From nobody Wed May 21 03:40:23 2025
Date: Wed, 21 May 2025 03:40:23 GMT
Message-Id: <202505210340.54L3eNef088544@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Lexi Winter
Subject: git: 4b147fd312d5 - stable/14 - jail: add allow.routing jail permission
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: ivy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 4b147fd312d5b007bd15563fdaed74f5b9f74c56

The branch stable/14 has been updated by ivy:

URL: https://cgit.FreeBSD.org/src/commit/?id=4b147fd312d5b007bd15563fdaed74f5b9f74c56

commit 4b147fd312d5b007bd15563fdaed74f5b9f74c56
Author:     Lexi Winter
AuthorDate: 2025-05-11 02:01:25 +0000
Commit:     Lexi Winter
CommitDate: 2025-05-21 02:55:42 +0000

    jail: add allow.routing jail permission

    If allow.routing is set, the jail can modify the system routing table
    even if it's not a VNET jail.

    Reviewed by:    kevans, des, adrian
    Approved by:    kevans (mentor), des (mentor)
    Differential Revision:  https://reviews.freebsd.org/D49843

    (cherry picked from commit 3a53fe2cc4b7076003163376a7db65e432f6283e)

--- sys/kern/kern_jail.c | 13 +++++++++++++ sys/netlink/route/rt.c | 2 ++ sys/sys/jail.h | 3 ++- usr.sbin/jail/jail.8 | 5 ++++- 4 files changed, 21 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 99cf8f731c48..b14b3218ebb7 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -226,6 +226,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = { #ifdef VIMAGE {"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD}, #endif + {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING}, }; static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC; const size_t pr_flag_allow_size = sizeof(pr_flag_allow); 
@@ -4142,6 +4143,16 @@ prison_priv_check(struct ucred *cred, int priv) return (0); return (EPERM); + /* + * Conditionally allow privileged process in the jail to modify + * the routing table. + */ + case PRIV_NET_ROUTE: + if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING) + return (0); + else + return (EPERM); + default: /* * In all remaining cases, deny the privilege request. This @@ -4604,6 +4615,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW, SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW, "B", "Mountd/nfsd may run in the jail"); #endif +SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW, + "B", "Jail may modify routing table"); SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags"); SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW, diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index 7cd6e0045f01..7a6ba6ef27c5 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = { .name = "RTM_DELROUTE", .cb = &rtnl_handle_delroute, .priv = PRIV_NET_ROUTE, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, }, { .cmd = NL_RTM_NEWROUTE, .name = "RTM_NEWROUTE", .cb = &rtnl_handle_newroute, .priv = PRIV_NET_ROUTE, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, } }; diff --git a/sys/sys/jail.h b/sys/sys/jail.h index 0b0ee9cdde0f..7fbb71ee31f8 100644 --- a/sys/sys/jail.h +++ b/sys/sys/jail.h @@ -253,7 +253,8 @@ struct prison_racct { #define PR_ALLOW_RESERVED_PORTS 0x00008000 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */ #define PR_ALLOW_NFSD 0x00020000 -#define PR_ALLOW_ALL_STATIC 0x000387ff +#define PR_ALLOW_ROUTING 0x00040000 +#define PR_ALLOW_ALL_STATIC 0x000787ff /* * PR_ALLOW_DIFFERENCES determines which flags are able to be diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8 index 7fc5357adfd3..73014315012b 100644 --- a/usr.sbin/jail/jail.8 +++ b/usr.sbin/jail/jail.8 
@@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 19, 2024 +.Dd May 11, 2025 .Dt JAIL 8 .Os .Sh NAME @@ -642,6 +642,9 @@ sysctl. The super-user will be disabled automatically if its parent system has it disabled. The super-user is enabled by default. +.It Va allow.routing +Allow privileged process in the non-VNET jail to modify the system routing +table. .El .El .Pp
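Review bot: in the new PRIV_NET_ROUTE case in prison_priv_check() (kern_jail.c, hunk at line 4142), the `else` after `return (0);` is redundant and differs from the case immediately above it, which is written `if (...) return (0); return (EPERM);`; dropping the `else` keeps both cases in the same style. The hunk also does not show whether VNET jails reach this switch for PRIV_NET_ROUTE; if they do, a VNET jail would now need allow.routing as well, so confirm the VNET-owner path is handled before this point. For non-VNET jails without PR_ALLOW_ROUTING the behaviour is unchanged: EPERM, as the default case already returned.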
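Review bot: in the rt.c hunk, RTNL_F_ALLOW_NONVNET_JAIL is set on RTM_NEWROUTE and RTM_DELROUTE only, so for these two commands from a non-VNET jail the only remaining gate is the `.priv = PRIV_NET_ROUTE` check that lands in the new prison_priv_check() case; the two fields belong together and any later edit should keep them paired. Confirm that no other entry in cmd_handlers[] carrying `.priv = PRIV_NET_ROUTE` needs the same flag, and whether the non-netlink routing socket path consults PRIV_NET_ROUTE, so a jail with allow.routing behaves the same whichever interface it uses to change routes.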
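Review bot: the jail.h mask update is consistent: PR_ALLOW_ROUTING takes the next free bit, 0x00040000, after PR_ALLOW_NFSD (0x00020000), and PR_ALLOW_ALL_STATIC moves from 0x000387ff to 0x000787ff, which is exactly the old value with the new bit ORed in. Since this merge adds a bit to pr_allow on a stable branch, confirm the new bit is not part of the default-allow set, so that existing jails do not silently gain routing-table access on upgrade.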
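Review bot: the new allow.routing entry in jail.8 (hunk at line 642) should state the security consequence: a non-VNET jail shares the host's network stack, so the "system routing table" it may modify is the host's table and that of every other non-VNET jail, and the permission should be granted only to trusted jails. Grammar as well: "Allow privileged process in the non-VNET jail" reads better as "Allow privileged processes in a non-VNET jail". Stating the default (the commit message and the prison_priv_check() hunk imply the permission is off unless set) would match the neighbouring entry, which says "The super-user is enabled by default".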