From nobody Mon May 12 22:27:18 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZxDkH0sNpz5vwZc;
	Mon, 12 May 2025 22:27:19 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZxDkG6f7jz4FtH;
	Mon, 12 May 2025 22:27:18 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1747088838;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=AnJh6NzSqNKMehQh+Ja0mJumL3eV3IwnKdHtH0Jom9I=;
	b=uUGvTWypNPRRtQYwdmV0G7vzUEyNUst7tTfZ4vS2ZQaOeQEIAjacy8gELoxgH1UpSdLNxh
	zqBuIE68EhZ/kXvqj5imZEuiNUYQFfkLtbrPEhvxJpa/1u/pWMA136233Ig2Oic3K7dcCG
	8lyYCKt0aBK6RkltLMCMlB922sRdA+nTSEYm+ODjaQpzFqxTqZKACpbOySExTEp9mUyndt
	If31PooPy6OjrqiN9sHm2uWcBK5IJC3SvLxOyMlGuNbHwYNST6QAyCBXtnhbRsy1nkeotX
	QoJHTc1Puhf1VM5dogceal0JjXQeUY7Mt0n3ghWoS14jXUABn0dCLfUId6vxGA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1747088838;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=AnJh6NzSqNKMehQh+Ja0mJumL3eV3IwnKdHtH0Jom9I=;
	b=xJ7IS8NLMoFrvBRtgYUVOQXdz3/KvFzJsWU2u5M2IXQfY1gJ89eLRNindRy0TqXKKAgnDH
	oVu9sf/5d00Fm6DUSvXWBHtYWT5AObV1oJfK+p2eLUn8Ksu1mxRz9sIevS3Z5Grt6QKEF7
	LnZKGw+uwy1wBh/DLxk4skScmaxEADWMHtkB3HaCcxpOgSSRtoFIZzm4CDmnhDGu8E6SXB
	dWG+wTC0QfvvA+e2HxcokPhJMJyRzsOxEw1zPdVRJNcUIL3B8khiy+oMvf8UR5aTBhlw+q
	CnWL4gN8UbGHKo75t695gQcZO9gujAhWZ0TuA/30H+fvj6TM/n/GzG5Rn66i5w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1747088838; a=rsa-sha256; cv=none;
	b=FIn5Vl79gsXvcFq+UWsyh1Wcv1DQrLJR/ZeqQzJkoxxK6AzTi05zJX4X3upcIaa7fAw4sM
	5d+Nr8vW0ZUe5Kv9SNnpxa5MMNNBqozCmnELT/cP69cmJhVXD75xCG2ZpEjAl7x/Bl9BBN
	W9/Eo87OP2d19/k1SNVYmk+vVVvTKZMfx9h1Hxb4lKhJReblILFcO0h+UKH/3jP5F3UVxf
	OiVZTABc6fnmAG06pYYZmjjBusL5PO1Tr+MQLutKZpLUX69VEmmLzcIQs7/X+ZqeoPl6mw
	jLKo1ZiNrKuvAot8Dslq99Q+KHapudM8L04O7TzXSiui4wT7O8h7I1a5o/sTCA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4ZxDkG5xrnz4rx;
	Mon, 12 May 2025 22:27:18 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 54CMRIlp060989;
	Mon, 12 May 2025 22:27:18 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 54CMRIRd060986;
	Mon, 12 May 2025 22:27:18 GMT
	(envelope-from git)
Date: Mon, 12 May 2025 22:27:18 GMT
Message-Id: <202505122227.54CMRIRd060986@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: Lexi Winter <ivy@FreeBSD.org>
Subject: git: 3a53fe2cc4b7 - main - jail: add allow.routing jail
  permission
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3a53fe2cc4b7076003163376a7db65e432f6283e
Auto-Submitted: auto-generated

The branch main has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a53fe2cc4b7076003163376a7db65e432f6283e

commit 3a53fe2cc4b7076003163376a7db65e432f6283e
Author:     Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-05-11 02:01:25 +0000
Commit:     Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-05-12 22:13:18 +0000

    jail: add allow.routing jail permission
    
    if allow.routing is set, the jail can modify the system routing table
    even if it's not a VNET jail.
    
    Reviewed by:    kevans, des, adrian
    Approved by:    kevans (mentor), des (mentor)
    Differential Revision:  https://reviews.freebsd.org/D49843
---
 sys/kern/kern_jail.c   | 13 +++++++++++++
 sys/netlink/route/rt.c |  2 ++
 sys/sys/jail.h         |  3 ++-
 usr.sbin/jail/jail.8   |  5 ++++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index b0b0fa50e648..d4529e096929 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -231,6 +231,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 	{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
 	{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
 	{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
+	{"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4224,6 +4225,16 @@ prison_priv_check(struct ucred *cred, int priv)
 		else
 			return (EPERM);
 
+		/*
+		 * Conditionally allow privileged process in the jail to modify
+		 * the routing table.
+		 */
+	case PRIV_NET_ROUTE:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+			return (0);
+		else
+			return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This
@@ -4692,6 +4703,8 @@ SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may adjust system time");
 SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may set system time");
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may modify routing table");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 30dab2b0d8cf..dcd19b43105c 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = {
 		.name = "RTM_DELROUTE",
 		.cb = &rtnl_handle_delroute,
 		.priv = PRIV_NET_ROUTE,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	},
 	{
 		.cmd = NL_RTM_NEWROUTE,
 		.name = "RTM_NEWROUTE",
 		.cb = &rtnl_handle_newroute,
 		.priv = PRIV_NET_ROUTE,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	}
 };
 
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 90fcf8cd5a47..08caa9f49270 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -259,7 +259,8 @@ struct prison_racct {
 #define	PR_ALLOW_EXTATTR		0x00040000
 #define	PR_ALLOW_ADJTIME		0x00080000
 #define	PR_ALLOW_SETTIME		0x00100000
-#define	PR_ALLOW_ALL_STATIC		0x001f87ff
+#define	PR_ALLOW_ROUTING		0x00200000
+#define	PR_ALLOW_ALL_STATIC		0x003f87ff
 
 /*
  * PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 3426f4f0d600..8d7bc25a8694 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 19, 2024
+.Dd May 11, 2025
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -710,6 +710,9 @@ For example through utilities like
 .Xr date 1 .
 This permission includes also
 .Va allow.adjtime .
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
 .El
 .El
 .Pp