
D26782.id78226.diff

D26782.id78226.diff

Index: kern/kern_jail.c
===================================================================
--- kern/kern_jail.c
+++ kern/kern_jail.c
@@ -200,7 +200,7 @@
};
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
-#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
+#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS| PR_ALLOW_ICMP_ACCESS)
#define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
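Review bot: The new bit is switched on for every jail through JAIL_DEFAULT_ALLOW at line 16, but the pr_flag_allow name table that closes at line 13 gains no entry in this diff, so unless one is added elsewhere the flag cannot be set or cleared per jail and the default is the only control. Turning it on by default also widens what every existing jail may do after an upgrade, which should be a deliberate choice called out in the commit message rather than implied by the macro. Separately, line 16 is missing the space before the last `|`; suggest `#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS | PR_ALLOW_ICMP_ACCESS)`.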
@@ -3168,6 +3168,7 @@
case PRIV_NETINET_CARP:
case PRIV_NETINET_MROUTE:
case PRIV_NETINET_RAW:
+ case PRIV_NETINET_ICMP_ACCESS:
case PRIV_NETINET_ADDRCTRL6:
case PRIV_NETINET_ND6:
case PRIV_NETINET_SCOPE6:
@@ -3386,6 +3387,14 @@
return (0);
else
return (EPERM);
+ /*
+ * Conditionally allow ping.
+ */
+ case PRIV_NETINET_ICMP_ACCESS:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ICMP_ACCESS)
+ return (0);
+ else
+ return (EPERM);
/*
* Since jail implements its own visibility limits on netstat
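Review bot: The comment `Conditionally allow ping.` at line 33 does not say what is actually gated; the case returns EPERM unless the jail carries PR_ALLOW_ICMP_ACCESS, and the raw_ip.c hunk in this diff uses the privilege to control creation of IPPROTO_ICMP raw sockets. Suggest `/* Allow raw ICMP sockets (e.g. ping) only when the jail's PR_ALLOW_ICMP_ACCESS flag is set. */` so the link between privilege, flag and socket type is visible here. The enclosing switch and function begin and end outside the hunk.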
Index: netinet/raw_ip.c
===================================================================
--- netinet/raw_ip.c
+++ netinet/raw_ip.c
@@ -685,6 +685,10 @@
case SOPT_SET:
switch (sopt->sopt_name) {
case IP_HDRINCL:
+ error = priv_check(curthread, PRIV_NETINET_RAW);
+ if (error != 0)
+ return (error);
+
error = sooptcopyin(sopt, &optval, sizeof optval,
sizeof optval);
if (error)
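Review bot: The priv_check added at line 50 has no comment explaining why IP_HDRINCL now needs PRIV_NETINET_RAW on a socket that already exists. Presumably it is because rip_attach in this same diff lets an IPPROTO_ICMP socket be created without the raw privilege, and IP_HDRINCL would otherwise let that socket supply arbitrary IP headers; suggest `/* A socket admitted via PRIV_NETINET_ICMP_ACCESS alone must not supply its own IP header. */` above the check. It passes curthread rather than sopt->sopt_td, which is fine if that matches the other priv_check calls in this function, all of which lie outside the hunk. The enclosing function starts and ends outside the hunk.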
@@ -858,7 +862,12 @@
inp = sotoinpcb(so);
KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
- error = priv_check(td, PRIV_NETINET_RAW);
+ if (proto == IPPROTO_ICMP)
+ error = priv_check(td, PRIV_NETINET_ICMP_ACCESS) &&
+ priv_check(td, PRIV_NETINET_RAW);
+ else
+ error = priv_check(td, PRIV_NETINET_RAW);
+
if (error)
return (error);
if (proto >= IPPROTO_MAX || proto < 0)
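Review bot: `error = priv_check(...) && priv_check(...)` at lines 62–63 stores the boolean result of `&&`, so when both checks fail `error` is 1 rather than the errno value priv_check returned; it only works because EPERM happens to be 1, and it silently discards any other error code. The intended semantics, that either privilege suffices for an IPPROTO_ICMP socket, are right, but they should be spelled out with the fallback check's return value kept, as below. The enclosing function rip_attach starts and ends outside the hunk.
```c
	if (proto == IPPROTO_ICMP) {
		/* Either privilege suffices; keep the errno of the last failed check. */
		error = priv_check(td, PRIV_NETINET_ICMP_ACCESS);
		if (error != 0)
			error = priv_check(td, PRIV_NETINET_RAW);
	} else
		error = priv_check(td, PRIV_NETINET_RAW);
	/* … unchanged: error check and proto range validation … */
```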
Index: sys/jail.h
===================================================================
--- sys/jail.h
+++ sys/jail.h
@@ -231,6 +231,7 @@
#define PR_ALLOW_SOCKET_AF 0x00000040
#define PR_ALLOW_MLOCK 0x00000080
#define PR_ALLOW_READ_MSGBUF 0x00000100
+#define PR_ALLOW_ICMP_ACCESS 0x00000200
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
#define PR_ALLOW_ALL_STATIC 0x000181ff
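Review bot: PR_ALLOW_ALL_STATIC at line 81 still reads 0x000181ff, which does not include the new PR_ALLOW_ICMP_ACCESS bit 0x00000200 added at line 78; presumably anything that uses that mask to validate or enumerate the static allow bits will not recognise the new flag. Suggest `#define PR_ALLOW_ALL_STATIC 0x000183ff` in the same hunk. The bit value itself sits in the unused range between 0x00000100 and 0x00008000, which is fine.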
Index: sys/priv.h
===================================================================
--- sys/priv.h
+++ sys/priv.h
@@ -400,6 +400,7 @@
#define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
#define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
+#define PRIV_NETINET_ICMP_ACCESS 508 /* Allow ICMP ping. */
/*
* Placeholders for IPX/SPX privileges, not supported any more.
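Review bot: The comment `/* Allow ICMP ping. */` at line 90 names a use case rather than what the privilege grants; from the raw_ip.c hunks in this diff it gates creation of IPPROTO_ICMP raw sockets without PRIV_NETINET_RAW. Suggest `/* Create IPPROTO_ICMP raw sockets (ping) without PRIV_NETINET_RAW. */` so readers of priv.h see the real scope.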
