Date: Tue, 20 May 2003 14:23:04 +0100
From: lemon <lemon@aldigital.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: jail manipulation of routing table
Message-ID: <3ECA2C38.9080504@aldigital.co.uk>
In-Reply-To: <3ECA0EB6.3020500@aldigital.co.uk>
References: <3ECA0EB6.3020500@aldigital.co.uk>
lemon wrote:
>
>
> Maybe I need to patch kern/uipc_socket.c's socreate to be less
> permissive with the unixiproute_only sysctl (rendering it a misnomer,
> perhaps another sysctl altogether would be better).
>

The trivial patch below certainly achieves this; I'm sending it now 'cos folk might know why it's a bad idea to deny jail routing sockets.

regards,
l.

--
lemon@aldigital.co.uk
+44 020 8742 0755
http://www.aldigital.co.uk/
system administrivia
c6 h8 o7
http://www.thebunker.net/

--- sys/kern/kern_jail.c- Tue May 20 13:36:28 2003 +++ sys/kern/kern_jail.c Tue May 20 13:37:14 2003 @@ -34,10 +34,10 @@ &jail_set_hostname_allowed, 0, "Processes in jail can set their hostnames"); -int jail_socket_unixiproute_only = 1; -SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW, - &jail_socket_unixiproute_only, 0, - "Processes in jail are limited to creating UNIX/IPv4/route sockets only"); +int jail_socket_unixip_only = 1; +SYSCTL_INT(_jail, OID_AUTO, socket_unixip_only, CTLFLAG_RW, + &jail_socket_unixip_only, 0, + "Processes in jail are limited to creating UNIX/IPv4 sockets only"); int jail_sysvipc_allowed = 0; SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW, @@ -143,7 +143,7 @@ struct sockaddr_in *sai = (struct sockaddr_in*) sa; int ok; - if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only) + if ((sai->sin_family != AF_INET) && jail_socket_unixip_only) ok = 1; else if (sai->sin_family != AF_INET) ok = 0; --- sys/kern/uipc_socket.c- Tue May 20 13:37:26 2003 +++ sys/kern/uipc_socket.c Tue May 20 13:38:14 2003 
@@ -140,10 +140,9 @@ if (prp == 0 || prp->pr_usrreqs->pru_attach == 0) return (EPROTONOSUPPORT); - if (p->p_prison && jail_socket_unixiproute_only && + if (p->p_prison && jail_socket_unixip_only && prp->pr_domain->dom_family != PF_LOCAL && - prp->pr_domain->dom_family != PF_INET && - prp->pr_domain->dom_family != PF_ROUTE) { + prp->pr_domain->dom_family != PF_INET) { return (EPROTONOSUPPORT); } --- sys/sys/jail.h- Tue May 20 13:51:28 2003 +++ sys/sys/jail.h Tue May 20 13:51:38 2003 @@ -47,7 +47,7 @@ * Sysctl-set variables that determine global jail policy */ extern int jail_set_hostname_allowed; -extern int jail_socket_unixiproute_only; +extern int jail_socket_unixip_only; extern int jail_sysvipc_allowed; #endif /* !_KERNEL */
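Review bot: Renaming the sysctl OID from jail.socket_unixiproute_only to jail.socket_unixip_only in the kern_jail.c @@ -34 hunk silently breaks any existing sysctl.conf or rc setting that still uses the old name, and nothing in the patch updates documentation for the knob (only .c and .h files are touched). Either keep the old OID as an alias or at least call out the rename and the new description string "Processes in jail are limited to creating UNIX/IPv4 sockets only" in the commit message. The knob also stays CTLFLAG_RW with a default of 1, so the new policy applies to every existing jail on the next boot without any operator action.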
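Review bot: Dropping PF_ROUTE from the allowed list in the uipc_socket.c @@ -140 hunk refuses the routing socket at socket(2) time, so a jailed process can no longer open one to read the routing table, not just to modify it. If the concern is a jailed root changing routes, a narrower fix is to leave socreate() alone and have the routing socket's request handler reject the write message types (RTM_ADD, RTM_DELETE, RTM_CHANGE) when p->p_prison is set, which keeps read-only users such as `route get` working inside the jail. Whichever way it goes, the commit message should say that jails lose routing sockets by default, since the sysctl defaults to 1.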
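Review bot: The extern rename in the jail.h @@ -47 hunk means any other kernel file or out-of-tree module that references jail_socket_unixiproute_only stops linking; the patch only updates kern_jail.c and uipc_socket.c, so grep the tree for remaining users before committing. If compatibility matters, keeping the old symbol name and changing only the sysctl description is the lower-risk option.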
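To check what the socreate() gate actually lets a jailed process do, here is a small userland probe. It is an added example, not lemon's code and not part of the patch or of FreeBSD; the names sockprobe.c, probe_family(), verdict() and run_probes() are my own. It opens one socket per protocol family and reports the errno. Run it once outside the jail as a baseline and once inside: a family that opens outside but fails inside with EPROTONOSUPPORT is being refused by the jail check, while a family that fails with EPROTONOSUPPORT in both runs is simply not compiled into the kernel, which is why the baseline run matters.

```c
/*
 * sockprobe.c -- added example, not part of the patch or of FreeBSD.
 *
 * Reports which protocol families socket(2) will open in the current
 * context. Compare a run on the host with a run inside the jail:
 * EPROTONOSUPPORT inside but success outside means the jail policy
 * in socreate() refused the family.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

struct probe {
    const char *name;
    int family;
    int type;
};

/* Families worth checking against the jail policy. PF_ROUTE is the one
 * the patch removes from the allowed list; PF_INET6 is a control that
 * the existing check already refuses. Guarded so the file also builds
 * on systems that lack a given family. */
static const struct probe probes[] = {
    { "PF_LOCAL", PF_LOCAL, SOCK_STREAM },
    { "PF_INET",  PF_INET,  SOCK_DGRAM  },
#ifdef PF_INET6
    { "PF_INET6", PF_INET6, SOCK_DGRAM  },
#endif
#ifdef PF_ROUTE
    { "PF_ROUTE", PF_ROUTE, SOCK_RAW    },
#endif
};

/* Try to create one socket. Returns 0 on success, otherwise the errno
 * socket(2) left behind. The descriptor is closed at once; the only
 * question is whether the kernel let us have it. */
int probe_family(int family, int type)
{
    int fd = socket(family, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map a probe result to the verdict a jail operator wants to read. */
const char *verdict(int err)
{
    if (err == 0)
        return "allowed";
    if (err == EPROTONOSUPPORT)
        return "refused (EPROTONOSUPPORT: jail policy, or family not in kernel)";
    return "failed";
}

/* Run every probe, print one line per family, and return how many were
 * refused with EPROTONOSUPPORT so two runs can be compared by a script. */
int run_probes(void)
{
    size_t i;
    int refused = 0;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        int err = probe_family(probes[i].family, probes[i].type);
        printf("%-9s %s", probes[i].name, verdict(err));
        if (err != 0 && err != EPROTONOSUPPORT)
            printf(" (%s)", strerror(err));
        printf("\n");
        if (err == EPROTONOSUPPORT)
            refused++;
    }
    return refused;
}

int main(void)
{
    int refused = run_probes();
    printf("%d famil%s refused with EPROTONOSUPPORT\n",
           refused, refused == 1 ? "y" : "ies");
    return 0;
}
```

With the patch applied and jail.socket_unixip_only=1, the in-jail run should show PF_ROUTE alongside PF_INET6 as refused, whereas the unpatched kernel only refuses PF_INET6; the host run should open all four.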
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ECA2C38.9080504>