Introduce a new sysctl, kern.jailcansethostname, which determines whether

or not a process in a jail, with privilege, may set the jail's hostname. Defaults to 1, which permits this. May be set to 0 by a process with appropriate privilege outside of jail. Preventing hostname renaming from within a jail is currently required to make jails manageable, as they a currently identifiable only by hostname using /proc, which may be modified without this sysctl being set to 0. This will be documented in upcoming man commits. Authorized by: jkh, the ever-patient
2000-02-10 05:32:03 +00:00 · 2000-02-10 05:32:03 +00:00 · 6c144e7521
commit 6c144e7521
parent 0decb68047
2 changed files with 12 additions and 3 deletions
--- a/sys/kern/kern_mib.c
+++ b/sys/kern/kern_mib.c
@ -145,6 +145,11 @@ static char	machine_arch[] = MACHINE_ARCH;
 SYSCTL_STRING(_hw, HW_MACHINE_ARCH, machine_arch, CTLFLAG_RD,
    machine_arch, 0, "System architecture");

+static int	jailcansethostname=1;
+SYSCTL_INT(_kern, KERN_JAILCANSETHOSTNAME, jailcansethostname,
+	CTLFLAG_RW, &jailcansethostname, 0,
+	"Jail can set its hostname");
+
 char hostname[MAXHOSTNAMELEN];

 static int
@ -152,11 +157,13 @@ sysctl_hostname SYSCTL_HANDLER_ARGS
 {
 	int error;

-	if (req->p->p_prison) 
+	if (req->p->p_prison) {
+		if (!jailcansethostname)
+			return(EPERM);
 		error = sysctl_handle_string(oidp, 
 		    req->p->p_prison->pr_host,
 		    sizeof req->p->p_prison->pr_host, req);
-	else
+	} else
 		error = sysctl_handle_string(oidp, 
 		    hostname, sizeof hostname, req);
 	return (error);
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@ -260,7 +260,8 @@ void sysctl_unregister_oid(struct sysctl_oid *oidp);
 #define	KERN_PS_STRINGS		32	/* int: address of PS_STRINGS */
 #define	KERN_USRSTACK		33	/* int: address of USRSTACK */
 #define	KERN_LOGSIGEXIT		34	/* int: do we log sigexit procs? */
-#define KERN_MAXID		35      /* number of valid kern ids */
+#define KERN_JAILCANSETHOSTNAME	35	/* int: jailed p can set hostname */
+#define KERN_MAXID		36      /* number of valid kern ids */

 #define CTL_KERN_NAMES { \
 	{ 0, 0 }, \
@ -298,6 +299,7 @@ void sysctl_unregister_oid(struct sysctl_oid *oidp);
 	{ "ps_strings", CTLTYPE_INT }, \
 	{ "usrstack", CTLTYPE_INT }, \
 	{ "logsigexit", CTLTYPE_INT }, \
+	{ "jailcansethostname", CTLTYPE_INT }, \
 }

 /*