From owner-freebsd-net@freebsd.org  Sat Oct 24 01:00:42 2020
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 332B142A856;
 Sat, 24 Oct 2020 01:00:42 +0000 (UTC)
 (envelope-from dewayne.geraghty@heuristicsystems.com.au)
Received: from hermes.heuristicsystems.com.au (hermes.heuristicsystems.com.au
 [203.41.22.115])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2560 bits) client-digest SHA256)
 (Client CN "hermes.heuristicsystems.com.au",
 Issuer "Heuristic Systems Type 4 Host CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4CJ2pJ2x1sz3XV9;
 Sat, 24 Oct 2020 01:00:38 +0000 (UTC)
 (envelope-from dewayne.geraghty@heuristicsystems.com.au)
Received: from [10.0.5.3] (noddy.hs [10.0.5.3]) (authenticated bits=0)
 by hermes.heuristicsystems.com.au (8.15.2/8.15.2) with ESMTPSA id
 09O0woi1094942
 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
 Sat, 24 Oct 2020 11:58:51 +1100 (AEDT)
 (envelope-from dewayne.geraghty@heuristicsystems.com.au)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
 d=heuristicsystems.com.au; s=hsa; t=1603501131; x=1604105932;
 bh=Xv6l2z8cAbTRfP4eVgvJZoU9QKizrY4BmXkMYy5Oy1Y=;
 h=Subject:To:From:Message-ID:Date;
 b=NmDWeUgWxN03ERR8UdBysjOVEN9xQjwvEM33HHPodCpW6CfDeOOvou9kaGusZwGqS
 yKo+MeDhpBnRFHi7gymPxAKDAHS+vNuvzi2T8ypJyLvsD4hqtB1DNQTPLRDa1vF16G
 s1PKYZ1QZgx165Dv39n7dSo4q6FyOjhMaVDjTbwewtlzs8nVYO4vC
X-Authentication-Warning: b3.hs: Host noddy.hs [10.0.5.3] claimed to be
 [10.0.5.3]
Subject: Re: Allow PING(8) in jails without raw socket access permissions
To: carlos antonio neira bustos <cneirabustos@gmail.com>,
 freebsd-net <freebsd-net@freebsd.org>,
 FreeBSD Hackers <freebsd-hackers@freebsd.org>
References: <CACiB22jQTwR=yJQG8hxBuVU=xbn-rpJ1PZVQ=7xPzEV8en90=A@mail.gmail.com>
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
Message-ID: <9ffe565d-65cb-cbfa-f0dc-189ee8d7215e@heuristicsystems.com.au>
Date: Sat, 24 Oct 2020 11:50:05 +1100
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:78.0) Gecko/20100101
 Thunderbird/78.3.2
MIME-Version: 1.0
In-Reply-To: <CACiB22jQTwR=yJQG8hxBuVU=xbn-rpJ1PZVQ=7xPzEV8en90=A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 4CJ2pJ2x1sz3XV9
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org;
 dkim=fail (headers rsa verify failed) header.d=heuristicsystems.com.au
 header.s=hsa header.b=NmDWeUgW; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of dewayne.geraghty@heuristicsystems.com.au
 designates 203.41.22.115 as permitted sender)
 smtp.mailfrom=dewayne.geraghty@heuristicsystems.com.au
X-Spamd-Result: default: False [-1.60 / 15.00]; RCVD_TLS_ALL(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; MID_RHS_MATCH_FROM(0.00)[];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 R_SPF_ALLOW(-0.20)[+mx];
 R_DKIM_REJECT(1.00)[heuristicsystems.com.au:s=hsa];
 MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[]; ARC_NA(0.00)[];
 DMARC_NA(0.00)[heuristicsystems.com.au];
 NEURAL_HAM_LONG(-0.83)[-0.825]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 TO_DN_ALL(0.00)[];
 RCVD_IN_DNSWL_MED(-0.20)[203.41.22.115:from];
 DKIM_TRACE(0.00)[heuristicsystems.com.au:-];
 NEURAL_HAM_SHORT(-0.54)[-0.539];
 NEURAL_HAM_MEDIUM(-0.74)[-0.739];
 FREEMAIL_TO(0.00)[gmail.com,freebsd.org];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:1221, ipnet:203.40.0.0/13, country:AU];
 RCVD_COUNT_TWO(0.00)[2];
 MAILMAN_DEST(0.00)[freebsd-hackers,freebsd-net]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Oct 2020 01:00:42 -0000

On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
> 
> I have currently a patch in review with jamie which is the current jail
> maintainer and kyle evans, if anyone else could comment/review this patch :
> https://reviews.freebsd.org/D26782
> 
> What has been done is the following :
> 
> Raw socket access is allowed for ICMP protocol as is required by
> PING(8) but option IP_HDRINCL is not allowed. to accomplish this
> a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> jails.
> 
> 
> Bests
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> 
Thanks for the heads-up Carlos.  I have a use for allowing only icmp
traffic, so its beneficial.

However I do agree with BZ that it should not be enabled by default, as
it weakens the security model, enabling a broken jail to more easily
enumerate the wider network environment.