ihoro · ihoro · Oct 29, 2024 · Nov 8, 2024 · Nov 8, 2024 · Nov 22, 2024
diff --git a/share/man/man9/sysctl.9 b/share/man/man9/sysctl.9
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 1, 2020
+.Dd November 7, 2024
 .Dt SYSCTL 9
 .Os
 .Sh NAME
@@ -901,7 +901,13 @@
 This sysctl can be written to only if the effective securelevel of the
 process is \[<=] 0.
 .It Dv CTLFLAG_PRISON
-This sysctl can be written to by processes in
+It indicates that this sysctl variable may vary per
+.Xr jail 2 .
+All such variables can be listed using
+.Fl J
+option of
+.Xr sysctl 8 .
+Also, if it is not read-only then it can be written to by processes in
 .Xr jail 2 .
 .It Dv CTLFLAG_SKIP
 When iterating the sysctl name space, do not list this sysctl.

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
@@ -4356,7 +4356,7 @@
 }
 
 SYSCTL_OID(_security_jail, OID_AUTO, list,
-    CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_list, "S", "List of active jails");
 
 static int
@@ -4371,7 +4371,7 @@
 }
 
 SYSCTL_PROC(_security_jail, OID_AUTO, jailed,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_jailed, "I", "Process in jail?");
 
 static int
@@ -4391,7 +4391,7 @@
 }
 
 SYSCTL_PROC(_security_jail, OID_AUTO, vnet,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE, NULL, 0,
     sysctl_jail_vnet, "I", "Jail owns vnet?");
 
 #if defined(INET) || defined(INET6)
@@ -4427,10 +4427,10 @@
 	if (arg1 != NULL)
 		i ^= arg2;
 	/*
-	 * The sysctls don't have CTLFLAGS_PRISON, so assume prison0
+	 * The sysctls don't have CTLFLAG_PRISON, so assume prison0
 	 * for writing.
 	 */
 	mtx_lock(&prison0.pr_mtx);
 	jail_default_allow = (jail_default_allow & ~arg2) | i;
 	mtx_unlock(&prison0.pr_mtx);
 	return (0);
@@ -4513,14 +4513,14 @@
 }
 
 SYSCTL_PROC(_security_jail_children, OID_AUTO, max,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, offsetof(struct prison, pr_childmax), sysctl_jail_children,
     "I", "Maximum number of child jails");
 SYSCTL_PROC(_security_jail_children, OID_AUTO, cur,
-    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, offsetof(struct prison, pr_childcount), sysctl_jail_children,
     "I", "Current number of child jails");
 
 /*
 * Nodes to describe jail parameters.  Maximum length of string parameters
 * is returned in the string itself, and the other parameters exist merely

diff --git a/sys/kern/kern_mib.c b/sys/kern/kern_mib.c
@@ -555,7 +555,7 @@
 }
 
 SYSCTL_PROC(_kern, KERN_OSRELEASE, osrelease,
-    CTLTYPE_STRING | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_STRING | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, 0, sysctl_osrelease, "A", "Operating system release");
 
 /*
@@ -578,10 +578,10 @@
  * /usr/include/osreldate.h
  */
 SYSCTL_PROC(_kern, KERN_OSRELDATE, osreldate,
-    CTLTYPE_INT | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_MPSAFE,
+    CTLTYPE_INT | CTLFLAG_CAPRD | CTLFLAG_RD | CTLFLAG_PRISON | CTLFLAG_MPSAFE,
     NULL, 0, sysctl_osreldate, "I", "Kernel release date");
 
 /*
 * The build-id is copied from the ELF section .note.gnu.build-id.  The linker
 * script defines two variables to expose the beginning and end.  LLVM
 * currently uses a SHA-1 hash, but other formats can be supported by checking

diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h
@@ -81,10 +81,10 @@
 #define	CTLFLAG_DORMANT	0x20000000	/* This sysctl is not active yet */
 #define	CTLFLAG_ANYBODY	0x10000000	/* All users can set this var */
 #define	CTLFLAG_SECURE	0x08000000	/* Permit set only if securelevel<=0 */
-#define	CTLFLAG_PRISON	0x04000000	/* Prisoned roots can fiddle */
+#define	CTLFLAG_PRISON	0x04000000	/* Per jail, prisoned root can fiddle */
 #define	CTLFLAG_DYN	0x02000000	/* Dynamic oid - can be freed */
 #define	CTLFLAG_SKIP	0x01000000	/* Skip this sysctl when listing */
 #define	CTLMASK_SECURE	0x00F00000	/* Secure level */
 #define	CTLFLAG_TUN	0x00080000	/* Default value is loaded from getenv() */
 #define	CTLFLAG_RDTUN	(CTLFLAG_RD|CTLFLAG_TUN)
 #define	CTLFLAG_RWTUN	(CTLFLAG_RW|CTLFLAG_TUN)