diff --git a/share/man/man9/sysctl.9 b/share/man/man9/sysctl.9
--- a/share/man/man9/sysctl.9
+++ b/share/man/man9/sysctl.9
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 1, 2020
+.Dd November 7, 2024
 .Dt SYSCTL 9
 .Os
 .Sh NAME
@@ -901,7 +901,13 @@
 This sysctl can be written to only if the effective securelevel of the
 process is \[<=] 0.
 .It Dv CTLFLAG_PRISON
-This sysctl can be written to by processes in
+It indicates that this sysctl variable may vary per
+.Xr jail 2 .
+All such variables can be listed using
+.Fl J
+option of
+.Xr sysctl 8 .
+Also, if it is not read-only then it can be written to by processes in
 .Xr jail 2 .
 .It Dv CTLFLAG_SKIP
 When iterating the sysctl name space, do not list this sysctl.
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -4356,7 +4356,7 @@
 }
 
 SYSCTL_OID(_security_jail, OID_AUTO, list,
-    CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_list, "S", "List of active jails");
 
 static int
@@ -4371,7 +4371,7 @@
 }
 
 SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_jailed, "I", "Process in jail?");
 
 static int
@@ -4391,7 +4391,7 @@
 }
 
 SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_vnet, "I", "Jail owns vnet?");
 
 #if defined(INET) || defined(INET6)
@@ -4427,7 +4427,7 @@
 	if (arg1 != NULL)
 		i ^= arg2;
 	/*
-	 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
+	 * The sysctls don't have CTLFLAG_PRISON, so assume prison0
 	 * for writing.
 	 */
 	mtx_lock(&prison0.pr_mtx);
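Review bot: Adding CTLFLAG_PRISON to the read-only security.jail.list oid has no permission effect on its own, since by the flag's documented meaning (the old sysctl.9 text and the sysctl.h comment) it only widens who may write, but it now leaves this oid one flag away from being writable by jailed root: a later change of CTLFLAG_RD to CTLFLAG_RW here would grant that write access without anyone having to look at CTLFLAG_PRISON again. The same applies to the jailed and vnet oids in the next two hunks, to children.max and children.cur, and to kern.osrelease and kern.osreldate in kern_mib.c. Nothing in this file says the flag is being used purely as a per-jail marker for `sysctl -J`, so a reader can only learn that from the man page hunk. A one-line comment above each of these registrations would make the intent explicit, for example `/* CTLFLAG_PRISON marks a per-jail value for sysctl -J; this oid stays read-only. */`.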
@@ -4513,11 +4513,11 @@
 }
 
 SYSCTL_PROC(_security_jail_children, OID_AUTO, max,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, offsetof(struct prison, pr_childmax), sysctl_jail_children, "I",
     "Maximum number of child jails");
 SYSCTL_PROC(_security_jail_children, OID_AUTO, cur,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, offsetof(struct prison, pr_childcount), sysctl_jail_children, "I",
     "Current number of child jails");
 
diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c
--- a/sys/kern/kern_mib.c
+++ b/sys/kern/kern_mib.c
@@ -555,7 +555,7 @@
 }
 
 SYSCTL_PROC(_kern, KERN_OSRELEASE, osrelease,
-    CTLTYPE_STRING | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_STRING | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, 0, sysctl_osrelease, "A", "Operating system release");
 
 /*
@@ -578,7 +578,7 @@
  * /usr/include/osreldate.h
  */
 SYSCTL_PROC(_kern, KERN_OSRELDATE, osreldate,
-    CTLTYPE_INT | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, 0, sysctl_osreldate, "I", "Kernel release date");
 
 /*
diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h
--- a/sys/sys/sysctl.h
+++ b/sys/sys/sysctl.h
@@ -81,7 +81,7 @@
 #define CTLFLAG_DORMANT 0x20000000 /* This sysctl is not active yet */
 #define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */
 #define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */
-#define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
+#define CTLFLAG_PRISON 0x04000000 /* Per jail, prisoned root can fiddle */
 #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */
 #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */
 #define CTLMASK_SECURE 0x00F00000 /* Secure level */
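Review bot: The reworded comment on CTLFLAG_PRISON in sysctl.h, `Per jail, prisoned root can fiddle`, still describes the flag purely as a write permission, yet this same commit applies it to oids that are CTLFLAG_RD (security.jail.list, security.jail.children.max, kern.osrelease and others), where no write can take place. The sysctl.9 hunk states both meanings correctly ("may vary per jail" and "if it is not read-only then it can be written to"); the header is what kernel developers read when choosing flags, so it should say the same, otherwise the permission side of the flag is easy to overlook when an oid later changes from RD to RW. Suggested line: `#define CTLFLAG_PRISON 0x04000000 /* Per-jail value; jailed root may set it if RW */`.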