author | Jamie Gritton <jamie@FreeBSD.org> | 2018-10-17 16:11:43 +0000 |
---|---|---|
committer | Jamie Gritton <jamie@FreeBSD.org> | 2018-10-17 16:11:43 +0000 |
commit | b19d66fd5a21c3045c6d4c395dac73d1585f77ed (patch) | |
tree | 4987983d43acb303fea2405e811c8f4cc99ef318 /usr.sbin | |
parent | eb144aa007e4ef03af9b1f2fa7cea29916abf82f (diff) | |
download | src-b19d66fd5a21c3045c6d4c395dac73d1585f77ed.tar.gz src-b19d66fd5a21c3045c6d4c395dac73d1585f77ed.zip |
Add a new jail permission, allow.read_msgbuf. When true, jailed processes
can see the dmesg buffer (this is the current behavior). When false (the
new default), dmesg will be unavailable to jailed users, whether root or
not.

The security.bsd.unprivileged_read_msgbuf sysctl still works as before,
controlling system-wide whether non-root users can see the buffer.

PR: 211580
Submitted by: bz
Approved by: re@ (kib@)
MFC after: 3 days
Notes:
svn path=/head/; revision=339409
Diffstat (limited to 'usr.sbin')
-rw-r--r-- | usr.sbin/jail/jail.8 | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index ba5be58a2413..c0e59f3c9a96 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 20, 2018 +.Dd October 17, 2018 .Dt JAIL 8 .Os .Sh NAME @@ -549,6 +549,11 @@ option. The jail root may administer quotas on the jail's filesystem(s). This includes filesystems that the jail may share with other jails or with non-jailed parts of the system. +.It Va allow.read_msgbuf +Jailed users may read the kernel message buffer. +If the +.Va security.bsd.unprivileged_read_msgbuf +MIB entry is zero, this will be restricted to to root user. .It Va allow.socket_af Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that |
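Review bot: The last added line of the new allow.read_msgbuf entry reads "this will be restricted to to root user", with a doubled "to" and a missing article; it should read "this will be restricted to the root user". The entry also documents only the enabled case. The commit message says that with the parameter off the buffer is unavailable to jailed users "whether root or not", and the man page text should say so in one sentence, since an administrator reading only "Jailed users may read the kernel message buffer" could assume jailed root keeps access when the parameter is unset. It would also help to replace "this" in the final sentence with an explicit subject (for example "access within the jail") so it is clear that the sysctl narrows the permission granted here rather than replacing it.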