From root@bld91.adaranet.com  Tue Dec  4 11:02:25 2012
Message-Id: <201212031955.qB3JtpjU002612@bld91>
Date: Mon, 3 Dec 2012 11:55:51 -0800 (PST)
From: Ed Maste <emaste@freebsd.org>
Reply-To: Ed Maste <emaste@freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: security.jail.param does not reflect actual jail perms
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         174104
>Category:       kern
>Synopsis:       [jail] security.jail.param does not reflect actual jail perms
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    emaste
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 04 11:10:00 UTC 2012
>Closed-Date:    
>Last-Modified:  Sun Dec 09 17:55:58 UTC 2012
>Originator:     Ed Maste
>Release:        FreeBSD 9.1-RC3 amd64
>Organization:
ADARA Networks
>Environment:
System: FreeBSD bld91 9.1-RC3 FreeBSD 9.1-RC3 #0 r243630M: Mon Dec 3 10:44:36 PST 2012 root@bld91:/data/obj/data/freebsd-src/9.1/sys/GENERIC amd64

>Description:

I would expect security.jail.param.* to update inside the jail after using
jail -m on the host to change settings, but this does not appear to happen.

>How-To-Repeat:

# on the host, disallow chflags:
bld91# jail -m jid=2 allow.chflags=0

# in the jail, verify that chflags fails:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # touch foo
root@tinderbox:/root # chflags schg foo; chflags noschg foo
chflags: foo: Operation not permitted

# on the host, allow chflags:
bld91# jail -m jid=2 allow.chflags=1

# in the jail, chflags works but the sysctl still shows 0:
root@tinderbox:/root # sysctl security.jail.param.allow.chflags
security.jail.param.allow.chflags: 0
root@tinderbox:/root # chflags schg foo ; chflags noschg foo
root@tinderbox:/root #

>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->emaste 
Responsible-Changed-By: emaste 
Responsible-Changed-When: Tue Dec 4 14:26:51 UTC 2012 
Responsible-Changed-Why:  
Assign to myself for tracking. 

This stuff is rather opaque and poorly documented, but it does appear to 
function. 

There are two sysctls associated with each of these parameters - e.g.: 

security.jail.param.allow.mount.nullfs: 
Jail may mount the nullfs file system 

security.jail.mount_nullfs_allowed: 
Processes in jail can mount the nullfs file system 

The non-param one inside the jail tracks jail -m modifications done by the
host.


http://www.freebsd.org/cgi/query-pr.cgi?pr=174104 
>Unformatted:
