From owner-freebsd-bugs@FreeBSD.ORG Mon Apr 19 18:50:21 2004
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C0FC16A4CE for ; Mon, 19 Apr 2004 18:50:21 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4FF1943D49 for ; Mon, 19 Apr 2004 18:50:21 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) i3K1oLbv007728 for ; Mon, 19 Apr 2004 18:50:21 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i3K1oLYN007726; Mon, 19 Apr 2004 18:50:21 -0700 (PDT) (envelope-from gnats)
Resent-Date: Mon, 19 Apr 2004 18:50:21 -0700 (PDT)
Resent-Message-Id: <200404200150.i3K1oLYN007726@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, "Christian S.J.Peron"
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0DA3116A507 for ; Mon, 19 Apr 2004 18:43:08 -0700 (PDT)
Received: from staff.seccuris.com (staff.seccuris.com [204.112.0.40]) by mx1.FreeBSD.org (Postfix) with SMTP id 7B50B43D4C for ; Mon, 19 Apr 2004 18:43:07 -0700 (PDT) (envelope-from cperon@staff.seccuris.com)
Received: (qmail 84813 invoked by uid 1006); 20 Apr 2004 01:43:06 -0000
Message-Id: <20040420014306.84812.qmail@staff.seccuris.com>
Date: 20 Apr 2004 01:43:06 -0000
From: "Christian S.J.Peron"
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/65800: [patch] support for raw sockets in jails
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Christian S.J.Peron"
List-Id: Bug reports
X-List-Received-Date: Tue, 20 Apr 2004 01:50:21 -0000

>Number:         65800
>Category:       kern
>Synopsis:       [patch] support for raw sockets in jails
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 19 18:50:20 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Christian S.J. Peron
>Release:        FreeBSD 5.2.1-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD movl 5.2.1-RELEASE-p4 FreeBSD 5.2.1-RELEASE-p4 #13: Mon Apr 19 17:31:41 GMT 2004 cperon@movl:/usr/src/sys/i386/compile/XOR i386
>Description:
Although RAW sockets can be used to specify the source address of packets (defeating one of the aspects of the jail), some people may find it useful to use utilities like ping(8) or traceroute(8) from inside jails.

Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so that various network debugging programs like ping and traceroute etc. can be used.

This patch will create the security.jail.allow_raw_sockets sysctl MIB.

I would appreciate any feedback from testers.
>How-To-Repeat:
N/A
>Fix:
--- sys/kern/kern_jail.c.bak	Mon Apr 19 16:55:40 2004
+++ sys/kern/kern_jail.c	Mon Apr 19 17:56:03 2004
@@ -53,6 +53,11 @@ &jail_sysvipc_allowed, 0, "Processes in jail can use System V IPC primitives"); +int jail_allow_raw_sockets = 0; +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, + &jail_allow_raw_sockets, 0, + "Prison root can create raw sockets"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; --- sys/netinet/raw_ip.c.b Mon Apr 19 16:23:57 2004 +++ sys/netinet/raw_ip.c Mon Apr 19 17:55:08 2004 @@ -40,6 +40,7 @@ #include "opt_random_ip_id.h" #include +#include #include #include #include @@ -505,6 +506,7 @@ } } +extern int jail_allow_raw_sockets; u_long rip_sendspace = RIPSNDQ; u_long rip_recvspace = RIPRCVQ; @@ -527,7 +529,11 @@ INP_INFO_WUNLOCK(&ripcbinfo); return EINVAL; } - if (td && (error = suser(td)) != 0) { + if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) { + INP_INFO_WUNLOCK(&ripcbinfo); + return (EPERM); + } + if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) { INP_INFO_WUNLOCK(&ripcbinfo); return error; } >Release-Note: >Audit-Trail: >Unformatted:
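Review bot: In the kern_jail.c hunk the new knob ships with no documentation and a description string that understates what it grants. `jail_allow_raw_sockets` should get a jail(8) man page entry alongside the existing jail tunables, and the SYSCTL_INT description should say that turning it on lets prison root open raw IP sockets, which (as the Description above concedes) can carry a source address other than the prison's; "Prison root can create raw sockets" reads as harmless when it is a deliberate weakening of the jail.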
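Review bot: The `extern int jail_allow_raw_sockets;` dropped into raw_ip.c just above `u_long rip_sendspace = RIPSNDQ;` is a file-local re-declaration of a global defined in another file, placed in the middle of the variable definitions. Put the declaration in the jail header that the preceding hunk already includes, next to the other jail_* knobs, so every consumer gets one prototype the compiler checks against the definition in kern_jail.c, and drop the local extern.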
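Review bot: The rip_attach hunk gates only socket creation; once security.jail.allow_raw_sockets is on, nothing in this patch stops a jailed raw socket from handing the kernel its own IP header (IP_HDRINCL) with a source address other than the prison's, which is exactly the jail property the Description says raw sockets defeat. To make the knob enable ping/traceroute without also enabling source-address spoofing, either validate ip_src against the prison's address in rip_output for jailed sockets, or refuse IP_HDRINCL from a jail. Two smaller points on the same hunk: the knob is one global int, so it opens raw sockets for every jail on the host at once rather than per jail, and the new `return (EPERM);` uses parenthesised style next to the existing `return error;`; pick one.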
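As an added example (not part of the PR and not FreeBSD code), a small C probe a tester could run as prison root to see what the knob actually grants. It assumes only the sysctl name the patch introduces, security.jail.allow_raw_sockets; the additional check of IP_HDRINCL is my addition to make the source-address caveat in the Description concrete (setting the option sends nothing on the wire).

```c
/*
 * Added example, not part of PR kern/65800 or of the FreeBSD tree.
 * Probe what a process may do with raw IPv4 sockets: can it create one,
 * and if so can it also set IP_HDRINCL, the option that lets the caller
 * supply the whole IP header, source address included.  Run it as prison
 * root inside a jail before and after
 *     sysctl security.jail.allow_raw_sockets=1
 * to see the effect of the patch.  Reading that sysctl is FreeBSD-only;
 * on other systems the knob is reported as unavailable.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

enum raw_probe {
    RAW_DENIED,          /* socket(2) refused with EPERM/EACCES: policy */
    RAW_UNSUPPORTED,     /* socket(2) failed for another reason */
    RAW_ALLOWED,         /* raw socket created, IP_HDRINCL refused */
    RAW_ALLOWED_HDRINCL  /* raw socket created and IP_HDRINCL accepted */
};

/* Map a socket(2) result (descriptor, or -1 plus errno) to a probe outcome. */
enum raw_probe
classify_socket_result(int fd, int err)
{
    if (fd >= 0)
        return (RAW_ALLOWED);
    if (err == EPERM || err == EACCES)
        return (RAW_DENIED);
    return (RAW_UNSUPPORTED);
}

/* Value of security.jail.allow_raw_sockets: 0 or 1, or -1 if unavailable. */
int
read_allow_raw_sockets(void)
{
#ifdef __FreeBSD__
    int v = 0;
    size_t len = sizeof(v);

    if (sysctlbyname("security.jail.allow_raw_sockets", &v, &len,
        NULL, 0) == 0)
        return (v ? 1 : 0);
#endif
    return (-1);
}

/* Try to open a raw ICMP socket; on success also try to enable IP_HDRINCL. */
enum raw_probe
probe_raw_socket(void)
{
    int fd, one = 1;
    enum raw_probe r;

    fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    r = classify_socket_result(fd, errno);
    if (r != RAW_ALLOWED)
        return (r);
    if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == 0)
        r = RAW_ALLOWED_HDRINCL;
    close(fd);
    return (r);
}

const char *
raw_probe_name(enum raw_probe r)
{
    switch (r) {
    case RAW_DENIED:          return ("denied");
    case RAW_UNSUPPORTED:     return ("unsupported");
    case RAW_ALLOWED:         return ("allowed, IP_HDRINCL refused");
    case RAW_ALLOWED_HDRINCL: return ("allowed, IP_HDRINCL accepted");
    }
    return ("unknown");
}

int
main(void)
{
    int knob = read_allow_raw_sockets();

    if (knob < 0)
        printf("security.jail.allow_raw_sockets: unavailable\n");
    else
        printf("security.jail.allow_raw_sockets: %d\n", knob);
    printf("raw ICMP socket: %s\n", raw_probe_name(probe_raw_socket()));
    return (0);
}
```

Run it once with the knob at 0 (expect "denied" for prison root) and once at 1. If the second run reports IP_HDRINCL accepted, the jail can hand the kernel a complete IP header of its own, which is the trade-off the Description mentions and the part a reviewer would want the patch to close.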