From owner-freebsd-hackers  Sun Mar 16 23: 4: 8 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 35A3237B401
	for <freebsd-hackers@FreeBSD.ORG>; Sun, 16 Mar 2003 23:04:07 -0800 (PST)
Received: from ints.mail.pike.ru (ints.mail.pike.ru [195.9.45.194])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 94E2A43F3F
	for <freebsd-hackers@FreeBSD.ORG>; Sun, 16 Mar 2003 23:04:05 -0800 (PST)
	(envelope-from babolo@cicuta.babolo.ru)
Received: (qmail 23795 invoked from network); 17 Mar 2003 07:19:40 -0000
Received: from babolo.ru (HELO cicuta.babolo.ru) (194.58.226.160)
  by ints.mail.pike.ru with SMTP; 17 Mar 2003 07:19:40 -0000
Received: (nullmailer pid 883 invoked by uid 136);
	Mon, 17 Mar 2003 07:06:27 -0000
Subject: Re: jail support for ping, traceroute, etc.. crude hack
X-ELM-OSV: (Our standard violations) hdr-charset=KOI8-R; no-hdr-encoding=1
In-Reply-To: <20030317005641.GA8288@puck.nether.net>
To: Jared Mauch <jared@puck.nether.net>
Date: Mon, 17 Mar 2003 10:06:27 +0300 (MSK)
From: "."@babolo.ru
Cc: Mooneer Salem <mooneer@translator.cx>,
	freebsd-hackers@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL99b (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Message-Id: <1047884787.866448.882.nullmailer@cicuta.babolo.ru>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

> On Sun, Mar 16, 2003 at 02:30:36PM -0800, Mooneer Salem wrote:
> 
> 	When i was looking at this i was somewhat frustated with
> the way suser() doesn't really allow any sort of a context-of-check
> to happen easily that i was able to find.  ie, was it for a networking
> check, filesystem, etc..  so my first stab at this ended up with
> every user being able to do raw ip packets which was bad.. i
> ended up doing the p->p_prison save hack instead to get the result
> then applied the prison policy there.
It is time to invent "ping socket" and "traceroute socket"
in addition to tcp, udp, divert so on?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message