From owner-cvs-src@FreeBSD.ORG  Sat Aug 21 17:38:58 2004
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 46E0116A4CF; Sat, 21 Aug 2004 17:38:58 +0000 (GMT)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 316F643D53; Sat, 21 Aug 2004 17:38:58 +0000 (GMT)
	(envelope-from csjp@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i7LHcwfT085241;
	Sat, 21 Aug 2004 17:38:58 GMT
	(envelope-from csjp@repoman.freebsd.org)
Received: (from csjp@localhost)
	by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i7LHcwgP085240;
	Sat, 21 Aug 2004 17:38:58 GMT
	(envelope-from csjp)
Message-Id: <200408211738.i7LHcwgP085240@repoman.freebsd.org>
From: "Christian S.J. Peron" <csjp@FreeBSD.org>
Date: Sat, 21 Aug 2004 17:38:58 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org,
	cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/net route.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Aug 2004 17:38:58 -0000

csjp        2004-08-21 17:38:58 UTC

  FreeBSD src repository

  Modified files:
    sys/net              route.c 
  Log:
  When a prison is given the ability to create raw sockets (when the
  security.jail.allow_raw_sockets sysctl MIB is set to 1) where privileged
  access to jails is given out, it is possible for prison root to manipulate
  various network parameters which effect the host environment. This commit
  plugs a number of security holes associated with the use of raw sockets
  and prisons.
  
  This commit makes the following changes:
  
  - Add a comment to rtioctl warning developers that if they add
    any ioctl commands, they should use super-user checks where necessary,
    as it is possible for PRISON root to make it this far in execution.
  - Add super-user checks for the execution of the SIOCGETVIFCNT
    and SIOCGETSGCNT IP multicast ioctl commands.
  - Add a super-user check to rip_ctloutput(). If the calling cred
    is PRISON root, make sure the socket option name is IP_HDRINCL,
    otherwise deny the request.
  
  Although this patch corrects a number of security problems associated
  with raw sockets and prisons, the warning in jail(8) should still
  apply, and by default we should keep the default value of
  security.jail.allow_raw_sockets MIB to 0 (or disabled) until
  we are certain that we have tracked down all the problems.
  
  Looking forward, we will probably want to eliminate the
  references to curthread.
  
  This may be a MFC candidate for RELENG_5.
  
  Reviewed by:    rwatson
  Approved by:    bmilekic (mentor)
  
  Revision  Changes    Path
  1.107     +7 -0      src/sys/net/route.c