- Update the sysctl mibs in order to reflect the recent kern_jail.c
changes. Approved by: rwatson Reviewed by: rwatson
This commit is contained in:
Andrew R. Reiter
parent
83aee5a8d5
commit
94b3b598b9
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=87717
@ -193,10 +193,10 @@ virtual host interface, and then start the jail's
|
||||
script from within the jail.
|
||||
.Pp
|
||||
NOTE: If you plan to allow untrusted users to have root access inside the
|
||||
jail, you may wish to consider setting the jail.set_hostname_allowed to
|
||||
0. Please see the management reasons why this is a good idea. If you
|
||||
do decide to set this variable, it must be set before starting any jails,
|
||||
and once each boot.
|
||||
jail, you may wish to consider setting the
|
||||
kern.security.jail.set_hostname_allowed to 0. Please see the management
|
||||
reasons why this is a good idea. If you do decide to set this variable,
|
||||
it must be set before starting any jails, and once each boot.
|
||||
.Bd -literal -offset indent
|
||||
# ifconfig ed0 inet alias 192.168.11.100 netmask 255.255.255.255
|
||||
# mount -t procfs proc /data/jail/192.168.11.100/proc
|
||||
@ -263,13 +263,13 @@ default, modified from within the jail, so the
|
||||
.Pa /proc
|
||||
status entry is unreliable by default. To disable the setting of the hostname
|
||||
from within a jail, set the
|
||||
.Dq Va jail.set_hostname_allowed
|
||||
.Dq Va kern.security.jail.set_hostname_allowed
|
||||
sysctl variable in the host environment to 0, which will affect all jails.
|
||||
You can have this sysctl set each boot using
|
||||
.Xr sysctl.conf 5 .
|
||||
Just add the following line to sysctl.conf:
|
||||
.Bd -literal -offset indent
|
||||
jail.set_hostname_allowed=0
|
||||
kern.security.jail.set_hostname_allowed=0
|
||||
.Ed
|
||||
.Pp
|
||||
In a future version of
|
||||
@ -284,7 +284,7 @@ MIB variables.
|
||||
Currently, these variables affect all jails on the system, although in
|
||||
the future this functionality may be finer grained.
|
||||
.Bl -tag -width XXX
|
||||
.It jail.set_hostname_allowed
|
||||
.It kern.security.jail.set_hostname_allowed
|
||||
This MIB entry determines whether or not processes within a jail are
|
||||
allowed to change their hostname via
|
||||
.Xr hostname 1
|
||||
@ -296,7 +296,7 @@ information in
|
||||
.Pa /proc .
|
||||
As such, this should be disabled in environments where privileged access to
|
||||
jails is given out to untrusted parties.
|
||||
.It jail.socket_unixiproute_only
|
||||
.It kern.security.jail.socket_unixiproute_only
|
||||
The jail functionality binds an IPv4 address to each jail, and limits
|
||||
access to other network addresses in the IPv4 space that may be available
|
||||
in the host environment.
|
||||
@ -312,7 +312,7 @@ permitting them access to UNIX domain sockets,
|
||||
IPv4 addresses, and routing sockets.
|
||||
To enable access to other domains, this MIB variable may be set to
|
||||
0.
|
||||
.It jail.sysvipc_allowed
|
||||
.It kern.security.jail.sysvipc_allowed
|
||||
This MIB entry determines whether or not processes within a jail have access
|
||||
to System V IPC primitives.
|
||||
In the current jail implementation, System V primitives share a single
|
||||
|
||||
Loading…
Reference in New Issue
Block a user