Page MenuHomeFreeBSD
Differential D47601

MAC/do: sysctl_rules(): Set the requesting's thread's jail's rules
AcceptedPublic
Actions

Authored by olce on Fri, Nov 15, 5:07 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 19, 6:50 PM
Unknown Object (File)
Tue, Nov 19, 6:21 PM
Unknown Object (File)
Tue, Nov 19, 12:21 PM
Unknown Object (File)
Mon, Nov 18, 5:46 PM
Unknown Object (File)
Mon, Nov 18, 4:08 PM
Unknown Object (File)
Mon, Nov 18, 12:40 PM
Unknown Object (File)
Mon, Nov 18, 3:20 AM
Unknown Object (File)
Sat, Nov 16, 6:38 AM
View All 9 Files
Subscribers
emaste
imp
jlduran
lwhsu

Details

Reviewers
bapt
Summary

This revision is part of a series. Click on the Stack tab below to see the context.
This series has also been squeezed into D47633 to provide an overall view.

Commit message:
Allowing to change the rules specification on a jail other than the
requesting's thread one is a security issue, as it will immediately
apply to the jail we inherited from and all its other descendants that
inherit from it.

With this change, setting the 'mdo_rules' sysctl in a jail forces that
jail to no more inherit from its parent.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 60592
Build 57476: arc lint + arc unit

Revision Contents
Changeset List

PathSize
sys/
security/
mac_do/
6 lines

Diff 146534

View Options

sys/security/mac_do/mac_do.c

Loading...