diff options
author | Jamie Gritton <jamie@FreeBSD.org> | 2018-08-16 18:40:16 +0000 |
---|---|---|
committer | Jamie Gritton <jamie@FreeBSD.org> | 2018-08-16 18:40:16 +0000 |
commit | 284001a222ae071c063920aa1c1b6477f168002d (patch) | |
tree | 10ee709c397d09f7bbe58bae03f7543dbe01998b /sys/ufs | |
parent | a8e44f4da0e8b8892688d88a8faea5abfff2219e (diff) | |
download | src-284001a222ae071c063920aa1c1b6477f168002d.tar.gz src-284001a222ae071c063920aa1c1b6477f168002d.zip |
Put jail(2) under COMPAT_FREEBSD11. It has been the "old" way of creating
jails since FreeBSD 7.
Along with the system call, put the various security.jail.allow_foo and
security.jail.foo_allowed sysctls partly under COMPAT_FREEBSD11 (or
BURN_BRIDGES). These sysctls had two disparate uses: on the system side,
they were global permissions for jails created via jail(2) which lacked
fine-grained permission controls; inside a jail, they're read-only
descriptions of what the current jail is allowed to do. The first use
is obsolete along with jail(2), but keep them for the second-read-only use.
Differential Revision: D14791
Notes
Notes:
svn path=/head/; revision=337922
Diffstat (limited to 'sys/ufs')
-rw-r--r-- | sys/ufs/ufs/ufs_vnops.c | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/ufs/ufs/ufs_vnops.c b/sys/ufs/ufs/ufs_vnops.c index 66651e3f71bb..9e6e24c32db9 100644 --- a/sys/ufs/ufs/ufs_vnops.c +++ b/sys/ufs/ufs/ufs_vnops.c @@ -550,9 +550,8 @@ ufs_setattr(ap) * Privileged non-jail processes may not modify system flags * if securelevel > 0 and any existing system flags are set. * Privileged jail processes behave like privileged non-jail - * processes if the security.jail.chflags_allowed sysctl is - * is non-zero; otherwise, they behave like unprivileged - * processes. + * processes if the PR_ALLOW_CHFLAGS permission bit is set; + * otherwise, they behave like unprivileged processes. */ if (!priv_check_cred(cred, PRIV_VFS_SYSFLAGS, 0)) { if (ip->i_flags & |