From 6087050ef52c4e45eeec5ffd773fcc25c9c768c9 Mon Sep 17 00:00:00 2001
From: Alexander Leidinger
Date: Tue, 31 Mar 2026 19:20:25 +0200
Subject: [PATCH] Jail sysctls: deprecate generic sysctls in favour of allow-flags
- add a missing sysctl to the deprecated list
- add a comment to not add new generic sysctls and point to SYSCTL_JAIL_PARAM instead
Reviewed by: jamie
Differential Revision: https://reviews.freebsd.org/D51150
---
 sys/kern/kern_jail.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 369b6aca926..9f78cb42aeb 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -4988,6 +4988,10 @@ sysctl_jail_default_allow(SYSCTL_HANDLER_ARGS)
 return (0);
 }
+/*
+ * Do not add more here. Use SYSCTL_JAIL_PARAM (allow flags for jails)
+ * instead.
+ */
 SYSCTL_PROC(_security_jail, OID_AUTO, set_hostname_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_SET_HOSTNAME, sysctl_jail_default_allow, "I",
@@ -5015,7 +5019,7 @@ SYSCTL_PROC(_security_jail, OID_AUTO, mount_allowed,
 SYSCTL_PROC(_security_jail, OID_AUTO, mlock_allowed, CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, PR_ALLOW_MLOCK, sysctl_jail_default_allow, "I",
- "Processes in jail can lock/unlock physical pages in memory");
+ "Processes in jail can lock/unlock physical pages in memory (deprecated)");
 static int sysctl_jail_default_level(SYSCTL_HANDLER_ARGS)
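Review bot: The comment added above `set_hostname_allowed` says "here" without naming what it covers or why, so a later reader can take it as applying to that one entry only. Since the commit message describes these as generic sysctls deprecated in favour of allow flags, the comment could say so directly, for example `/* Deprecated generic sysctls: do not add more security.jail.*_allowed entries; define a jail allow flag with SYSCTL_JAIL_PARAM instead. */`. The run of SYSCTL_PROC entries continues past the end of this hunk, so where the deprecated block ends is not visible here.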
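Review bot: The deprecation of `mlock_allowed` is announced only in the description string, so a host that still sets this sysctl gets no signal unless someone reads the description. The entry is still `CTLFLAG_RW` and passes `PR_ALLOW_MLOCK` to `sysctl_jail_default_allow`, which presumably changes a default permission for jails, so a stale setting keeps taking effect silently. I would add a line above the entry naming the replacement, e.g. `/* Deprecated: set the allow.mlock jail parameter instead. */`, and confirm whether the handler logs on write. The handler body is outside this hunk, so that cannot be checked from here.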