Document security.jail.getfsstatroot_only sysctl.

Obtained from: rwatson's commit log Approved by: rwatson
svn path=/head/; revision=129463
2004-05-20 05:30:16 +00:00 · 2004-05-20 05:30:16 +00:00 · 147110cb2d · 2020-12-20 02:59:44 +00:00
commit 147110cb2d
parent 2ff8a3496f
1 changed files with 14 additions and 0 deletions
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@ -416,6 +416,20 @@ with the IP address bound to the jail, regardless of whether or not
 the
 .Dv IP_HDRINCL
 flag has been set on the socket.
+.It Va security.jail.getfsstatroot_only
+This MIB entry determines whether or not processes within a jail is able
+to see data for all mountpoints.
+When set to 1 (default),
+.Xr getfsstat 2
+system call only return (while called by jailed processes) the data for
+the file system on which jail's root vnode is located.
+Note: this also has the effect of hiding other mounts inside a jail,
+such as
+.Pa /dev ,
+.Pa /tmp ,
+and
+.Pa /proc ,
+but errs on the side of leaking less information.
 .It Va security.jail.set_hostname_allowed
 This MIB entry determines whether or not processes within a jail are
 allowed to change their hostname via