From 8b1807b878e1530fdd59b4ba5961a54e19a351bf Mon Sep 17 00:00:00 2001 From: pjd Date: Thu, 20 May 2004 05:30:16 +0000 Subject: [PATCH] Document security.jail.getfsstatroot_only sysctl. Obtained from: rwatson's commit log Approved by: rwatson --- usr.sbin/jail/jail.8 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 9ed0d952dcf..96d99aec8ff 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -416,6 +416,20 @@ with the IP address bound to the jail, regardless of whether or not the .Dv IP_HDRINCL flag has been set on the socket. +.It Va security.jail.getfsstatroot_only +This MIB entry determines whether or not processes within a jail is able +to see data for all mountpoints. +When set to 1 (default), +.Xr getfsstat 2 +system call only return (while called by jailed processes) the data for +the file system on which jail's root vnode is located. +Note: this also has the effect of hiding other mounts inside a jail, +such as +.Pa /dev , +.Pa /tmp , +and +.Pa /proc , +but errs on the side of leaking less information. .It Va security.jail.set_hostname_allowed This MIB entry determines whether or not processes within a jail are allowed to change their hostname via -- 2.45.2
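Review bot: In the added `.It Va security.jail.getfsstatroot_only` entry, the first two sentences have grammar problems that should be fixed before this lands in the manual page: "processes within a jail is able" has a subject-verb mismatch, and "system call only return (while called by jailed processes)" is missing an article and uses the wrong verb form. Suggested wording: "processes within a jail are able to see data for all mountpoints" and "the `.Xr getfsstat 2` system call returns (when called by jailed processes) only the data for the file system on which the jail's root vnode is located". The entry also describes only the behaviour when the value is 1. Adding one sentence on what a jailed process sees when it is set to 0 would let an administrator weigh the trade-off in the closing note, where mounts inside the jail such as `/dev`, `/tmp` and `/proc` are hidden in exchange for leaking less information.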