Date:      9 Jul 2012 20:17:04 -0000
From:      David Thiel <lx@redundancy.redundancy.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/169751: reading routing information does not work in jails
Message-ID:  <20120709201704.84931.qmail@redundancy.redundancy.org>
Resent-Message-ID: <201207092030.q69KUBgQ054116@freefall.freebsd.org>


>Number:         169751
>Category:       kern
>Synopsis:       reading routing information does not work in jails
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jul 09 20:30:10 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     David Thiel
>Release:        FreeBSD 9.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD redundancy.redundancy.org 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:

Processes do not appear to be able to open routing sockets within jails, 
regardless of the setting of the security.jail.socket_unixiproute_only or 
security.jail.allow_raw_sockets sysctls. This manifests as not being able to 
use commands such as "route get" or "nmap" SYN scans. While it is 
understandable that one should not be able to write to routing sockets from a 
non-VIMAGE jail, being able to read this information is quite useful 
functionality (critical, in my case).

http://marc.info/?l=freebsd-stable&m=133590147421290&w=2
http://seclists.org/nmap-dev/2012/q2/220

>How-To-Repeat:

Outside of a jail:

    [dthiel@host ~ 1350 ] sudo route get asdf.com
       route to: apache2-emu.malabo.dreamhost.com
    destination: default
           mask: default
        gateway: 210.15.12.11
      interface: em0
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
           0         0         0         0      1500         1         0 

Inside jail:

    [dthiel@host ~ 1347 ] sudo jexec 15 /bin/sh 
    # route get asdf.com
    route: writing to routing socket: No such process
    
    # nmap freebsd.org
    
    Starting Nmap 6.00 ( http://nmap.org ) at 2012-07-09 20:08 UTC
    nexthost: failed to determine route to freebsd.org (69.147.83.40)
    QUITTING!

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:

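A small probe, added here and not part of the PR or of FreeBSD's own route(8), that performs the same steps as `route get` (open a PF_ROUTE socket, send RTM_GET, read the reply) and reports which step failed and with which errno, so the behaviour above can be compared inside and outside a jail. The function names, result codes and the default destination 8.8.8.8 are my own choices; on a non-FreeBSD host it only reports unsupported.

```c
/* rtprobe.c (added example): cc -o rtprobe rtprobe.c && ./rtprobe 8.8.8.8 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __FreeBSD__
#include <net/route.h>
#endif
/* Outcome of rt_probe(): the step that failed; *err receives its errno. */
enum { RT_OK, RT_EADDR, RT_ESOCKET, RT_EWRITE, RT_EREPLY, RT_UNSUPPORTED };
/* Send RTM_GET for dst (dotted quad) and wait for the kernel's reply, as "route get" does. */
int rt_probe(const char *dst, int *err)
{
    struct in_addr ia;
    *err = 0;
    if (inet_pton(AF_INET, dst, &ia) != 1) { *err = EINVAL; return RT_EADDR; }
#ifndef __FreeBSD__
    return RT_UNSUPPORTED;             /* struct rt_msghdr is BSD-specific */
#else
    struct { struct rt_msghdr hdr; struct sockaddr_in sin; } m;
    union { struct rt_msghdr hdr; char raw[2048]; } rep;
    ssize_t n;
    int s = socket(PF_ROUTE, SOCK_RAW, AF_INET);
    if (s < 0) { *err = errno; return RT_ESOCKET; }
    memset(&m, 0, sizeof m);
    m.hdr.rtm_msglen = sizeof m; m.hdr.rtm_version = RTM_VERSION;
    m.hdr.rtm_type = RTM_GET; m.hdr.rtm_addrs = RTA_DST;
    m.hdr.rtm_pid = getpid(); m.hdr.rtm_seq = 1;
    m.sin.sin_len = sizeof m.sin; m.sin.sin_family = AF_INET; m.sin.sin_addr = ia;
    /* In the PR this write fails inside the jail with ESRCH ("No such process"). */
    if (write(s, &m, sizeof m) < 0) { *err = errno; close(s); return RT_EWRITE; }
    do n = read(s, &rep, sizeof rep);  /* replies reach every routing socket: match pid/seq */
    while (n > 0 && (rep.hdr.rtm_pid != getpid() || rep.hdr.rtm_seq != 1));
    close(s);
    if (n <= 0) { *err = n < 0 ? errno : EIO; return RT_EREPLY; }
    *err = rep.hdr.rtm_errno;          /* non-zero if the lookup itself failed */
    return *err ? RT_EREPLY : RT_OK;
#endif
}
int main(int argc, char **argv)
{
    static const char *step[] = { "ok", "bad address", "socket", "write", "reply", "unsupported" };
    const char *dst = argc > 1 ? argv[1] : "8.8.8.8";   /* constructed default target */
    int e, rc = rt_probe(dst, &e);
    printf("%s: %s (%s)\n", dst, step[rc], strerror(e));
    return rc;
}
```

Run it once on the host and once under `jexec` with the same destination; the step and errno it prints is the comparison the report describes.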