Date:      Wed, 11 Nov 2020 11:52:35 -0300
From:      carlos antonio neira bustos <cneirabustos@gmail.com>
To:        Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Cc:        freebsd-net <freebsd-net@freebsd.org>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: Allow PING(8) in jails without raw socket access permissions
Message-ID:  <CACiB22hXYYWb7ebZBJARVM9HZbmnjUzQ9TYV_75OQ3-teP6DqQ@mail.gmail.com>
In-Reply-To: <9ffe565d-65cb-cbfa-f0dc-189ee8d7215e@heuristicsystems.com.au>
References:  <CACiB22jQTwR=yJQG8hxBuVU=xbn-rpJ1PZVQ=7xPzEV8en90=A@mail.gmail.com> <9ffe565d-65cb-cbfa-f0dc-189ee8d7215e@heuristicsystems.com.au>

Thank you all for the feedback.
I'll resume work on this taking your comments into account.

Thanks again!


On Fri, Oct 23, 2020 at 10:00 PM Dewayne Geraghty <
dewayne.geraghty@heuristicsystems.com.au> wrote:

> On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> > Hello,
> >
> > I currently have a patch in review with jamie, who is the current jail
> > maintainer, and kyle evans; if anyone else could comment/review this
> > patch:
> > https://reviews.freebsd.org/D26782
> >
> > What has been done is the following:
> >
> > Raw socket access is allowed for the ICMP protocol, as is required by
> > PING(8), but option IP_HDRINCL is not allowed. To accomplish this,
> > a new privilege, PRIV_NETINET_ICMP_ACCESS, has been added by default for
> > jails.
> >
> >
> > Bests
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> >
> Thanks for the heads-up Carlos.  I have a use for allowing only ICMP
> traffic, so it's beneficial.
>
> However I do agree with BZ that it should not be enabled by default, as
> it weakens the security model, enabling a broken jail to more easily
> enumerate the wider network environment.
>
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
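The distinction the patch draws is between a raw ICMP socket (the kernel builds the IP header, so the sender controls only the ICMP payload) and IP_HDRINCL (the sender supplies the whole IP header, including the source address). The program below is an added illustration, not code from review D26782, ping(8) or the FreeBSD tree: it builds a checksummed ICMP echo request exactly as a ping would, then probes which of the two capabilities the current process has. The classification of results (raw socket refused / raw socket allowed but IP_HDRINCL refused / both allowed) is my own; the thread does not say which errno the patched kernel returns when IP_HDRINCL is refused, so the code reports errno rather than assuming a value. The payload string and the identifier 0x1234 are constructed sample inputs.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ICMP_ECHO_REQ 8   /* ICMP echo request type (RFC 792) */

/* RFC 1071 ones'-complement checksum over big-endian 16-bit words. */
uint16_t icmp_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;   /* odd trailing byte, zero-padded */
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)(~sum & 0xffff);
}

/* Serialise an ICMP echo request (8-byte header + payload) into out.
 * Returns the packet length, or 0 if the buffer is too small. */
size_t build_echo_request(uint8_t *out, size_t cap, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t plen)
{
    size_t len = 8 + plen;
    uint16_t ck;
    if (cap < len)
        return 0;
    out[0] = ICMP_ECHO_REQ;
    out[1] = 0;                               /* code */
    out[2] = 0; out[3] = 0;                   /* checksum, computed below */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)(id & 0xff);
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)(seq & 0xff);
    if (plen)
        memcpy(out + 8, payload, plen);
    ck = icmp_cksum(out, len);
    out[2] = (uint8_t)(ck >> 8); out[3] = (uint8_t)(ck & 0xff);
    return len;
}

/* 1 if pkt is an echo request whose checksum verifies (sum over the whole
 * packet, checksum field included, must come out as zero), else 0. */
int icmp_echo_valid(const uint8_t *pkt, size_t len)
{
    if (len < 8 || pkt[0] != ICMP_ECHO_REQ || pkt[1] != 0)
        return 0;
    return icmp_cksum(pkt, len) == 0;
}

/* Probe the raw-socket capabilities of this process. Return values are my
 * own classification (assumption, not from the patch):
 *   0  raw ICMP socket refused, *err = errno
 *   1  raw ICMP socket allowed but IP_HDRINCL refused, *err = errno
 *      (the mode the patch describes: ICMP only, no caller-built IP header)
 *   2  both allowed: full raw-IP capability, including source-address control */
int probe_raw_icmp(int *err)
{
    int on = 1, rv;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) { *err = errno; return 0; }
    rv = setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof on);
    *err = rv < 0 ? errno : 0;
    close(fd);
    return rv < 0 ? 1 : 2;
}

/* Send one echo request without IP_HDRINCL: the kernel prepends the IP
 * header and picks the source address. Returns bytes sent or -1. */
ssize_t send_echo(const char *dst_ip, const uint8_t *pkt, size_t len)
{
    struct sockaddr_in dst;
    ssize_t n;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return -1;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) { close(fd); return -1; }
    n = sendto(fd, pkt, len, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "jail-ping";          /* constructed sample payload */
    size_t len = build_echo_request(pkt, sizeof pkt, 0x1234, 1,
                                    payload, sizeof payload - 1);
    int err, mode = probe_raw_icmp(&err);
    static const char *desc[] = { "raw ICMP socket refused",
        "raw ICMP socket OK, IP_HDRINCL refused", "raw ICMP and IP_HDRINCL allowed" };
    printf("%s (errno %d: %s)\n", desc[mode], err, err ? strerror(err) : "-");
    if (mode >= 1 && argc > 1)
        printf("sent %zd bytes to %s\n", send_echo(argv[1], pkt, len), argv[1]);
    return 0;
}
```

Run it inside a jail with and without the new privilege to see the mode change; the ICMP builder is what ping(8) needs, while the refused setsockopt is exactly the part (caller-supplied IP header, hence a forgeable source address) that the patch keeps out of the jail.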
