From: Michal Mertl
To: freebsd-current
Cc: rwatson@freebsd.org
Date: Mon, 09 Oct 2006 23:11:02 +0200
Message-Id: <1160428262.1009.58.camel@genius.i.cz>
Subject: Little patch to mac_portacl(4)

Hello,

I have just found out that mac_portacl breaks root binding of low ports in a jail. I think that root in a jail should be allowed to bind to protected ports. Alternatively it can be easily made optional.

What do you think? One-line patch attached.

Regards

Michal

Content-Disposition: attachment; filename=mac_portacl.diff

Index: mac_portacl.c =================================================================== RCS file: /home/fcvs/cvs/src/sys/security/mac_portacl/mac_portacl.c,v retrieving revision 1.8 diff -u -r1.8 mac_portacl.c --- mac_portacl.c 31 Oct 2005 15:41:28 -0000 1.8 +++ mac_portacl.c 9 Oct 2006 20:55:28 -0000 @@ -427,7 +427,7 @@ mtx_unlock(&rule_mtx); if (error != 0 && mac_portacl_suser_exempt != 0) - error = suser_cred(cred, 0); + error = suser_cred(cred, SUSER_ALLOWJAIL); return (error); }
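
Review bot: on the changed `suser_cred()` call, the jail exemption becomes unconditional whenever `mac_portacl_suser_exempt` is non-zero, so an administrator who relies on the portacl rules to keep jailed root off protected ports has no way to retain the current behaviour. Gate the flag behind its own tunable that defaults to off, for example `suser_cred(cred, jail_exempt ? SUSER_ALLOWJAIL : 0)` where `jail_exempt` is a hypothetical new knob, which also matches the "made optional" alternative raised in the message. The behaviour change should be described in mac_portacl(4) as well, since the patch as posted touches only mac_portacl.c.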