Date: Mon, 12 May 2025 22:27:18 GMT From: Lexi Winter <ivy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 3a53fe2cc4b7 - main - jail: add allow.routing jail permission Message-ID: <202505122227.54CMRIRd060986@gitrepo.freebsd.org>
The branch main has been updated by ivy: URL: https://cgit.FreeBSD.org/src/commit/?id=3a53fe2cc4b7076003163376a7db65e432f6283e commit 3a53fe2cc4b7076003163376a7db65e432f6283e Author: Lexi Winter <ivy@FreeBSD.org> AuthorDate: 2025-05-11 02:01:25 +0000 Commit: Lexi Winter <ivy@FreeBSD.org> CommitDate: 2025-05-12 22:13:18 +0000 jail: add allow.routing jail permission if allow.routing is set, the jail can modify the system routing table even if it's not a VNET jail. Reviewed by: kevans, des, adrian Approved by: kevans (mentor), des (mentor) Differential Revision: https://reviews.freebsd.org/D49843
---
sys/kern/kern_jail.c | 13 +++++++++++++
sys/netlink/route/rt.c | 2 ++
sys/sys/jail.h | 3 ++-
usr.sbin/jail/jail.8 | 5 ++++-
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index b0b0fa50e648..d4529e096929 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -231,6 +231,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
+ {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4224,6 +4225,16 @@ prison_priv_check(struct ucred *cred, int priv)
else
return (EPERM);
+ /*
* Conditionally allow privileged process in the jail to modify
* the routing table.
*/
+ case PRIV_NET_ROUTE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
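Review bot: The new `case PRIV_NET_ROUTE:` in prison_priv_check grants writes to the routing table of the vnet the jail lives in, which for the non-VNET jails this commit targets is the host's table shared with every other non-VNET jail, so the comment above the case should say that rather than just "the routing table", e.g. `* the routing table. A jail without its own vnet writes the` / `* parent vnet's table, shared with the host, so allow.routing is` / `* effectively a host-wide grant.` If VNET jails are already granted PRIV_NET_ROUTE by an earlier branch of this function (outside the hunk), this case is only ever reached for non-VNET jails, which the comment could also state. Since this check gates every priv_check(PRIV_NET_ROUTE) caller and not only the netlink handlers changed in rt.c, it would be worth confirming that the routing-socket path has no separate non-VNET-jail gate that now disagrees with allow.routing. prison_priv_check's body starts and ends outside the hunk.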
@@ -4692,6 +4703,8 @@ SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may adjust system time");
SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may modify routing table");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 30dab2b0d8cf..dcd19b43105c 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = {
.name = "RTM_DELROUTE",
.cb = &rtnl_handle_delroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
}, {
.cmd = NL_RTM_NEWROUTE,
.name = "RTM_NEWROUTE",
.cb = &rtnl_handle_newroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
} };
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 90fcf8cd5a47..08caa9f49270 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -259,7 +259,8 @@ struct prison_racct {
#define PR_ALLOW_EXTATTR 0x00040000
#define PR_ALLOW_ADJTIME 0x00080000
#define PR_ALLOW_SETTIME 0x00100000
-#define PR_ALLOW_ALL_STATIC 0x001f87ff
+#define PR_ALLOW_ROUTING 0x00200000
+#define PR_ALLOW_ALL_STATIC 0x003f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 3426f4f0d600..8d7bc25a8694 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 19, 2024
+.Dd May 11, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -710,6 +710,9 @@ For example through utilities like
.Xr date 1 .
This permission includes also
.Va allow.adjtime .
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
table.
.El
.El
.Pp
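Review bot: Setting `.flags = RTNL_F_ALLOW_NONVNET_JAIL` on the RTM_DELROUTE and RTM_NEWROUTE entries makes those handlers reachable from jails without their own vnet, so the `.priv = PRIV_NET_ROUTE` entry on the same handlers becomes the only control between a jailed root process and the host's routing table; that is sound only if the dispatcher evaluates `.priv` before invoking `.cb`, which is outside the hunk and worth confirming. A one-line comment on each new flag, e.g. `/* non-VNET jails reach this only with allow.routing (PRIV_NET_ROUTE) */`, would record why these two entries, and not the other RTM_* entries in cmd_handlers, are opened to non-VNET jails. The cmd_handlers array starts before the hunk.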
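Review bot: PR_ALLOW_ROUTING is folded into PR_ALLOW_ALL_STATIC (0x001f87ff | 0x00200000 = 0x003f87ff, consistent with the existing bits) but not into PR_ALLOW_DIFFERENCES, whose definition follows the hunk; if PR_ALLOW_DIFFERENCES is the set of allow flags a child jail may hold without its parent holding them, leaving routing out is the right choice, since a child must not be able to grant itself routing-table access its parent lacks. A short comment beside the new define, e.g. `/* host routing table for non-VNET jails; keep out of PR_ALLOW_DIFFERENCES */`, would keep that decision from being undone in a later cleanup. The #define run continues outside the hunk.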