
D49843.id153694.diff

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -231,6 +231,7 @@
{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
+ {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4223,6 +4224,16 @@
else
return (EPERM);
+ /*
+ * Conditionally allow privileged process in the jail to modify
+ * the routing table.
+ */
+ case PRIV_NET_ROUTE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
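Review bot: The new `case PRIV_NET_ROUTE:` tests only `pr_allow & PR_ALLOW_ROUTING` and never checks whether the jail has its own network stack, although the jail.8 text in this diff describes the permission as applying to a non-VNET jail. In that case the table being changed is presumably the host's, shared with the host and every other non-VNET jail, so granting the flag lets jail root redirect or drop traffic outside the jail. The comment should say so, e.g. `* Conditionally allow a privileged process in a non-VNET jail to modify the host's routing table; this affects traffic outside the jail.` It is also worth confirming whether the routing-socket path for PRIV_NET_ROUTE is meant to be covered, since only the netlink handlers change in this diff. The switch begins and ends outside the hunk.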
@@ -4691,6 +4702,8 @@
"B", "Jail may adjust system time");
SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may modify routing table");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@
.name = "RTM_DELROUTE",
.cb = &rtnl_handle_delroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
},
{
.cmd = NL_RTM_NEWROUTE,
.name = "RTM_NEWROUTE",
.cb = &rtnl_handle_newroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
}
};
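Review bot: With `.flags = RTNL_F_ALLOW_NONVNET_JAIL` set on RTM_DELROUTE and RTM_NEWROUTE, the only gate visible here for a non-VNET jail is `.priv = PRIV_NET_ROUTE`, and nothing in the hunk limits which FIB or prefixes such a jail may change. The handlers are outside the hunk, so whether they restrict that cannot be seen from here. A comment above the two entries would help the next auditor: `/* Reachable from non-VNET jails only with allow.routing; changes apply to the host routing table. */`. The earlier entries of the array are outside the hunk.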
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -259,7 +259,8 @@
#define PR_ALLOW_EXTATTR 0x00040000
#define PR_ALLOW_ADJTIME 0x00080000
#define PR_ALLOW_SETTIME 0x00100000
-#define PR_ALLOW_ALL_STATIC 0x001f87ff
+#define PR_ALLOW_ROUTING 0x00200000
+#define PR_ALLOW_ALL_STATIC 0x003f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -710,6 +710,9 @@
.Xr date 1 .
This permission includes also
.Va allow.adjtime .
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
.El
.El
.Pp
