Index: kern/kern_jail.c
===================================================================
--- kern/kern_jail.c
+++ kern/kern_jail.c
@@ -200,7 +200,7 @@
 };
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
-#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
+#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS| PR_ALLOW_ICMP_ACCESS)
 #define JAIL_DEFAULT_ENFORCE_STATFS 2
 #define JAIL_DEFAULT_DEVFS_RSNUM 0
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
@@ -3168,6 +3168,7 @@
 case PRIV_NETINET_CARP:
 case PRIV_NETINET_MROUTE:
 case PRIV_NETINET_RAW:
+ case PRIV_NETINET_ICMP_ACCESS:
 case PRIV_NETINET_ADDRCTRL6:
 case PRIV_NETINET_ND6:
 case PRIV_NETINET_SCOPE6:
@@ -3386,6 +3387,14 @@
 return (0);
 else
 return (EPERM);
+ /*
+ * Conditionally allow ping.
+ */
+ case PRIV_NETINET_ICMP_ACCESS:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ICMP_ACCESS)
+ return (0);
+ else
+ return (EPERM);
 /*
 * Since jail implements its own visibility limits on netstat
Index: netinet/raw_ip.c
===================================================================
--- netinet/raw_ip.c
+++ netinet/raw_ip.c
@@ -685,6 +685,10 @@
 case SOPT_SET:
 switch (sopt->sopt_name) {
 case IP_HDRINCL:
+ error = priv_check(curthread, PRIV_NETINET_RAW);
+ if (error != 0)
+ return (error);
+
 error = sooptcopyin(sopt, &optval, sizeof optval, sizeof optval);
 if (error)
@@ -858,7 +862,12 @@
 inp = sotoinpcb(so);
 KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
- error = priv_check(td, PRIV_NETINET_RAW);
+ if (proto == IPPROTO_ICMP)
+ error = priv_check(td, PRIV_NETINET_ICMP_ACCESS) &&
+ priv_check(td, PRIV_NETINET_RAW);
+ else
+ error = priv_check(td, PRIV_NETINET_RAW);
+
 if (error)
 return (error);
 if (proto >= IPPROTO_MAX || proto < 0)
Index: sys/jail.h
===================================================================
--- sys/jail.h
+++ sys/jail.h
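Review bot: Putting `PR_ALLOW_ICMP_ACCESS` into `JAIL_DEFAULT_ALLOW` switches the new capability on for every jail that does not set it explicitly, so on upgrade existing jails gain the ability to open raw IPPROTO_ICMP sockets without an administrator opting in; the only other defaults in this macro are `PR_ALLOW_SET_HOSTNAME` and `PR_ALLOW_RESERVED_PORTS`, and the safer choice is to leave the macro as it was and let the new flag be enabled per jail. The `pr_flag_allow` table whose size is taken on the context line above is not in the diff; presumably it needs an entry naming the new flag so it can be set and cleared from userland, confirm. The new text is also missing a space before the operator: `PR_ALLOW_RESERVED_PORTS | PR_ALLOW_ICMP_ACCESS)`.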
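Review bot: The comment `Conditionally allow ping.` understates what the new `PRIV_NETINET_ICMP_ACCESS` case grants: the privilege is consumed in rip_attach() for any raw IPPROTO_ICMP socket, which can emit every ICMP type, not only echo requests. Suggest `Conditionally allow raw IPPROTO_ICMP sockets (ping and other ICMP senders).` here, and the same correction to `/* Allow ICMP ping. */` in the sys/priv.h hunk, so an administrator reading either file knows the real scope of the allow bit. The enclosing prison_priv_check() switch starts and ends outside the hunk.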
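Review bot: The new guard in the IP_HDRINCL case uses `if (error != 0)` while the sooptcopyin() check two lines below in the same case uses `if (error)`; pick one form within the case, e.g. `if (error)` to match the existing line. The placement itself is right: checking before the copyin means a socket opened under PRIV_NETINET_ICMP_ACCESS alone cannot turn on header inclusion. The enclosing rip_ctloutput() switch continues outside the hunk.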
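Review bot: `error = priv_check(td, PRIV_NETINET_ICMP_ACCESS) && priv_check(td, PRIV_NETINET_RAW);` folds both results into 0 or 1, so when both checks fail the caller sees 1 rather than the value priv_check() returned; on FreeBSD that happens to equal EPERM, but any other code a policy module returns is discarded, and the intent (either privilege suffices) is hidden behind the boolean operator. Spelling the fallback out keeps the real error and reads as the OR it is. rip_attach()'s body continues outside the hunk.
```c
	if (proto == IPPROTO_ICMP) {
		/* Either privilege suffices; keep the real error on failure. */
		error = priv_check(td, PRIV_NETINET_ICMP_ACCESS);
		if (error != 0)
			error = priv_check(td, PRIV_NETINET_RAW);
	} else
		error = priv_check(td, PRIV_NETINET_RAW);
	/* … unchanged: if (error) return (error); proto range check … */
```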
@@ -231,6 +231,7 @@
 #define PR_ALLOW_SOCKET_AF 0x00000040
 #define PR_ALLOW_MLOCK 0x00000080
 #define PR_ALLOW_READ_MSGBUF 0x00000100
+#define PR_ALLOW_ICMP_ACCESS 0x00000200
 #define PR_ALLOW_RESERVED_PORTS 0x00008000
 #define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
 #define PR_ALLOW_ALL_STATIC 0x000181ff
Index: sys/priv.h
===================================================================
--- sys/priv.h
+++ sys/priv.h
@@ -400,6 +400,7 @@
 #define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
 #define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
 #define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
+#define PRIV_NETINET_ICMP_ACCESS 508 /* Allow ICMP ping. */
 /*
 * Placeholders for IPX/SPX privileges, not supported any more.
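Review bot: `PR_ALLOW_ALL_STATIC` stays at `0x000181ff` after the new bit is added, and that value covers every other static allow bit in this hunk but not `0x00000200`. If that mask is what the jail code uses to validate or enumerate static allow flags, as its name suggests, the new flag would be rejected or invisible there; the line should become `#define PR_ALLOW_ALL_STATIC 0x000183ff`. Confirm against the uses of the macro in kern_jail.c, which are not in this diff.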