Index: kern/kern_jail.c
===================================================================
RCS file: /private/FreeBSD/src/sys/kern/kern_jail.c,v
retrieving revision 1.42
diff -u -p -r1.42 kern_jail.c
--- kern/kern_jail.c	26 Apr 2004 19:46:52 -0000	1.42
+++ kern/kern_jail.c	15 May 2004 16:40:50 -0000
@@ -64,6 +64,11 @@ SYSCTL_INT(_security_jail, OID_AUTO, all
     &jail_allow_raw_sockets, 0,
     "Prison root can create raw sockets");
 
+int	jail_allow_system_flags_modifications = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_system_flags_modifications,
+    CTLFLAG_RW, &jail_allow_system_flags_modifications, 0,
+    "Prison root can modify systems flags");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
 struct	prisonlist allprison;
 struct	mtx allprison_mtx;
Index: sys/jail.h
===================================================================
RCS file: /private/FreeBSD/src/sys/sys/jail.h,v
retrieving revision 1.21
diff -u -p -r1.21 jail.h
--- sys/jail.h	26 Apr 2004 19:46:52 -0000	1.21
+++ sys/jail.h	15 May 2004 16:41:55 -0000
@@ -83,6 +83,7 @@ extern int	jail_socket_unixiproute_only;
 extern int	jail_sysvipc_allowed;
 extern int	jail_getfsstat_jailrootonly;
 extern int	jail_allow_raw_sockets;
+extern int	jail_allow_system_flags_modifications;
 
 LIST_HEAD(prisonlist, prison);
 extern struct	prisonlist allprison;
Index: ufs/ufs/ufs_vnops.c
===================================================================
RCS file: /private/FreeBSD/src/sys/ufs/ufs/ufs_vnops.c,v
retrieving revision 1.239
diff -u -p -r1.239 ufs_vnops.c
--- ufs/ufs/ufs_vnops.c	7 Apr 2004 03:47:20 -0000	1.239
+++ ufs/ufs/ufs_vnops.c	15 May 2004 16:46:09 -0000
@@ -51,6 +51,7 @@ __FBSDID("$FreeBSD: src/sys/ufs/ufs/ufs_
 #include <sys/stat.h>
 #include <sys/bio.h>
 #include <sys/buf.h>
+#include <sys/jail.h>
 #include <sys/mount.h>
 #include <sys/unistd.h>
 #include <sys/vnode.h>
@@ -499,7 +500,8 @@ ufs_setattr(ap)
 		 * Privileged non-jail processes may not modify system flags
 		 * if securelevel > 0 and any existing system flags are set.
 		 */
-		if (!suser_cred(cred, PRISON_ROOT)) {
+		if (!suser_cred(cred,
+		    jail_allow_system_flags_modifications ? PRISON_ROOT : 0)) {
 			if (ip->i_flags
 			    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
 				error = securelevel_gt(cred, 0);
Index: gnu/ext2fs/ext2_vnops.c
===================================================================
RCS file: /private/FreeBSD/src/sys/gnu/ext2fs/ext2_vnops.c,v
retrieving revision 1.83
diff -u -p -r1.83 ext2_vnops.c
--- gnu/ext2fs/ext2_vnops.c	7 Apr 2004 20:46:03 -0000	1.83
+++ gnu/ext2fs/ext2_vnops.c	15 May 2004 16:45:38 -0000
@@ -53,6 +53,7 @@
 #include <sys/bio.h>
 #include <sys/buf.h>
 #include <sys/proc.h>
+#include <sys/jail.h>
 #include <sys/mount.h>
 #include <sys/unistd.h>
 #include <sys/time.h>
@@ -480,7 +481,8 @@ ext2_setattr(ap)
 		 * Privileged non-jail processes may not modify system flags
 		 * if securelevel > 0 and any existing system flags are set.
 		 */
-		if (!suser_cred(cred, PRISON_ROOT)) {
+		if (!suser_cred(cred,
+		    jail_allow_system_flags_modifications ? PRISON_ROOT : 0)) {
 			if (ip->i_flags
 			    & (SF_NOUNLINK | SF_IMMUTABLE | SF_APPEND)) {
 				error = securelevel_gt(cred, 0);