From owner-freebsd-current@FreeBSD.ORG Mon May 31 17:30:39 2004
Date: Mon, 31 May 2004 17:30:26 -0700
From: "Christian S.J. Peron"
To: current@freebsd.org
Message-ID: <20040601003026.GA76645@freefall.freebsd.org>
Subject: raw socket+prison warning
List-Id: Discussions about the use of FreeBSD-current

For those of you not subscribed to src-committers@FreeBSD.org, cvs-src@FreeBSD.org or cvs-all@FreeBSD.org, I just committed a warning note in jail(8) for the security.jail.allow_raw_sockets sysctl MIB about the risks of enabling raw sockets in prisons. Because raw sockets can be used to configure and interact with various network subsystems, extra caution should be used where privileged access to jails is given out to untrusted parties.

As such, by default this option is disabled. A few others and I are currently auditing the kernel source code to ensure that the use of raw sockets by privileged prison users is safe.

--
Christian S.J. Peron
csjp@FreeBSD.org
FreeBSD committer
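The message describes a policy (raw sockets denied inside a prison unless security.jail.allow_raw_sockets is turned on) without showing what a process inside the jail actually observes. The probe below is an added example, not code from the message or from the FreeBSD tree: it attempts to open an IPv4 raw socket and classifies the result, so an operator can confirm from inside a jail that the default is still in force. It assumes only POSIX socket(2) and the FreeBSD behaviour that a jailed process with raw sockets disabled gets EPERM from socket(2), the same errno an unprivileged process gets outside a jail; the function names are this example's own.

```c
/* Added example (not from the original message): probe whether this process
 * may open an IPv4 raw socket, the capability that
 * security.jail.allow_raw_sockets gates inside a FreeBSD prison.
 * Portable POSIX; builds on FreeBSD and Linux. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to open a raw socket for `proto` (e.g. IPPROTO_ICMP).
 * Returns 0 if the kernel allowed it (the descriptor is closed again),
 * otherwise the errno reported by socket(2). */
int raw_socket_probe(int proto)
{
    int fd = socket(AF_INET, SOCK_RAW, proto);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* True when the failure is the privilege/jail policy check rather than a
 * missing protocol or some unrelated error. Run as root inside the jail so
 * that the ordinary "raw sockets need root" check is out of the picture and
 * a denial can only come from the jail policy. */
int raw_socket_denied_by_policy(int err)
{
    return err == EPERM || err == EACCES;
}

/* Map the probe result to a short diagnosis; returns a static string. */
const char *raw_socket_verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (raw_socket_denied_by_policy(err))
        return "denied by privilege check (unprivileged, or jailed with raw sockets disabled)";
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT)
        return "address family or protocol not available here";
    return "other failure";
}

int main(void)
{
    int err = raw_socket_probe(IPPROTO_ICMP);
    printf("raw ICMP socket: %s (errno %d%s%s)\n",
           raw_socket_verdict(err), err,
           err ? ": " : "", err ? strerror(err) : "");
    return 0;
}
```

On a FreeBSD host, the matching control is `sysctl security.jail.allow_raw_sockets` (0 by default, per the message); later releases also expose it per jail as the `allow.raw_sockets` parameter in jail.conf. If the probe reports "allowed" when run as root inside a jail, raw sockets have been enabled for that jail and the caution in the message applies.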