Date: Wed, 21 May 2025 03:40:23 GMT From: Lexi Winter <ivy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 4b147fd312d5 - stable/14 - jail: add allow.routing jail permission Message-ID: <202505210340.54L3eNef088544@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/14 has been updated by ivy: URL: https://cgit.FreeBSD.org/src/commit/?id=4b147fd312d5b007bd15563fdaed74f5b9f74c56 commit 4b147fd312d5b007bd15563fdaed74f5b9f74c56 Author: Lexi Winter <ivy@FreeBSD.org> AuthorDate: 2025-05-11 02:01:25 +0000 Commit: Lexi Winter <ivy@FreeBSD.org> CommitDate: 2025-05-21 02:55:42 +0000 jail: add allow.routing jail permission if allow.routing is set, the jail can modify the system routing table even if it's not a VNET jail. Reviewed by: kevans, des, adrian Approved by: kevans (mentor), des (mentor) Differential Revision: https://reviews.freebsd.org/D49843 (cherry picked from commit 3a53fe2cc4b7076003163376a7db65e432f6283e) --- sys/kern/kern_jail.c | 13 +++++++++++++ sys/netlink/route/rt.c | 2 ++ sys/sys/jail.h | 3 ++- usr.sbin/jail/jail.8 | 5 ++++- 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 99cf8f731c48..b14b3218ebb7 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -226,6 +226,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { #ifdef VIMAGE {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD}, #endif + {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING}, }; static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC; const size_t pr_flag_allow_size = sizeof(pr_flag_allow); @@ -4142,6 +4143,16 @@ prison_priv_check(struct ucred *cred, int priv) return (0); return (EPERM); + /* + * Conditionally allow privileged process in the jail to modify + * the routing table. + */ + case PRIV_NET_ROUTE: + if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING) + return (0); + else + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This @@ -4604,6 +4615,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW, "B", "Mountd/nfsd may run in the jail"); #endif +SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may modify routing table"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 7cd6e0045f01..7a6ba6ef27c5 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = { .name = "RTM_DELROUTE", .cb = &rtnl_handle_delroute, .priv = PRIV_NET_ROUTE, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, }, { .cmd = NL_RTM_NEWROUTE, .name = "RTM_NEWROUTE", .cb = &rtnl_handle_newroute, .priv = PRIV_NET_ROUTE, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, } }; diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 0b0ee9cdde0f..7fbb71ee31f8 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -253,7 +253,8 @@ struct prison_racct { #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ #define PR_ALLOW_NFSD 0x00020000 -#define PR_ALLOW_ALL_STATIC 0x000387ff +#define PR_ALLOW_ROUTING 0x00040000 +#define PR_ALLOW_ALL_STATIC 0x000787ff /* * PR_ALLOW_DIFFERENCES determines which flags are able to be diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 7fc5357adfd3..73014315012b 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 19, 2024 +.Dd May 11, 2025 .Dt JAIL 8 .Os .Sh NAME @@ -642,6 +642,9 @@ sysctl. The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default. +.It Va allow.routing +Allow privileged process in the non-VNET jail to modify the system routing +table. .El .El .Pp
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202505210340.54L3eNef088544>