From: Allan Jude Date: Tue, 6 Jun 2017 02:15:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jun 2017 02:15:02 -0000 Author: allanjude Date: Tue Jun 6 02:15:00 2017 New Revision: 319611 URL: https://svnweb.freebsd.org/changeset/base/319611 Log: Jails: Optionally prevent jailed root from binding to privileged ports You may now optionally specify allow.noreserved_ports to prevent root inside a jail from using privileged ports (less than 1024) PR: 217728 Submitted by: Matt Miller Reviewed by: jamie, cem, smh Relnotes: yes Differential Revision: https://reviews.freebsd.org/D10202 Modified: head/sys/kern/kern_jail.c head/sys/sys/jail.h head/usr.sbin/jail/jail.8 Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Tue Jun 6 02:03:22 2017 (r319610) +++ head/sys/kern/kern_jail.c Tue Jun 6 02:15:00 2017 (r319611) @@ -199,6 +199,7 @@ static char *pr_allow_names[] = { "allow.mount.fdescfs", "allow.mount.linprocfs", "allow.mount.linsysfs", + "allow.reserved_ports", }; const size_t pr_allow_names_size = sizeof(pr_allow_names); 
@@ -218,10 +219,11 @@ static char *pr_allow_nonames[] = { "allow.mount.nofdescfs", "allow.mount.nolinprocfs", "allow.mount.nolinsysfs", + "allow.noreserved_ports", }; const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames); -#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME +#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) #define JAIL_DEFAULT_ENFORCE_STATFS 2 #define JAIL_DEFAULT_DEVFS_RSNUM 0 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW; @@ -3304,10 +3306,17 @@ prison_priv_check(struct ucred *cred, int priv) return (EPERM); /* - * Allow jailed root to bind reserved ports and reuse in-use - * ports. + * Conditionally allow jailed root to bind reserved ports. */ case PRIV_NETINET_RESERVEDPORT: + if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) + return (0); + else + return (EPERM); + + /* + * Allow jailed root to reuse in-use ports. + */ case PRIV_NETINET_REUSEPORT: return (0); @@ -3788,6 +3797,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA "B", "Jail may set file quotas"); SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW, "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route"); +SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may bind sockets to reserved ports"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Tue Jun 6 02:03:22 2017 (r319610) +++ head/sys/sys/jail.h Tue Jun 6 02:15:00 2017 (r319611) 
@@ -230,7 +230,8 @@ struct prison_racct { #define PR_ALLOW_MOUNT_FDESCFS 0x1000 #define PR_ALLOW_MOUNT_LINPROCFS 0x2000 #define PR_ALLOW_MOUNT_LINSYSFS 0x4000 -#define PR_ALLOW_ALL 0x7fff +#define PR_ALLOW_RESERVED_PORTS 0x8000 +#define PR_ALLOW_ALL 0xffff /* * OSD methods Modified: head/usr.sbin/jail/jail.8 ============================================================================== --- head/usr.sbin/jail/jail.8 Tue Jun 6 02:03:22 2017 (r319610) +++ head/usr.sbin/jail/jail.8 Tue Jun 6 02:15:00 2017 (r319611) @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 30, 2016 +.Dd June 5, 2017 .Dt JAIL 8 .Os .Sh NAME @@ -483,7 +483,9 @@ and uname -K. Some restrictions of the jail environment may be set on a per-jail basis. With the exception of -.Va allow.set_hostname , +.Va allow.set_hostname +and +.Va allow.reserved_ports , these boolean parameters are off by default. .Bl -tag -width indent .It Va allow.set_hostname @@ -611,6 +613,8 @@ with non-jailed parts of the system. Sockets within a jail are normally restricted to IPv4, IPv6, local (UNIX), and route. This allows access to other protocol stacks that have not had jail functionality added to them. +.It Va allow.reserved_ports +The jail root may bind to ports lower than 1024. .El .El .Pp
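Review bot: in the first kern_jail.c hunk, the new "allow.reserved_ports" string is appended at the end of pr_allow_names (and "allow.noreserved_ports" at the end of pr_allow_nonames), which is only correct because the jail.h hunk defines PR_ALLOW_RESERVED_PORTS as 0x8000, the bit immediately after PR_ALLOW_MOUNT_LINSYSFS (0x4000): the name tables are walked by bit position, so the two arrays and the PR_ALLOW_* value must stay in lockstep. A one-line comment above pr_allow_names stating that its order must match the PR_ALLOW_* bit order in sys/jail.h would make that coupling visible to whoever adds the next flag, and PR_ALLOW_ALL moving to 0xffff is the right companion change.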
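Review bot: the JAIL_DEFAULT_ALLOW change to (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS) makes the new restriction opt-in, so existing jails keep binding privileged ports exactly as before; that is a reasonable compatibility choice, but nothing in the hunk records it as a choice. Suggest a short comment beside the define, for example "/* reserved_ports defaults on to preserve pre-r319611 behaviour */", so a later hardening pass can tell a deliberate default from an inherited one.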
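Review bot: in the prison_priv_check hunk, the `else` after an unconditional `return (0)` in the PRIV_NETINET_RESERVEDPORT case is redundant; style(9) would read `if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) return (0);` followed by a bare `return (EPERM);`. Splitting the old shared comment into separate "Conditionally allow ... reserved ports" and "Allow ... reuse in-use ports" comments is the right move now that RESERVEDPORT no longer falls through to PRIV_NETINET_REUSEPORT.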
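Review bot: the new `.It Va allow.reserved_ports` entry in jail.8 says only "The jail root may bind to ports lower than 1024." Because this parameter, unlike almost every other allow.* flag, is on by default, the entry itself should state that default and name the negated form administrators set to turn it off (allow.noreserved_ports, as the commit log does), rather than relying on the reader to spot the exception added to the "off by default" sentence earlier in the page.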