Date: Tue, 20 Apr 2004 16:08:59 -0700 (PDT)
From: Julian Elischer <julian@elischer.org>
To: "Christian S.J. Peron" <maneo@bsdpro.com>
Cc: freebsd-security@FreeBSD.org
Subject: Re: [patch] Raw sockets in jails
Message-ID: <Pine.BSF.4.21.0404201606070.64627-100000@InterJet.elischer.org>
In-Reply-To: <20040420015638.A84821@staff.seccuris.com>
Hooray! Jails are used for a lot more than just security stuff.. We use them for environment isolation. Security to us is just a minor point..

If I could I'd like to be able to turn off:
  blocking of raw sockets.
  blocking of chflags.

Only problem is I'd need it against 4.x.. (I guess I can manage that....)

On Tue, 20 Apr 2004, Christian S.J. Peron wrote:

> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it useful to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that various network debugging programs like ping
> and traceroute etc. can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appreciate any feedback from testers.
>
> See PR #:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
>
> -------------------- SNIP SNIP ------------------------
>
> --- sys/kern/kern_jail.c.bak Mon Apr 19 16:55:40 2004 > +++ sys/kern/kern_jail.c Mon Apr 19 17:56:03 2004 > @@ -53,6 +53,11 @@ > &jail_sysvipc_allowed, 0, > "Processes in jail can use System V IPC primitives"); > > +int jail_allow_raw_sockets = 0; > +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, > + &jail_allow_raw_sockets, 0, > + "Prison root can create raw sockets"); > + > /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ > struct prisonlist allprison; > struct mtx allprison_mtx; > --- sys/netinet/raw_ip.c.b Mon Apr 19 16:23:57 2004 > +++ sys/netinet/raw_ip.c Mon Apr 19 17:55:08 2004 > @@ -40,6 +40,7 @@ > #include "opt_random_ip_id.h" > > #include <sys/param.h> > +#include <sys/jail.h> > #include <sys/kernel.h> > #include <sys/lock.h> > #include <sys/mac.h>
> @@ -505,6 +506,7 @@ > } > } > > +extern int jail_allow_raw_sockets; > u_long rip_sendspace = RIPSNDQ; > u_long rip_recvspace = RIPRCVQ; > > @@ -527,7 +529,11 @@ > INP_INFO_WUNLOCK(&ripcbinfo); > return EINVAL; > } > - if (td && (error = suser(td)) != 0) { > + if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) { > + INP_INFO_WUNLOCK(&ripcbinfo); > + return (EPERM); > + } > + if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) { > INP_INFO_WUNLOCK(&ripcbinfo); > return error; > } > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >
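Review bot: the `int jail_allow_raw_sockets = 0;` added in the kern_jail.c hunk at @@ -53,6 +53,11 @@ has no declaration in any header, which is why the raw_ip.c hunk at @@ -505,6 +506,7 @@ has to redeclare it with its own `extern int jail_allow_raw_sockets;` next to the rip_sendspace/rip_recvspace globals; declare it once in sys/jail.h, which raw_ip.c is made to include in the @@ -40,6 +40,7 @@ hunk, so the two cannot drift and the ad-hoc extern in a .c file goes away. The new MIB also needs documenting where the existing security.jail.* knobs (such as sysvipc_allowed, visible just above the insertion point) are described, and that text should say what the one-line description "Prison root can create raw sockets" leaves out: the cover letter itself notes that a raw socket lets the sender specify the packet's source address, so enabling this hands prison root back part of what the jail is meant to take away. Defaulting it to 0 is the right choice.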
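Review bot: the jailed() test added at @@ -527,7 +529,11 @@ only gates creation of the socket; once `jail_allow_raw_sockets` is non-zero nothing in this patch constrains what the jailed root then writes through it, so the source-address concern the cover letter raises is delegated to the administrator rather than mitigated. If the goal is just ping(8) and traceroute(8), consider pairing this with a check on the send side of raw_ip.c (rip_output()) that rejects a caller-supplied IP header whose source is not the prison's own address; that would make the knob safe enough to leave on. The ordering of the two checks is fine as written: an unjailed non-root caller still gets the old EPERM from suser_cred(), and a jailed non-root caller is stopped there too even with the sysctl on, since only PRISON_ROOT is granted. Minor style: `return (EPERM);` is parenthesised while the adjacent `return EINVAL;` and `return error;` in the same function are not; pick one form for the file.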
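The cover letter above says a raw socket lets its owner specify the source address of the packets it sends, and the patch only decides whether the socket may be created. The following C program is an added example, not code from the patch, the thread or FreeBSD: it builds the IPv4/ICMP echo packet a raw socket with IP_HDRINCL would transmit verbatim, with a caller-chosen source address, verifies both checksums, and probes whether socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) is permitted in the current context (inside a jail with the sysctl off, that call returns the EPERM the patch adds; as jailed root with it on, it succeeds). The addresses 10.0.0.1/10.0.0.2, the payload and the helper names build_icmp_echo(), packet_src() and probe_raw_socket() are assumptions made for the example. Nothing is transmitted.

```c
/* Added example, not code from the patch, the thread or FreeBSD: build the
 * IPv4/ICMP packet a raw socket sends verbatim (source address chosen by the
 * caller) and probe whether raw socket creation is allowed here. Nothing is sent. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define IPV4_HDR_LEN 20
#define ICMP_ECHO_HDR_LEN 8

/* RFC 1071 Internet checksum; run over a header with its checksum in place it yields 0. */
uint16_t inet_cksum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;
	for (; len > 1; buf += 2, len -= 2)
		sum += (uint32_t)((buf[0] << 8) | buf[1]);
	if (len)
		sum += (uint32_t)(buf[0] << 8);	/* odd trailing byte, zero padded */
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Build IPv4 + ICMP echo request into out; returns packet length or -1.
 * src is whatever the caller passes: nothing here, and nothing in the patch's
 * rip_attach() check, ties it to the jail's own address. Byte-order caveat:
 * ip_len/ip_off are written in network order as modern stacks expect; FreeBSD
 * of the 4.x/5.x era wanted them in host order on IP_HDRINCL sockets. */
int build_icmp_echo(uint8_t *out, size_t cap, const char *src, const char *dst,
    uint16_t id, uint16_t seq, const uint8_t *payload, size_t plen)
{
	struct in_addr s, d;
	size_t total = IPV4_HDR_LEN + ICMP_ECHO_HDR_LEN + plen;
	uint8_t *icmp = out + IPV4_HDR_LEN;
	uint16_t ck;

	if (inet_pton(AF_INET, src, &s) != 1 || inet_pton(AF_INET, dst, &d) != 1)
		return -1;
	if (total > cap || total > 0xffff)
		return -1;
	memset(out, 0, total);
	out[0] = 0x45;						/* version 4, IHL 5 */
	out[2] = (uint8_t)(total >> 8); out[3] = (uint8_t)total;	/* total length */
	out[4] = (uint8_t)(id >> 8); out[5] = (uint8_t)id;		/* identification */
	out[6] = 0x40; out[8] = 64; out[9] = IPPROTO_ICMP;	/* DF, TTL 64, ICMP */
	memcpy(out + 12, &s, 4);				/* source: caller's choice */
	memcpy(out + 16, &d, 4);
	ck = inet_cksum(out, IPV4_HDR_LEN);
	out[10] = (uint8_t)(ck >> 8); out[11] = (uint8_t)ck;

	icmp[0] = 8;						/* echo request, code 0 */
	icmp[4] = (uint8_t)(id >> 8); icmp[5] = (uint8_t)id;
	icmp[6] = (uint8_t)(seq >> 8); icmp[7] = (uint8_t)seq;
	memcpy(icmp + ICMP_ECHO_HDR_LEN, payload, plen);
	ck = inet_cksum(icmp, ICMP_ECHO_HDR_LEN + plen);
	icmp[2] = (uint8_t)(ck >> 8); icmp[3] = (uint8_t)ck;
	return (int)total;
}

/* Dotted-quad source address of a built packet. */
const char *packet_src(const uint8_t *pkt, char *buf, size_t buflen)
{
	struct in_addr a;
	memcpy(&a, pkt + 12, 4);
	return inet_ntop(AF_INET, &a, buf, (socklen_t)buflen);
}

/* Try to create a raw ICMP socket: 0 on success, else errno. In a jail with
 * security.jail.allow_raw_sockets=0 this is the EPERM the patched rip_attach()
 * returns; as jailed root with the sysctl set to 1 it succeeds. */
int probe_raw_socket(void)
{
	int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	uint8_t pkt[128];
	char src[INET_ADDRSTRLEN];
	const uint8_t data[] = "jail-raw-test";		/* constructed payload */
	/* 10.0.0.1 / 10.0.0.2 are made-up addresses; the source is "spoofed". */
	int n = build_icmp_echo(pkt, sizeof pkt, "10.0.0.1", "10.0.0.2", 0x1234, 1,
	    data, sizeof data - 1);
	int r = probe_raw_socket();

	printf("packet: %d bytes, src %s, ip checksum ok=%d\n", n,
	    packet_src(pkt, src, sizeof src), inet_cksum(pkt, IPV4_HDR_LEN) == 0);
	printf("raw socket: %s\n", r == 0 ? "allowed" : strerror(r));
	return 0;
}
```

Run it once as jailed root with security.jail.allow_raw_sockets=0 and once with it set to 1: the packet is built identically both times, and only the second line of output changes from "Operation not permitted" to "allowed". That is the whole of what the patch controls; the first line, with its freely chosen source, is what the administrator is accepting when the knob is turned on.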