From owner-freebsd-net@FreeBSD.ORG Thu Jan 3 03:27:03 2013 Return-Path: Delivered-To: freebsd-net@FreeBSD.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id B848DB31; Thu, 3 Jan 2013 03:27:03 +0000 (UTC) (envelope-from jamie@FreeBSD.org) Received: from m2.gritton.org (gritton.org [199.192.164.235]) by mx1.freebsd.org (Postfix) with ESMTP id 8D7051A8; Thu, 3 Jan 2013 03:27:00 +0000 (UTC) Received: from glorfindel.gritton.org (c-174-52-130-157.hsd1.ut.comcast.net [174.52.130.157]) (authenticated bits=0) by m2.gritton.org (8.14.5/8.14.5) with ESMTP id r033Epe3091804; Wed, 2 Jan 2013 20:14:51 -0700 (MST) (envelope-from jamie@FreeBSD.org) Message-ID: <50E4F7A9.4070900@FreeBSD.org> Date: Wed, 02 Jan 2013 20:14:49 -0700 From: Jamie Gritton User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.24) Gecko/20120129 Thunderbird/3.1.16 MIME-Version: 1.0 To: FreeBSD-Jail , freebsd-net@FreeBSD.org Subject: kern/68189 and kern/169751: what jails are allowed to see in a routing socket Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: David Thiel , "Bjoern A. Zeeb" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Jan 2013 03:27:03 -0000 I've been looking at PR kern/169751, which was noting that routing sockets don't work inside a jail. It made the point that setting security.jail.socket_unixiproute_only or security.jail.allow_raw_sockets didn't help things. It would seem kind of a given from the "unixiproute" name that a route socket ought to work. And indeed, such a socket is permitted to be created in such a jail. It's just using it that doesn't work. I narrowed this failure down to line 816 of sys/net/rtsock.c, which explicitly denies jails from reading routes, regardless of the setting of the above two sysctls (or the jail allow.* bits they work with). And that bit of code came about in response to PR kern/68189, which noted that jails could see interfaces that aren't theirs (i.e. their address doesn't live on it). So we have two PRs that are kind of at cross purposes. It would be nice to keep hiding non-jail interfaces from a jail, but it would also be nice to let a jailed process know the route to somewhere - at least sometimes. One solution would be to add a much finer layer of control to the jail test in rtsock.c, looking at interfaces and seeing if they're somehow connected with one of the jail's IP addresses. But that just seems like a lot of messy corner-case code. Another way around this, and what I'd like to go with if there are no objections, is to allow the route sockets to be used by jails that have raw_sockets permission. I know that's kind of a semantic leap, but it seems that a jail that has the power of using raw sockets would be able to do pretty much as it pleases with routes anyway if it tried hard enough. Also, it would be consistent to allow such operations on jails that aren't IP-restricted, or in VIMAGE jails. - Jamie