int priv)
|
3350 |
case PRIV_PROC_SETLOGINCLASS: |
3351 |
case PRIV_PROC_SETLOGINCLASS: |
3351 |
return (0); |
3352 |
return (0); |
3352 |
|
3353 |
|
|
|
3354 |
/* |
3355 |
* Do not allow a process inside a jail read the kernel |
3356 |
* message buffer unless explicitly permitted. |
3357 |
*/ |
3358 |
case PRIV_MSGBUF: |
3359 |
if (cred->cr_prison->pr_allow & PR_ALLOW_READ_MSGBUF) |
3360 |
return (0); |
3361 |
else |
3362 |
return (EPERM); |
3363 |
|
3353 |
default: |
3364 |
default: |
3354 |
/* |
3365 |
/* |
3355 |
* In all remaining cases, deny the privilege request. This |
3366 |
* In all remaining cases, deny the privilege request. This |
Lines 3770-3775
SYSCTL_JAIL_PARAM(_allow, mlock, CTLTYPE_INT | CTL
|
3770 |
"B", "Jail may lock (unlock) physical pages in memory"); |
3781 |
"B", "Jail may lock (unlock) physical pages in memory"); |
3771 |
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, |
3782 |
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, |
3772 |
"B", "Jail may bind sockets to reserved ports"); |
3783 |
"B", "Jail may bind sockets to reserved ports"); |
|
|
3784 |
SYSCTL_JAIL_PARAM(_allow, read_msgbuf, CTLTYPE_INT | CTLFLAG_RW, |
3785 |
"B", "Jail may read the kernel message buffer"); |
3773 |
|
3786 |
|
3774 |
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); |
3787 |
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); |
3775 |
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, |
3788 |
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, |
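Review bot: The comment added above `case PRIV_MSGBUF:` in prison_priv_check, and the `read_msgbuf` description string in the last hunk, do not say that the kernel message buffer is system-wide rather than per-jail, so an administrator who sets allow.read_msgbuf may not realise the jail can then see kernel output from the host and from every other jail. I would reword the comment to `/* The message buffer is global to the system, not per-jail: deny reads from inside a jail unless allow.read_msgbuf is set. */`, which also fixes "jail read" to "jail to read", and change the description to `"Jail may read the (system-wide) kernel message buffer"`. Whether PR_ALLOW_READ_MSGBUF is clear in the default allow mask for new jails is not visible in these hunks and is worth confirming, since that decides whether existing jails keep or lose access after this change. prison_priv_check starts and ends outside the hunk.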