From owner-freebsd-security@FreeBSD.ORG Tue Apr 20 13:00:30 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F87E16A4DD for ; Tue, 20 Apr 2004 13:00:29 -0700 (PDT)
Received: from staff.seccuris.com (staff.seccuris.com [204.112.0.40]) by mx1.FreeBSD.org (Postfix) with SMTP id 7C5ED43D48 for ; Tue, 20 Apr 2004 13:00:28 -0700 (PDT) (envelope-from maneo@bsdpro.com)
Received: (qmail 52623 invoked by uid 1006); 20 Apr 2004 20:00:27 -0000
Date: Tue, 20 Apr 2004 20:00:27 +0000
From: "Christian S.J. Peron"
To: Poul-Henning Kamp
Message-ID: <20040420200027.A51891@staff.seccuris.com>
References: <20040420015638.A84821@staff.seccuris.com> <14522.1082452837@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <14522.1082452837@critter.freebsd.dk>; from phk@phk.freebsd.dk on Tue, Apr 20, 2004 at 11:20:37AM +0200
X-Mailman-Approved-At: Thu, 22 Apr 2004 02:09:13 -0700
cc: freebsd-hackers@freebsd.org
cc: freebsd-security@freebsd.org
Subject: Re: [patch] Raw sockets in jails
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 20 Apr 2004 20:00:30 -0000

Poul/group

The following patch makes raw sockets comply with prison IP addresses.
Some tools such as traceroute(8) may require that the prison IP address
be specified on the command line, i.e. traceroute -s
Otherwise it might fail. (Because of this we may want to get rid of the
create_raw_sockets MIB altogether.)

Anyway, take a gander at it (testers' feedback welcome):

Regards
Christian S.J. Peron

--- sys/netinet/raw_ip.c.b Mon Apr 19 16:23:57 2004
+++ sys/netinet/raw_ip.c Tue Apr 20 19:43:30 2004
@@ -40,6 +40,7 @@ #include "opt_random_ip_id.h" #include +#include #include #include #include @@ -215,6 +216,11 @@ if (inp->inp_faddr.s_addr && inp->inp_faddr.s_addr != ip->ip_src.s_addr) goto docontinue; + if (inp->inp_socket->so_cred->cr_prison) { + if (htonl(inp->inp_socket->so_cred->cr_prison->pr_ip) + != ip->ip_dst.s_addr) + goto docontinue; + } if (last) { struct mbuf *n; @@ -270,7 +276,11 @@ ip->ip_off = 0; ip->ip_p = inp->inp_ip_p; ip->ip_len = m->m_pkthdr.len; - ip->ip_src = inp->inp_laddr; + if (inp->inp_socket->so_cred->cr_prison) + ip->ip_src.s_addr = + htonl(inp->inp_socket->so_cred->cr_prison->pr_ip); + else + ip->ip_src = inp->inp_laddr; ip->ip_dst.s_addr = dst; ip->ip_ttl = inp->inp_ip_ttl; } else { @@ -279,6 +289,13 @@ return(EMSGSIZE); } ip = mtod(m, struct ip *); + if (inp->inp_socket->so_cred->cr_prison) { + if (ip->ip_src.s_addr != + htonl(inp->inp_socket->so_cred->cr_prison->pr_ip)) { + m_freem(m); + return (EPERM); + } + } /* don't allow both user specified and setsockopt options, and don't allow packet length sizes that will crash */ if (((ip->ip_hl != (sizeof (*ip) >> 2)) @@ -505,6 +522,7 @@ } } +extern int jail_allow_raw_sockets; u_long rip_sendspace = RIPSNDQ; u_long rip_recvspace = RIPRCVQ; @@ -527,7 +545,11 @@ INP_INFO_WUNLOCK(&ripcbinfo); return EINVAL; } - if (td && (error = suser(td)) != 0) { + if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) { + INP_INFO_WUNLOCK(&ripcbinfo); + return (EPERM); + } + if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) { INP_INFO_WUNLOCK(&ripcbinfo); return error; } @@ -626,6 +648,11 @@ if (nam->sa_len != sizeof(*addr)) return EINVAL; + + if (td->td_ucred->cr_prison) + if (htonl(td->td_ucred->cr_prison->pr_ip) + != addr->sin_addr.s_addr) + return (EADDRNOTAVAIL); if (TAILQ_EMPTY(&ifnet) || (addr->sin_family != AF_INET && addr->sin_family != AF_IMPLINK) || --- sys/kern/kern_jail.c.bak Mon Apr 19 16:55:40 2004 +++ sys/kern/kern_jail.c Mon Apr 19 17:56:03 2004 
@@ -53,6 +53,11 @@ &jail_sysvipc_allowed, 0, "Processes in jail can use System V IPC primitives"); +int jail_allow_raw_sockets = 0; +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, + &jail_allow_raw_sockets, 0, + "Prison root can create raw sockets"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx;

On 20 Apr 2004 Poul-Henning Kamp wrote:
> In message <20040420015638.A84821@staff.seccuris.com>, "Christian S.J. Peron" writes:
> >
> > Although RAW sockets can be used when specifying the source
> > address of packets (defeating one of the aspects of the jail)
> > some people may find it useful to use utilities like ping(8)
> > or traceroute(8) from inside jails.
> >
> > Enclosed is a patch I have written which gives you the option
> > of allowing prison-root to create raw sockets inside the prison,
> > so that various network debugging programs like ping
> > and traceroute etc. can be used.
> >
> > This patch will create the security.jail.allow_raw_sockets sysctl
> > MIB. I would appreciate any feed-back from testers
> >
> > See PR #:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
>
> Could you take a peek and see how hard it would be to enforce source-IP
> compliance with the jail restriction ?
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
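Review bot: in the rip_input hunk (@@ -215,6 +216,11 @@) the new `htonl(...->pr_ip) != ip->ip_dst.s_addr` test means a jailed raw socket is handed only packets addressed exactly to the prison address, so ICMP replies to a broadcast or multicast ping, and anything else the jail might legitimately want to observe, are skipped for it; if that is the intended policy it needs a comment saying so, because the cover message talks only about source-address compliance and a reader will not expect receive-side filtering here. The `goto docontinue` is the right exit for the mismatch, matching the inp_faddr check just above it.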
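Review bot: in the first rip_output hunk (@@ -270,7 +276,11 @@) a jailed socket's inp_laddr is silently ignored in favour of pr_ip; that is consistent with the rip_bind hunk accepting nothing but the prison address, but a one-line comment (jailed raw sockets are always sourced from the prison address) would spare the next reader the trip through bind(). Style: `htonl(inp->inp_socket->so_cred->cr_prison->pr_ip)` is spelled out in full in four places in this file; fetch the prison once into a local such as `struct prison *pr = inp->inp_socket->so_cred->cr_prison;` at the top of rip_input and rip_output and test and use that, which also gets rid of the wrapped conditions.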
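Review bot: in the IP_HDRINCL hunk (@@ -279,6 +289,13 @@) the prison source check is inserted between `ip = mtod(m, struct ip *);` and the existing ip_hl/ip_len sanity check; keep the structural validation first and the policy check after it, so the header is checked for shape before any of its fields are compared against policy. Also, this path reports a disallowed source as EPERM while the rip_bind hunk reports a disallowed address as EADDRNOTAVAIL; pick one errno for the same policy violation so ping and traceroute print a consistent message either way.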
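Review bot: in the @@ -505,6 +522,7 @@ hunk `extern int jail_allow_raw_sockets;` is an ad hoc declaration dropped into a .c file; the variable is defined in kern_jail.c next to the other jail knobs, so put the extern in sys/jail.h (the first hunk already adds a new #include, which is the natural place to pick it up) and drop it here, leaving a single declaration to keep in sync with the definition.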
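Review bot: in the rip_attach hunk (@@ -527,7 +545,11 @@) the jail gate uses `jailed(td->td_ucred)` while every other hunk in the patch tests `cr_prison` directly (`inp->inp_socket->so_cred->cr_prison`, `td->td_ucred->cr_prison`); use jailed() throughout so the prison test reads the same everywhere. The switch from `suser(td)` to `suser_cred(td->td_ucred, PRISON_ROOT)` is what lets jail root past the privilege check, so it deserves a comment saying that the sysctl gate immediately above it is the only thing between jail root and a raw socket.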
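Review bot: in the rip_bind hunk (@@ -626,6 +648,11 @@) the comparison also rejects INADDR_ANY for a jailed process, since 0.0.0.0 is never equal to htonl(pr_ip); tools that bind to INADDR_ANY and let the kernel pick the source now get EADDRNOTAVAIL, which is presumably why the cover message says traceroute needs -s. Since the rip_output hunk already forces the source to pr_ip, rewriting INADDR_ANY to the prison address here instead of failing would keep those tools working without weakening the check. Two smaller points: rip_attach guards with `td &&` but this hunk dereferences `td->td_ucred` unconditionally, so either add the same guard or note why td cannot be NULL here; and the nested unbraced `if` should be a single condition with braces, matching the rest of the file.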
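Review bot: in the kern_jail.c hunk (@@ -53,6 +53,11 @@) the new security.jail.allow_raw_sockets knob defaults to 0, which is right, but nothing in the patch documents it: add it to the sysctl list in the jail(8) manual page alongside the other security.jail.* variables. The description "Prison root can create raw sockets" also undersells what the raw_ip.c hunks enforce; say that the sockets so created are bound to and sourced from the prison address. The cover message floats removing the knob now that address compliance is enforced; if it stays, the description should make clear it only gates creation, not the address restriction.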
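The following is an added example written for this review, not code from the patch or from FreeBSD: a small C probe that exercises, from userland, each check the patch adds to raw_ip.c. socket(SOCK_RAW) hits the rip_attach gate (EPERM while security.jail.allow_raw_sockets is 0), bind() to an address other than the prison's hits the rip_bind check (EADDRNOTAVAIL), and an IP_HDRINCL sendto() with a forged source hits the rip_output check (EPERM). The three addresses on the command line are assumptions, the checksum and packet builder are written here (and are the only parts meaningful outside a jail), the HDRINCL_LEN macro for the ip_len byte-order difference between FreeBSD of this era and Linux/FreeBSD 11+ is this example's own, and the expected errno values are the ones the hunks return.

```c
/* Added example written for this review, not part of the patch or of FreeBSD:
 * a userland probe for the raw-socket checks the patch adds.  Run as root inside
 * a jail on a patched kernel: ./rawprobe <jail-ip> <outside-ip> <target-ip> */
#define _DEFAULT_SOURCE 1
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__) && __FreeBSD__ < 11 /* pre-11 FreeBSD: ip_len in host order */
#define HDRINCL_LEN(x) (x)
#else                                         /* Linux, FreeBSD 11+: network order */
#define HDRINCL_LEN(x) htons(x)
#endif
static union { uint32_t align; uint8_t b[64]; } pkt; /* aligned packet buffer */

/* RFC 1071 checksum, paired byte-wise (endian-neutral); host order, store with htons(). */
uint16_t in_cksum(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;                 /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries */
    return (uint16_t)~sum;
}

/* Known-answer test: a textbook 20-byte header whose checksum field is 0xb861. */
int cksum_known_answer(void)
{
    static const uint8_t h[20] = { 0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
        0x40, 0x11, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
    return in_cksum(h, sizeof h) == 0xb861;
}

/* IPv4 + ICMP echo with a caller-chosen source, as handed to an IP_HDRINCL socket. */
size_t build_echo(uint8_t *buf, size_t cap, in_addr_t src, in_addr_t dst, uint16_t id)
{
    struct ip *ip = (struct ip *)buf;
    struct icmp *ic = (struct icmp *)(buf + sizeof *ip);
    size_t len = sizeof *ip + ICMP_MINLEN;

    if (cap < len) return 0;
    memset(buf, 0, len);
    ip->ip_v = 4; ip->ip_hl = sizeof *ip >> 2;
    ip->ip_len = HDRINCL_LEN(len); ip->ip_id = htons(id);
    ip->ip_ttl = 64; ip->ip_p = IPPROTO_ICMP;
    ip->ip_src.s_addr = src; ip->ip_dst.s_addr = dst; /* in_addr_t is network order */
    ip->ip_sum = htons(in_cksum(ip, sizeof *ip));
    ic->icmp_type = ICMP_ECHO;
    ic->icmp_id = htons(id); ic->icmp_seq = htons(1);
    ic->icmp_cksum = htons(in_cksum(ic, ICMP_MINLEN));
    return len;
}

static void fill_sin(struct sockaddr_in *sin, in_addr_t a)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
#ifdef __FreeBSD__
    sin->sin_len = sizeof *sin;
#endif
    sin->sin_addr.s_addr = a;
}

/* rip_bind check: 0 or errno; the patch answers EADDRNOTAVAIL for a non-prison address. */
int probe_bind(int fd, in_addr_t addr)
{
    struct sockaddr_in sin;
    fill_sin(&sin, addr);
    return bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 ? 0 : errno;
}

/* rip_output IP_HDRINCL check: 0 or errno; the patch answers EPERM for a forged source. */
int probe_spoof(int fd, in_addr_t src, in_addr_t dst)
{
    struct sockaddr_in to;
    size_t len = build_echo(pkt.b, sizeof pkt.b, src, dst, 7);
    fill_sin(&to, dst);
    return sendto(fd, pkt.b, len, 0, (struct sockaddr *)&to, sizeof to) < 0 ? errno : 0;
}

int main(int argc, char **argv)
{
    int fd, one = 1;
    if (argc != 4) { fprintf(stderr, "usage: %s jail-ip outside-ip target-ip\n", argv[0]); return 2; }
    in_addr_t jail = inet_addr(argv[1]), other = inet_addr(argv[2]), target = inet_addr(argv[3]);
    /* rip_attach check: fails with EPERM while security.jail.allow_raw_sockets=0 */
    if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) < 0) { perror("socket(SOCK_RAW)"); return 1; }
    setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
    printf("bind outside-ip:    %s (expect EADDRNOTAVAIL)\n", strerror(probe_bind(fd, other)));
    printf("bind jail-ip:       %s (expect success)\n", strerror(probe_bind(fd, jail)));
    printf("send forged source: %s (expect EPERM)\n", strerror(probe_spoof(fd, other, target)));
    printf("send jail source:   %s (expect success)\n", strerror(probe_spoof(fd, jail, target)));
    close(fd); return 0;
}
```

Run it once with security.jail.allow_raw_sockets left at 0 to confirm socket() itself fails inside the jail, then set the sysctl to 1 on the host and rerun from inside the jail. The forged-source send is the case the patch is meant to close, so EPERM on that line is the pass condition; the bind of the outside address failing with EADDRNOTAVAIL confirms the rip_bind hunk, and a bind of the jail address succeeding confirms the allowed path still works.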