Document security.jail.getfsstatroot_only sysctl.
Obtained from: rwatson's commit log
Approved by: rwatson
parent 2ff8a3496f
commit 147110cb2d
@ -416,6 +416,20 @@ with the IP address bound to the jail, regardless of whether or not
the
.Dv IP_HDRINCL
flag has been set on the socket.
.It Va security.jail.getfsstatroot_only
This MIB entry determines whether or not processes within a jail is able
to see data for all mountpoints.
When set to 1 (default),
.Xr getfsstat 2
system call only return (while called by jailed processes) the data for
the file system on which jail's root vnode is located.
Note: this also has the effect of hiding other mounts inside a jail,
such as
.Pa /dev ,
.Pa /tmp ,
and
.Pa /proc ,
but errs on the side of leaking less information.
.It Va security.jail.set_hostname_allowed
This MIB entry determines whether or not processes within a jail are
allowed to change their hostname via
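Review bot: The new security.jail.getfsstatroot_only entry has agreement errors in its first and third sentences: "processes within a jail is able" should be "are able" (the set_hostname_allowed entry right after it already uses "are"), and "system call only return" should read "the getfsstat(2) system call only returns". "the file system on which jail's root vnode is located" also needs an article ("the jail's root vnode"). The text describes only the value 1; since the Note says that setting hides /dev, /tmp and /proc mounts inside the jail, add a sentence stating what jailed processes see when the value is 0, so an administrator can weigh the information leak against the missing mount data.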