From owner-freebsd-bugs@FreeBSD.ORG Fri Oct 24 13:40:14 2003
From: "C. Stephen Gunn"
To: FreeBSD-gnats-submit@FreeBSD.org
Resent-To: freebsd-bugs@FreeBSD.org
Date: Fri, 24 Oct 2003 15:37:45 -0500 (CDT)
Message-Id: <200310242037.h9OKbj4G068464@maelstrom.waterspout.com>
X-Send-Pr-Version: 3.113
Subject: kern/58497: sysctl knob to return current process' jid

>Number:         58497
>Category:       kern
>Synopsis:       sysctl knob to return current process' jid
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 24 13:40:12 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     C. Stephen Gunn
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
WaterSpout Communications, Inc.
>Environment:
FreeBSD dual450.waterspout.com 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sun Oct 19 21:57:46 CDT 2003 root@dual450.waterspout.com:/usr/src/sys/i386/compile/DUAL450 i386
>Description:
There is no easy way to tell if a process is operating in a Jail environment. This lever would be useful in /etc/rc to avoid invocations of privileged commands (sysctl, mount, fsck, etc.) that are known to be prohibited in the jail.

I have other work against the /etc/rc subsystem that uses this mechanism to avoid carping about operations that are not permitted.
>How-To-Repeat:
Start a jail and execute /etc/rc, watch all the errors and warnings, fiddle with 'ps | grep ..J..' for a while trying to figure out if you are currently in a jail.
>Fix:
The following patch (against current) adds a sysctl knob that returns the jid of the calling process, or 0 when the process is not jailed.

http://www.waterspout.com/csg/patch/security_jail_jid.diff
MD5 (security_jail_jid.diff) = b4b6e0fa944271977c94688e76e9f372
>Release-Note:
>Audit-Trail:
>Unformatted:
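The rc(8) guard the PR describes, written out as an added example; this is not the submitter's patch (which is only linked, not shown) and not FreeBSD's own rc code. It assumes the proposed knob is named `security.jail.jid` (inferred from the patch file name `security_jail_jid.diff`) and returns 0 on the host and a positive jail id inside a jail. Where that knob is absent, it falls back to `security.jail.jailed`, the boolean knob (1 inside a jail) that FreeBSD exposes today. The decision logic is kept in a separate function so it can be exercised with constructed values on a machine without either knob:

```shell
#!/bin/sh
# Added example (not the PR's patch): skip privileged rc(8) work inside a
# jail instead of letting sysctl/mount/fsck fail with EPERM.
#
# Assumptions:
#  - security.jail.jid is the knob proposed in the PR (name inferred from
#    security_jail_jid.diff): 0 outside a jail, a positive jid inside.
#  - security.jail.jailed is the boolean knob present on modern FreeBSD
#    (1 inside a jail); used only when the PR's knob is absent.

# Pure decision logic, separated from sysctl(8) so it can be tested with
# constructed values. Returns 0 (true) only for a positive numeric jid.
# An empty or non-numeric value means "knob missing or unreadable"; the
# safe default is to treat that as the host, matching a 0 return.
jid_means_jailed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number: assume host
        0)           return 1 ;;   # 0: not jailed
        *)           return 0 ;;   # positive jid: jailed
    esac
}

# Returns 0 (true) when the calling process is jailed.
in_jail() {
    jid=$(sysctl -n security.jail.jid 2>/dev/null)      # PR's knob (assumed name)
    if [ -z "$jid" ]; then
        # Unpatched kernel: fall back to the boolean knob; "1" means jailed,
        # which jid_means_jailed also treats as a positive value.
        jid=$(sysctl -n security.jail.jailed 2>/dev/null)
    fi
    jid_means_jailed "$jid"
}

# Run a command only on the host. Inside a jail, log and skip it rather
# than carping about an operation the jail forbids.
# Usage: host_only mount -a
host_only() {
    if in_jail; then
        echo "skipping '$*': not permitted inside a jail" >&2
        return 0
    fi
    "$@"
}

# Example rc-style invocations (constructed; harmless on any host).
host_only sysctl -n kern.hostname
host_only fsck -p
```

Note that `host_only` returns success when it skips, so rc scripts that chain on `&&` keep running; if a skipped step must be visible to later logic, test `in_jail` directly instead.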