Date:      Mon, 3 Dec 2012 11:55:51 -0800 (PST)
From:      Ed Maste <emaste@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/174104: security.jail.param does not reflect actual jail perms
Message-ID:  <201212031955.qB3JtpjU002612@bld91>
Resent-Message-ID: <201212041110.qB4BA0TS012205@freefall.freebsd.org>

>Number:         174104
>Category:       kern
>Synopsis:       security.jail.param does not reflect actual jail perms
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 04 11:10:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Ed Maste
>Release:        FreeBSD 9.1-RC3 amd64
>Organization:
ADARA Networks
>Environment:
System: FreeBSD bld91 9.1-RC3 FreeBSD 9.1-RC3 #0 r243630M: Mon Dec 3 10:44:36 PST 2012 root@bld91:/data/obj/data/freebsd-src/9.1/sys/GENERIC amd64

>Description:

I would expect security.jail.param.* to update inside the jail after using
jail -m on the host to change settings, but this does not appear to happen.

>How-To-Repeat:

# on the host, disallow chflags:                                                
bld91# jail -m jid=2 allow.chflags=0                                            
                                                                                
# in the jail, verify that chflags fails:                                       
root@tinderbox:/root # sysctl security.jail.param.allow.chflags                 
security.jail.param.allow.chflags: 0                                            
root@tinderbox:/root # touch foo
root@tinderbox:/root # chflags schg foo; chflags noschg foo                     
chflags: foo: Operation not permitted                                           
                                                                                
# on the host, allow chflags:                                                   
bld91# jail -m jid=2 allow.chflags=1                                            
                                                                                
# in the jail, chflags works but the sysctl still shows 0:                      
root@tinderbox:/root # sysctl security.jail.param.allow.chflags                 
security.jail.param.allow.chflags: 0                                            
root@tinderbox:/root # chflags schg foo ; chflags noschg foo                    
root@tinderbox:/root #                                                          

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:


