kern/174104: security.jail.param does not reflect actual jail perms
Ed Maste
emaste at FreeBSD.org
Tue Dec 4 11:10:00 UTC 2012
>Number: 174104
>Category: kern
>Synopsis: security.jail.param does not reflect actual jail perms
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 04 11:10:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Ed Maste
>Release: FreeBSD 9.1-RC3 amd64
>Organization:
ADARA Networks
>Environment:
System: FreeBSD bld91 9.1-RC3 FreeBSD 9.1-RC3 #0 r243630M: Mon Dec 3 10:44:36 PST 2012 root@bld91:/data/obj/data/freebsd-src/9.1/sys/GENERIC amd64
>Description:
I would expect security.jail.param.* to update inside the jail after using
jail -m on the host to change settings, but this does not appear to happen.
>How-To-Repeat:
# on the host, disallow chflags:
bld91# jail -m jid=2 allow.chflags=0
# in the jail, verify that chflags fails:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # touch foo
root@tinderbox:/root # chflags schg foo; chflags noschg foo
chflags: foo: Operation not permitted
# on the host, allow chflags:
bld91# jail -m jid=2 allow.chflags=1
# in the jail, chflags works but the sysctl still shows 0:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # chflags schg foo ; chflags noschg foo
root@tinderbox:/root #
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
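
A host-side check for the discrepancy reported above, as an added example that is not part of the original report or of FreeBSD's own code. It compares the value the host sees with jls against the sysctl read inside the jail; the function names, the PARAMS list, and the assumption that jls prints a named boolean parameter as 0 or 1 are the example's own.

```shell
#!/bin/sh
# Added example: flag jails where security.jail.param.* inside the jail
# disagrees with the jail's effective setting as seen from the host.
# Assumption: "jls -j JID PARAM" prints a boolean parameter as 0 or 1.

# allow.chflags is the parameter from the report; the others are further
# standard jail(8) allow.* parameters, audited the same way.
PARAMS="allow.chflags allow.raw_sockets allow.set_hostname allow.sysvipc"

# host_view JID PARAM -> effective value, read on the host
host_view() {
    jls -j "$1" "$2"
}

# jail_view JID PARAM -> value the sysctl reports inside the jail
jail_view() {
    jexec "$1" sysctl -n "security.jail.param.$2"
}

# check_jail JID -> prints one line per mismatching parameter;
# returns 1 if any mismatch was found, 0 otherwise.
check_jail() {
    jid=$1
    rc=0
    for p in $PARAMS; do
        # Skip parameters that cannot be read on this release.
        h=$(host_view "$jid" "$p") || continue
        j=$(jail_view "$jid" "$p") || continue
        if [ "$h" != "$j" ]; then
            echo "jid=$jid $p host=$h in-jail-sysctl=$j"
            rc=1
        fi
    done
    return $rc
}

# check_all -> runs check_jail over every running jail
check_all() {
    all_rc=0
    for jid in $(jls jid); do
        check_jail "$jid" || all_rc=1
    done
    return $all_rc
}

# Run as root on the host: sh thisfile --run
if [ "${1:-}" = "--run" ]; then check_all; exit $?; fi
```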