Index: jail.8 =================================================================== RCS file: /usr/repo/src/usr.sbin/jail/jail.8,v retrieving revision 1.65 diff -u -p -r1.65 jail.8 --- jail.8 28 May 2005 16:23:29 -0000 1.65 +++ jail.8 9 Jun 2005 19:57:29 -0000 @@ -455,20 +455,21 @@ and interact with various network subsys where privileged access to jails is given out to untrusted parties. As such, by default this option is disabled. -.It Va security.jail.getfsstatroot_only -This MIB entry determines whether or not processes within a jail are able -to see data for all mountpoints. -When set to 1 (default), the -.Xr getfsstat 2 -system call returns only (when called by jailed processes) the data for -the file system on which the jail's root vnode is located. -Note: this also has the effect of hiding other mounts inside a jail, -such as -.Pa /dev , -.Pa /tmp , -and -.Pa /proc , -but errs on the side of leaking less information. +.It Va security.jail.enforce_statfs +This MIB entry determines which informations about mount-points, processes +within a jail are able to get. +It affects behaviour of the following syscalls: +.Xr statfs 2 , +.Xr fstatfs 2 , +.Xr getfsstat 2 , +.Xr fhstatfs 2 +(and simlar compatibility syscalls). +When set to 0, all mount-points are available without any restrictions. +When set to 1, only mount-points below jail's chroot directory are visible. +In addition, path to jail's chroot directory is removed from the front of +their pathnames. +When set to 2 (default), above syscalls can operate only on a mount-point +where jail's chroot directory is placed. .It Va security.jail.set_hostname_allowed This MIB entry determines whether or not processes within a jail are allowed to change their hostname via
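Review bot: In the added security.jail.enforce_statfs entry, the description of value 2 (default) drops the removed entry's note that other mounts inside the jail, such as /dev, /tmp and /proc, are hidden from jailed processes. If that side effect still applies when the syscalls "can operate only on a mount-point where jail's chroot directory is placed", please keep the note, because it is what administrators will run into first. The removed text also explained the trade-off ("errs on the side of leaking less information"). The new text should say just as plainly that value 0 makes all mount-points available to jailed processes, and that value 1 strips the chroot prefix from the pathnames of the mount-points it shows. Wording in the same added block: "simlar" should be "similar", and the opening sentence would read better as "This MIB entry determines what information about mount-points processes within a jail are able to get." Since the entry is renamed from security.jail.getfsstatroot_only, a sentence pointing from the old name to the new one would help anyone who still has the old name in existing configuration.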