Page Menu
Home
FreeBSD
Search
Configure Global Search
Log In
Files
F153317517
D49843.id153694.diff
No One
Temporary
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Flag For Later
Award Token
Size
2 KB
Referenced Files
None
Subscribers
None
D49843.id153694.diff
View Options
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -231,6 +231,7 @@
{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
+ {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4223,6 +4224,16 @@
else
return (EPERM);
+ /*
+ * Conditionally allow privileged process in the jail to modify
+ * the routing table.
+ */
+ case PRIV_NET_ROUTE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
@@ -4691,6 +4702,8 @@
"B", "Jail may adjust system time");
SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may modify routing table");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@
.name = "RTM_DELROUTE",
.cb = &rtnl_handle_delroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
},
{
.cmd = NL_RTM_NEWROUTE,
.name = "RTM_NEWROUTE",
.cb = &rtnl_handle_newroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
}
};
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -259,7 +259,8 @@
#define PR_ALLOW_EXTATTR 0x00040000
#define PR_ALLOW_ADJTIME 0x00080000
#define PR_ALLOW_SETTIME 0x00100000
-#define PR_ALLOW_ALL_STATIC 0x001f87ff
+#define PR_ALLOW_ROUTING 0x00200000
+#define PR_ALLOW_ALL_STATIC 0x003f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -710,6 +710,9 @@
.Xr date 1 .
This permission includes also
.Va allow.adjtime .
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
.El
.El
.Pp
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Tue, Apr 21, 10:59 AM (18 h, 58 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
31905978
Default Alt Text
D49843.id153694.diff (2 KB)
Attached To
Mode
D49843: jail: add allow.routing jail permission
Attached
Detach File
Event Timeline
Log In to Comment