priv(9) - Removal of PRISON_ROOT flag
Michael Neumann
mneumann at ntecs.de
Mon Jul 13 01:06:16 PDT 2009
Hi all,
The PRISON_ROOT flag is gone now, which could be passed to
priv_check_cred() to allow a privilege within a jail (this meant that
the root user within a jail was allowed to perform a certain operation).
As such, what is allowed within a jail was spread over all calls to
priv_check_cred(). This knownledge is now defined purely within
prison_priv_check(), which checks whether a given privilege is allowed
within a jail or not (this function should not be called directly! it is
called by priv_check_cred()).
So for example if you want to know whether raw IP sockets are allowed
within a jail, simply take a look at prison_priv_check(), where you will
see the following code:
switch(priv)
case PRIV_NETINET_RAW:
if (jail_allow_raw_sockets)
return (0);
else
return (EPERM);
Then do a search over the whole source tree for PRIV_NETINET_RAW to see
where this privilege is requested.
Regards,
Michael
More information about the Kernel
mailing list