Date: Mon, 17 Apr 2006 23:02:11 +0800 (CST) From: Cheng-Lung Sung <clsung@FreeBSD.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: clsung@gmail.com Subject: kern/95925: security.jail.jailed should be more secure Message-ID: <20060417150211.A2A517E99A@FreeBSD.csie.nctu.edu.tw> Resent-Message-ID: <200604171510.k3HFAHBj054364@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 95925
>Category: kern
>Synopsis: security.jail.jailed should be more secure
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 17 15:10:17 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Cheng-Lung Sung
>Release: FreeBSD 6.1-PRERELEASE i386
>Organization:
FreeBSD @ Taiwan
>Environment:
System: FreeBSD FreeBSD.csie.nctu.edu.tw 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #7: Thu Apr 13 03:20:20 CST 2006 root@FreeBSD.csie.nctu.edu.tw:/home/usr.obj/usr/src/sys/FREEBSD i386
>Description:
security.jail.jailed can be too easily shown from in jail,
since it gives *someone* changes to know if he is in jail or not.
I think better only show jailed when the administrator decide
to insecure his machines (i.e. securelevel <=0)
>How-To-Repeat:
sysctl -a | grep security.jail.jailed
>Fix:
--- sys/kern/kern_jail.c.orig Mon Apr 17 22:53:48 2006
+++ sys/kern/kern_jail.c Mon Apr 17 22:54:03 2006
@@ -580,5 +580,6 @@
return (error);
}
-SYSCTL_PROC(_security_jail, OID_AUTO, jailed, CTLTYPE_INT | CTLFLAG_RD,
+SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
+ CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_SECURE,
NULL, 0, sysctl_jail_jailed, "I", "Process in jail?");
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060417150211.A2A517E99A>