From: lemon <lemon@aldigital.co.uk>
Date: Tue, 20 May 2003 14:23:04 +0100
To: freebsd-questions@freebsd.org
Subject: Re: jail manipulation of routing table
Message-ID: <3ECA2C38.9080504@aldigital.co.uk>
In-Reply-To: <3ECA0EB6.3020500@aldigital.co.uk>

lemon wrote:
> maybe i need to patch kern/uipc_socket.c's socreate to be less
> permissive with the unixiproute_only sysctl (rendering it a misnomer,
> perhaps another sysctl altogether would be better).

the trivial patch below certainly achieves this; i'm sending it now 'cos
folk might know why it's a bad idea to deny jail routing sockets.

regards, l.

--
lemon@aldigital.co.uk +44 020 8742 0755 http://www.aldigital.co.uk/
system administrivia c6 h8 o7 http://www.thebunker.net/

--- sys/kern/kern_jail.c- Tue May 20 13:36:28 2003 +++ sys/kern/kern_jail.c Tue May 20 13:37:14 2003 @@ -34,10 +34,10 @@ &jail_set_hostname_allowed, 0, "Processes in jail can set their hostnames"); -int jail_socket_unixiproute_only = 1; -SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, - &jail_socket_unixiproute_only, 0, - "Processes in jail are limited to creating UNIX/IPv4/route sockets only"); +int jail_socket_unixip_only = 1; +SYSCTL_INT(_jail, OID_AUTO, socket_unixip_only, CTLFLAG_RW, + &jail_socket_unixip_only, 0, + "Processes in jail are limited to creating UNIX/IPv4 sockets only"); int jail_sysvipc_allowed = 0; SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, 
@@ -143,7 +143,7 @@ struct sockaddr_in *sai = (struct sockaddr_in*) sa; int ok; - if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only) + if ((sai->sin_family != AF_INET) && jail_socket_unixip_only) ok = 1; else if (sai->sin_family != AF_INET) ok = 0; --- sys/kern/uipc_socket.c- Tue May 20 13:37:26 2003 +++ sys/kern/uipc_socket.c Tue May 20 13:38:14 2003 @@ -140,10 +140,9 @@ if (prp == 0 || prp->pr_usrreqs->pru_attach == 0) return (EPROTONOSUPPORT); - if (p->p_prison && jail_socket_unixiproute_only && + if (p->p_prison && jail_socket_unixip_only && prp->pr_domain->dom_family != PF_LOCAL && - prp->pr_domain->dom_family != PF_INET && - prp->pr_domain->dom_family != PF_ROUTE) { + prp->pr_domain->dom_family != PF_INET) { return (EPROTONOSUPPORT); } --- sys/sys/jail.h- Tue May 20 13:51:28 2003 +++ sys/sys/jail.h Tue May 20 13:51:38 2003 @@ -47,7 +47,7 @@ * Sysctl-set variables that determine global jail policy */ extern int jail_set_hostname_allowed; -extern int jail_socket_unixiproute_only; +extern int jail_socket_unixip_only; extern int jail_sysvipc_allowed; #endif /* !_KERNEL */
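Review bot: renaming the sysctl from `jail.socket_unixiproute_only` to `jail.socket_unixip_only` in the first kern_jail.c hunk is a user-visible interface change: any existing sysctl.conf entry or script that sets the old name silently stops having any effect, and because the new knob defaults to 1, every existing jail loses routing sockets as soon as the kernel is updated. The quoted message already suggests "another sysctl altogether"; keeping `jail_socket_unixiproute_only` as it is and adding a separate knob for routing sockets, with a default that preserves current behaviour, avoids both problems. Whichever name is kept, the description string and the jail(8) documentation need to change in step with it.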
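Review bot: dropping the `prp->pr_domain->dom_family != PF_ROUTE` clause in the socreate() hunk makes every routing-socket open from inside a jail fail with EPROTONOSUPPORT, which blocks read-only uses (tools that open a routing socket just to look at the table) along with attempts to modify it; the diff offers no way to allow the former while denying the latter. If the intent is only to stop jailed processes from changing the routing table, a check at the point where routing messages are acted on would be narrower than refusing socket creation outright. Note also that the whole check is skipped when the sysctl is 0, so the new restriction is only as strong as the default and whatever the administrator sets.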
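Review bot: the extern rename in the jail.h hunk only keeps the three files in this diff consistent; any other reference to `jail_socket_unixiproute_only` elsewhere in the tree will fail to build, and any mention of the old sysctl name in documentation goes stale. A tree-wide search for the old identifier should accompany the patch so the rename is complete before it is applied.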