Date: Thu, 5 Feb 2009 14:15:18 +0000 (UTC) From: Jamie Gritton <jamie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r188146 - in head/sys: kern sys Message-ID: <200902051415.n15EFIMY029070@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jamie Date: Thu Feb 5 14:15:18 2009 New Revision: 188146 URL: http://svn.freebsd.org/changeset/base/188146 Log: Don't allow creating a socket with a protocol family that the current jail doesn't support. This involves a new function prison_check_af, like prison_check_ip[46] but that checks only the family. With this change, most of the errors generated by jailed sockets shouldn't ever occur, at least until jails are changeable. Approved by: bz (mentor) Modified: head/sys/kern/kern_jail.c head/sys/kern/uipc_socket.c head/sys/sys/jail.h Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Thu Feb 5 14:06:43 2009 (r188145) +++ head/sys/kern/kern_jail.c Thu Feb 5 14:15:18 2009 (r188146) @@ -1099,6 +1099,48 @@ prison_check_ip6(struct ucred *cred, str #endif /* + * Check if a jail supports the given address family. + * + * Returns 0 if not jailed or the address family is supported, EAFNOSUPPORT + * if not. + */ +int +prison_check_af(struct ucred *cred, int af) +{ + int error; + + KASSERT(cred != NULL, ("%s: cred is NULL", __func__)); + + + if (!jailed(cred)) + return (0); + + error = 0; + switch (af) + { +#ifdef INET + case AF_INET: + if (cred->cr_prison->pr_ip4 == NULL) + error = EAFNOSUPPORT; + break; +#endif +#ifdef INET6 + case AF_INET6: + if (cred->cr_prison->pr_ip6 == NULL) + error = EAFNOSUPPORT; + break; +#endif + case AF_LOCAL: + case AF_ROUTE: + break; + default: + if (jail_socket_unixiproute_only) + error = EAFNOSUPPORT; + } + return (error); +} + +/* * Check if given address belongs to the jail referenced by cred (wrapper to * prison_check_ip[46]). * Modified: head/sys/kern/uipc_socket.c ============================================================================== --- head/sys/kern/uipc_socket.c Thu Feb 5 14:06:43 2009 (r188145) +++ head/sys/kern/uipc_socket.c Thu Feb 5 14:15:18 2009 (r188146) @@ -347,15 +347,8 @@ socreate(int dom, struct socket **aso, i prp->pr_usrreqs->pru_attach == pru_attach_notsupp) return (EPROTONOSUPPORT); - if (jailed(cred) && jail_socket_unixiproute_only && - prp->pr_domain->dom_family != PF_LOCAL && - prp->pr_domain->dom_family != PF_INET && -#ifdef INET6 - prp->pr_domain->dom_family != PF_INET6 && -#endif - prp->pr_domain->dom_family != PF_ROUTE) { + if (prison_check_af(cred, prp->pr_domain->dom_family) != 0) return (EPROTONOSUPPORT); - } if (prp->pr_type != type) return (EPROTOTYPE); Modified: head/sys/sys/jail.h ============================================================================== --- head/sys/sys/jail.h Thu Feb 5 14:06:43 2009 (r188145) +++ head/sys/sys/jail.h Thu Feb 5 14:15:18 2009 (r188146) @@ -191,6 +191,7 @@ int prison_local_ip6(struct ucred *, str int prison_remote_ip6(struct ucred *, struct in6_addr *); int prison_check_ip6(struct ucred *, struct in6_addr *); #endif +int prison_check_af(struct ucred *cred, int af); int prison_if(struct ucred *cred, struct sockaddr *sa); int prison_priv_check(struct ucred *cred, int priv);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200902051415.n15EFIMY029070>