Date: Mon, 10 Dec 2018 09:34:49 -0700
From: James Gritton <jamie@freebsd.org>
To: Cédric Maunoury <cedric.maunoury@gmail.com>
Cc: freebsd-jail@freebsd.org, owner-freebsd-jail@freebsd.org
Subject: Re: setfib allowed in jail
Message-ID: <355cf761f1421e942941d5dee7569019@freebsd.org>
In-Reply-To: <B9D3F667-4F73-4163-B0DD-30BCEDA0EE0D@gmail.com>
References: <B9D3F667-4F73-4163-B0DD-30BCEDA0EE0D@gmail.com>
On 2018-12-09 13:11, Cédric Maunoury wrote:
> Hello everyone,
>
> It’s my first mail on this mailing list... Thus, please forgive me if
> I do something wrong :)
>
> I was playing on a FreeBSD 11.2 with jails and I was surprised to be
> able to successfully launch setfib from inside a jail... that means I
> can use another routing table than the one configured in the jail
> configuration file.
>
> To me, it should be forbidden. The patch would be to add the following
> lines at the beginning of the function sys_setfib (sys/net/route.c) -
> not tested:
> ——
> if (jailed(td->td_ucred))
>         return (EPERM);
> ——

If a jail isn't restricted to a particular FIB, then there should be no
restriction on this system call. So you would need to not only check if
the process is jailed, but if that jail has its FIB restricted.

And that's where things take an unexpected turn: *no* jails have their
FIBs restricted. The exec.fib parameter, like all of exec.*, is among
the pseudo-parameters that don't actually set anything in the jail but
are just a convenience in setting up the jail creation environment. In
particular, if set it calls setfib(2) before executing anything inside
the jail. It never actually associated an FIB with the jail itself.

That doesn't mean there's no advantage to changing jails to have an FIB
associated with them. It's already an issue, in that jexec(8) isn't
aware of these pseudo-parameters, and doesn't call setfib(2) before
entering the jail. It would make sense not only to do that, but also to
be able to restrict a jail to a particular FIB.

- Jamie