Index: usr.sbin/ugidfw/ugidfw.8 =================================================================== --- usr.sbin/ugidfw/ugidfw.8 (revision 195305) +++ usr.sbin/ugidfw/ugidfw.8 (working copy) @@ -44,20 +44,22 @@ .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! .Cm gid Ar gid | mingid:maxgid .Oc .Oo .Op Cm \&! +.Cm injail | +.Op Cm \&! .Cm jailid Ad jailid .Oc .Cm object .Op Cm not .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! @@ -99,20 +101,22 @@ .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! .Cm gid Ar gid | mingid:maxgid .Oc .Oo .Op Cm \&! +.Cm injail | +.Op Cm \&! .Cm jailid Ad jailid .Oc .Cm object .Op Cm not .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! @@ -202,37 +206,39 @@ .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! .Cm gid Ar gid | mingid:maxgid .Oc .Oo .Op Cm \&! +.Cm injail | +.Op Cm \&! .Cm jailid Ad jailid .Oc .Xc Subjects performing an operation must match all the conditions given. A leading .Cm not means that the subject should not match the remainder of the specification. A condition may be prefixed by .Cm \&! to indicate that particular condition must not match the subject. The subject can be required to have a particular .Ar uid and/or .Ar gid . A range of uids/gids can be specified, seperated by a colon. -The subject can be required to be in a particular jail with the +The subject can be required to be in any jail, or a particular jail with the .Ar jailid . .It Xo .Cm object .Op Cm not .Oo .Op Cm \&! .Cm uid Ar uid | minuid:maxuid .Oc .Oo .Op Cm \&! Index: lib/libugidfw/ugidfw.c =================================================================== --- lib/libugidfw/ugidfw.c (revision 195305) +++ lib/libugidfw/ugidfw.c (working copy) 
@@ -188,22 +188,25 @@ } } if (!notdone && (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED)) { len = snprintf(cur, left, "! "); if (len < 0 || len > left) goto truncated; left -= len; cur += len; } if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) { - len = snprintf(cur, left, "jailid %d ", - rule->mbr_subject.mbs_prison); + if (rule->mbr_subject.mbs_prison >= 0) + len = snprintf(cur, left, "jailid %d ", + rule->mbr_subject.mbs_prison); + else + len = snprintf(cur, left, "injail "); if (len < 0 || len > left) goto truncated; left -= len; cur += len; } } len = snprintf(cur, left, "object "); if (len < 0 || len > left) goto truncated; @@ -658,20 +661,36 @@ } if (bsde_parse_gidrange(argv[current+1], &gid_min, &gid_max, buflen, errstr) < 0) return (-1); flags |= MBS_GID_DEFINED; if (nextnot) { neg ^= MBS_GID_DEFINED; nextnot = 0; } current += 2; + } else if (strcmp(argv[current], "injail") == 0) { + if (current + 1 > argc) { + len = snprintf(errstr, buflen, "prison short"); + return (-1); + } + if (flags & MBS_PRISON_DEFINED) { + len = snprintf(errstr, buflen, "one jail only"); + return (-1); + } + jid = -1; + flags |= MBS_PRISON_DEFINED; + if (nextnot) { + neg ^= MBS_PRISON_DEFINED; + nextnot = 0; + } + current += 1; } else if (strcmp(argv[current], "jailid") == 0) { if (current + 2 > argc) { len = snprintf(errstr, buflen, "prison short"); return (-1); } if (flags & MBS_PRISON_DEFINED) { len = snprintf(errstr, buflen, "one jail only"); return (-1); } value = strtol(argv[current+1], &endp, 10); Index: sys/security/mac_bsdextended/mac_bsdextended.c =================================================================== --- sys/security/mac_bsdextended/mac_bsdextended.c (revision 195305) +++ sys/security/mac_bsdextended/mac_bsdextended.c (working copy) 
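Review bot: The new `mbs_prison >= 0` test in the MBS_PRISON_DEFINED branch makes every negative prison id print as `injail`, but nothing in the hunk says a negative value is a sentinel. The same undocumented convention appears in the parser hunk below (`jid = -1;`) and in the mac_bsdextended.c hunk (`mbs_prison >= 0`), so the three places can drift apart silently. I would add a comment above the test such as `/* mbs_prison < 0 means "any jail" (set by the injail keyword) */`, or better, define one named constant in the shared header and use it in all three places. The enclosing function starts and ends outside the hunk.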
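Review bot: Now that `jid = -1` means "any jail", the `jailid` branch that follows still takes its value from `strtol(argv[current+1], &endp, 10)`, and no range check is visible in the hunk. If the lines after the hunk do not reject negative values, `jailid -1` would install a rule that matches every jailed subject instead of one jail, widening the policy without any diagnostic. I would reject it in that branch, e.g. `if (value < 0) { snprintf(errstr, buflen, "invalid jid"); return (-1); }`. Separately, the copied guard `if (current + 1 > argc)` in the new `injail` branch looks unreachable if the loop already keeps `current < argc`, and its "prison short" message does not fit a keyword that takes no argument. The function body continues outside the hunk.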
@@ -264,22 +264,25 @@ } } } if (rule->mbr_subject.mbs_neg & MBS_GID_DEFINED) match = !match; if (!match) return (0); } if (rule->mbr_subject.mbs_flags & MBS_PRISON_DEFINED) { - match = - (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison); + if (rule->mbr_subject.mbs_prison >= 0) + match = + (cred->cr_prison->pr_id == rule->mbr_subject.mbs_prison); + else + match = (cred->cr_prison->pr_id > 0); if (rule->mbr_subject.mbs_neg & MBS_PRISON_DEFINED) match = !match; if (!match) return (0); } /* * Is there an object match? */ if (rule->mbr_object.mbo_flags & MBO_UID_DEFINED) {
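Review bot: The `else` arm treats any negative `mbs_prison` arriving from userland as "match every jailed credential", so the kernel should accept only the one intended sentinel. No such validation is visible in this hunk; if the rule-validation path outside it does not already restrict the field, a malformed or stale rule would be read as the broadest jail match. The jailed test is also open-coded as `cred->cr_prison->pr_id > 0`; `match = jailed(cred);` states the intent and follows the kernel's own definition of a jailed credential. The enclosing function starts and ends outside the hunk.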