Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 20 Apr 2004 01:56:38 +0000
From:      "Christian S.J. Peron" <maneo@bsdpro.com>
To:        freebsd-hackers@FreeBSD.org
Cc:        freebsd-security@FreeBSD.org
Subject:   [patch] Raw sockets in jails
Message-ID:  <20040420015638.A84821@staff.seccuris.com>
next in thread | raw e-mail | index | archive | help 

        Although RAW sockets can be used when specifying the source
        address of packets (defeating one of the aspects of the jail)
        some people may find it usefull to use utilities like ping(8)
        or traceroute(8) from inside jails.

        Enclosed is a patch I have written which gives you the option
        of allowing prison-root to create raw sockets inside the prison,
        so that programs various network debugging programs like ping
        and traceroute etc can be used.

        This patch will create the security.jail.allow_raw_sockets sysctl
        MIB. I would appriciate any feed-back from testers

	See PR #:
	http://www.freebsd.org/cgi/query-pr.cgi?pr=65800

-------------------- SNIP SNIP ------------------------

--- sys/kern/kern_jail.c.bak	Mon Apr 19 16:55:40 2004
+++ sys/kern/kern_jail.c	Mon Apr 19 17:56:03 2004
@@ -53,6 +53,11 @@
     &jail_sysvipc_allowed, 0,
     "Processes in jail can use System V IPC primitives");
 
+int	jail_allow_raw_sockets = 0;
+SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
+    &jail_allow_raw_sockets, 0,
+    "Prison root can create raw sockets");
+
 /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
 struct	prisonlist allprison;
 struct	mtx allprison_mtx;
--- sys/netinet/raw_ip.c.b	Mon Apr 19 16:23:57 2004
+++ sys/netinet/raw_ip.c	Mon Apr 19 17:55:08 2004
@@ -40,6 +40,7 @@
 #include "opt_random_ip_id.h"
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mac.h>
@@ -505,6 +506,7 @@
 	}
 }
 
+extern int jail_allow_raw_sockets;
 u_long	rip_sendspace = RIPSNDQ;
 u_long	rip_recvspace = RIPRCVQ;
 
@@ -527,7 +529,11 @@
 		INP_INFO_WUNLOCK(&ripcbinfo);
 		return EINVAL;
 	}
-	if (td && (error = suser(td)) != 0) {
+	if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) {
+		INP_INFO_WUNLOCK(&ripcbinfo);
+		return (EPERM);
+	}
+	if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) {
 		INP_INFO_WUNLOCK(&ripcbinfo);
 		return error;
 	}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040420015638.A84821>