From owner-freebsd-bugs@FreeBSD.ORG  Tue Dec  4 14:31:39 2012
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 9E329B35;
 Tue,  4 Dec 2012 14:31:39 +0000 (UTC)
 (envelope-from emaste@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
 [IPv6:2001:1900:2254:206c::16:87])
 by mx1.freebsd.org (Postfix) with ESMTP id 85F108FC17;
 Tue,  4 Dec 2012 14:31:39 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
 by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id qB4EVdrL028474;
 Tue, 4 Dec 2012 14:31:39 GMT
 (envelope-from emaste@freefall.freebsd.org)
Received: (from emaste@localhost)
 by freefall.freebsd.org (8.14.5/8.14.5/Submit) id qB4EVdk4028470;
 Tue, 4 Dec 2012 14:31:39 GMT (envelope-from emaste)
Date: Tue, 4 Dec 2012 14:31:39 GMT
Message-Id: <201212041431.qB4EVdk4028470@freefall.freebsd.org>
To: emaste@FreeBSD.org, freebsd-bugs@FreeBSD.org, emaste@FreeBSD.org
From: emaste@FreeBSD.org
Subject: Re: kern/174104: security.jail.param does not reflect actual jail
 perms
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2012 14:31:39 -0000

Synopsis: security.jail.param does not reflect actual jail perms

Responsible-Changed-From-To: freebsd-bugs->emaste
Responsible-Changed-By: emaste
Responsible-Changed-When: Tue Dec 4 14:26:51 UTC 2012
Responsible-Changed-Why: 
Assign to myself for tracking.

This stuff is rather opaque and poorly documented, but it does appear to
function.

There are two sysctls associated with each of these parameters - e.g.:

security.jail.param.allow.mount.nullfs:
    Jail may mount the nullfs file system

security.jail.mount_nullfs_allowed:
    Processes in jail can mount the nullfs file system

The non-param one inside the jail tracks modifications from jail -m
modifications done by the host.


http://www.freebsd.org/cgi/query-pr.cgi?pr=174104