I would expect security.jail.param.* to update inside the jail after using jail -m on the host to change settings, but this does not appear to happen.

How-To-Repeat:

# on the host, disallow chflags:
bld91# jail -m jid=2 allow.chflags=0

# in the jail, verify that chflags fails:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # touch foo
root@tinderbox:/root # chflags schg foo; chflags noschg foo
chflags: foo: Operation not permitted

# on the host, allow chflags:
bld91# jail -m jid=2 allow.chflags=1

# in the jail, chflags works but the sysctl still shows 0:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # chflags schg foo ; chflags noschg foo
root@tinderbox:/root #
Responsible Changed
From-To: freebsd-bugs->emaste

Assign to myself for tracking.

This stuff is rather opaque and poorly documented, but it does appear to function. There are two sysctls associated with each of these parameters - e.g.:

security.jail.param.allow.mount.nullfs: Jail may mount the nullfs file system
security.jail.mount_nullfs_allowed: Processes in jail can mount the nullfs file system

The non-param one inside the jail tracks modifications from jail -m modifications done by the host.
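An added example, not part of the bug report or of FreeBSD: a check to run inside the jail that compares the security.jail.param.* node, the non-param sysctl, and a live chflags probe like the one in the report. It assumes security.jail.chflags_allowed is the non-param counterpart for chflags (only the nullfs pair is named above); the function names and the SYSCTL/CHFLAGS override variables are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: security.jail.chflags_allowed is the
# effective (non-param) sysctl for allow.chflags.

# Commands are overridable so the logic can be exercised with stubs.
: "${SYSCTL:=sysctl}"
: "${CHFLAGS:=chflags}"

# Print the value of one sysctl OID, or "unknown" if it cannot be read.
read_oid() {
    $SYSCTL -n "$1" 2>/dev/null || echo unknown
}

# Live probe: set and clear schg on a scratch file, as in the report.
# Prints 1 if the jail is permitted to change flags, 0 if not.
probe_chflags() {
    f=$(mktemp "${TMPDIR:-/tmp}/chflags-probe.XXXXXX") || return 2
    if $CHFLAGS schg "$f" 2>/dev/null; then
        $CHFLAGS noschg "$f" 2>/dev/null
        rm -f "$f"; echo 1
    else
        rm -f "$f"; echo 0
    fi
}

# Report all three views. The return status reflects only whether the
# non-param sysctl agrees with observed behaviour; the param node is
# printed for reference because it did not change in the report.
audit_chflags() {
    param=$(read_oid security.jail.param.allow.chflags)
    effective=$(read_oid security.jail.chflags_allowed)
    observed=$(probe_chflags)
    echo "param=$param effective=$effective observed=$observed"
    [ "$effective" = "$observed" ]
}
```

Source the file inside the jail and call audit_chflags; a non-zero status means the non-param sysctl and the actual chflags behaviour disagree.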
For bugs matching the following criteria:

Status: In Progress
Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped