Bug 174104 - [jail] security.jail.param does not reflect actual jail perms
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2012-12-04 11:10 UTC by Ed Maste
Modified: 2019-11-08 21:08 UTC (History)
Description Ed Maste freebsd_committer 2012-12-04 11:10:00 UTC
I would expect security.jail.param.* to update inside the jail after using
jail -m on the host to change settings, but this does not appear to happen.

How-To-Repeat:
# on the host, disallow chflags:
bld91# jail -m jid=2 allow.chflags=0

# in the jail, verify that chflags fails:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # touch foo
root@tinderbox:/root # chflags schg foo; chflags noschg foo
chflags: foo: Operation not permitted

# on the host, allow chflags:
bld91# jail -m jid=2 allow.chflags=1

# in the jail, chflags works but the sysctl still shows 0:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # chflags schg foo ; chflags noschg foo
root@tinderbox:/root #
Comment 1 Ed Maste freebsd_committer 2012-12-04 14:26:51 UTC
Responsible Changed
From-To: freebsd-bugs->emaste

Assign to myself for tracking. 

This stuff is rather opaque and poorly documented, but it does appear to 
function. 

There are two sysctls associated with each of these parameters - e.g.: 

security.jail.param.allow.mount.nullfs: 
Jail may mount the nullfs file system 

security.jail.mount_nullfs_allowed: 
Processes in jail can mount the nullfs file system 

The non-param one inside the jail tracks modifications from jail -m
done by the host.
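
Added example, not part of the bug report or of FreeBSD's own code: a shell check that takes the effective permission from the legacy security.jail.* sysctl described in Comment 1 and lists the parameters for which the security.jail.param.* node shows a different value. The parameter-to-sysctl table (apart from mount_nullfs_allowed, which is quoted above) and the sample sysctl output are assumptions constructed for illustration.

```sh
# Added example: take the effective jail permission from the legacy
# security.jail.* sysctl and flag parameters whose param node disagrees.

# Legacy sysctl for an allow.* parameter; returns 1 if not in this table.
legacy_sysctl() {
    case "$1" in
        allow.chflags)      echo security.jail.chflags_allowed ;;
        allow.mount)        echo security.jail.mount_allowed ;;
        allow.mount.nullfs) echo security.jail.mount_nullfs_allowed ;;
        allow.set_hostname) echo security.jail.set_hostname_allowed ;;
        allow.sysvipc)      echo security.jail.sysvipc_allowed ;;
        allow.raw_sockets)  echo security.jail.allow_raw_sockets ;;
        *) return 1 ;;
    esac
}

# lookup NAME DUMP: value of NAME in "name: value" text (sysctl output).
lookup() {
    printf '%s\n' "$2" | awk -F': ' -v n="$1" '$1 == n { print $2; exit }'
}

# effective_allow PARAM DUMP: effective 0/1 taken from the legacy sysctl.
effective_allow() {
    name=$(legacy_sysctl "$1") || { echo "unknown parameter: $1" >&2; return 2; }
    val=$(lookup "$name" "$2")
    [ -n "$val" ] || { echo "no value for $name" >&2; return 3; }
    echo "$val"
}

# misleading_params DUMP: parameters whose param node differs from the
# effective value, one per line. Parameters missing from DUMP are skipped.
misleading_params() {
    for p in allow.chflags allow.mount allow.mount.nullfs \
             allow.set_hostname allow.sysvipc allow.raw_sockets; do
        eff=$(effective_allow "$p" "$1" 2>/dev/null) || continue
        shown=$(lookup "security.jail.param.$p" "$1")
        [ -n "$shown" ] && [ "$shown" != "$eff" ] && echo "$p"
    done
    return 0
}

# Constructed sample: jail state after "jail -m jid=2 allow.chflags=1".
SAMPLE='security.jail.param.allow.chflags: 0
security.jail.chflags_allowed: 1
security.jail.param.allow.mount.nullfs: 0
security.jail.mount_nullfs_allowed: 0'

misleading_params "$SAMPLE"   # inside a jail, pass sysctl output instead
```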
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:56 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped