
D10202.id26848.diff

D10202.id26848.diff

Index: sys/kern/kern_jail.c
===================================================================
--- sys/kern/kern_jail.c
+++ sys/kern/kern_jail.c
@@ -199,6 +199,7 @@
"allow.mount.fdescfs",
"allow.mount.linprocfs",
"allow.mount.linsysfs",
+ "allow.reserved_ports",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@@ -218,10 +219,11 @@
"allow.mount.nofdescfs",
"allow.mount.nolinprocfs",
"allow.mount.nolinsysfs",
+ "allow.noreserved_ports",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
-#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
+#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
#define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
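Review bot: `JAIL_DEFAULT_ALLOW` now carries `PR_ALLOW_RESERVED_PORTS` with no comment saying why, so the permissive default reads like an oversight rather than a compatibility choice. The comment removed from the `PRIV_NETINET_RESERVEDPORT` case shows that jailed root could always bind reserved ports before this change, so default-on keeps existing jails working. It also means a jail is only restricted when the operator explicitly sets `allow.noreserved_ports`. I would add above the define: `/* reserved_ports is on by default to preserve the previous behaviour; clear it per jail to restrict binding. */`.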
@@ -3304,10 +3306,17 @@
return (EPERM);
/*
- * Allow jailed root to bind reserved ports and reuse in-use
- * ports.
+ * Conditionally allow jailed root to bind reserved ports.
*/
case PRIV_NETINET_RESERVEDPORT:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Allow jailed root to reuse in-use ports.
+ */
case PRIV_NETINET_REUSEPORT:
return (0);
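Review bot: The new comment on the `PRIV_NETINET_RESERVEDPORT` case says "Conditionally" without naming the condition; `/* Allow jailed root to bind reserved ports only when the jail has allow.reserved_ports set. */` would tie the check to the jail parameter. `PRIV_NETINET_REUSEPORT` remains granted unconditionally, which looks intended but is worth confirming now that the two cases are split. The jail.8 text in this change describes the parameter as "ports lower than 1024", whereas the reserved range is, as far as I know, set by the `net.inet.ip.portrange.reservedlow`/`reservedhigh` sysctls, so "reserved ports" would be the safer wording there. The enclosing switch and function start and end outside the hunk.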
@@ -3788,6 +3797,8 @@
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may bind sockets to reserved ports");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
Index: sys/sys/jail.h
===================================================================
--- sys/sys/jail.h
+++ sys/sys/jail.h
@@ -230,7 +230,8 @@
#define PR_ALLOW_MOUNT_FDESCFS 0x1000
#define PR_ALLOW_MOUNT_LINPROCFS 0x2000
#define PR_ALLOW_MOUNT_LINSYSFS 0x4000
-#define PR_ALLOW_ALL 0x7fff
+#define PR_ALLOW_RESERVED_PORTS 0x8000
+#define PR_ALLOW_ALL 0xffff
/*
* OSD methods
Index: usr.sbin/jail/config.c
===================================================================
--- usr.sbin/jail/config.c
+++ usr.sbin/jail/config.c
@@ -98,6 +98,8 @@
[IP__OP] = {NULL, PF_CONV},
[KP_ALLOW_CHFLAGS] = {"allow.chflags", 0},
[KP_ALLOW_MOUNT] = {"allow.mount", 0},
+ [KP_ALLOW_RESERVED_PORTS]= {"allow.reserved_ports",
+ 0},
[KP_ALLOW_RAW_SOCKETS] = {"allow.raw_sockets", 0},
[KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0},
[KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0},
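Review bot: The new `KP_ALLOW_RESERVED_PORTS` entry is placed before `KP_ALLOW_RAW_SOCKETS` here but appended after `KP_ALLOW_SYSVIPC` in the jailp.h enum, so neither list keeps the alphabetical order the neighbouring entries appear to follow. The designated initializers make this harmless at runtime; it is a readability point only. Placing the entry after `KP_ALLOW_RAW_SOCKETS` in both files, and keeping the initializer on one line rather than wrapping `0},`, would match the surrounding entries. The table starts and ends outside the hunk.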
Index: usr.sbin/jail/jail.8
===================================================================
--- usr.sbin/jail/jail.8
+++ usr.sbin/jail/jail.8
@@ -483,7 +483,9 @@
Some restrictions of the jail environment may be set on a per-jail
basis.
With the exception of
-.Va allow.set_hostname ,
+.Va allow.set_hostname
+and
+.Va allow.reserved_ports ,
these boolean parameters are off by default.
.Bl -tag -width indent
.It Va allow.set_hostname
@@ -611,6 +613,8 @@
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
+.It Va allow.reserved_ports
+The jail root may bind to ports lower than 1024.
.El
.El
.Pp
Index: usr.sbin/jail/jailp.h
===================================================================
--- usr.sbin/jail/jailp.h
+++ usr.sbin/jail/jailp.h
@@ -116,6 +116,7 @@
KP_ALLOW_SET_HOSTNAME,
KP_ALLOW_SOCKET_AF,
KP_ALLOW_SYSVIPC,
+ KP_ALLOW_RESERVED_PORTS,
KP_DEVFS_RULESET,
KP_ENFORCE_STATFS,
KP_HOST_HOSTNAME,
