netlink: allow netlink sockets in non-vnet jails.

This change allows opening Netlink sockets in non-vnet jails, even for
unprivileged processes.
The security model largely follows the existing one. To be more specific:

  • By default, every NETLINK_ROUTE command is NOT allowed in a non-VNET jail UNLESS the RTNL_F_ALLOW_NONVNET_JAIL flag is specified in the command handler.
  • All notifications are disabled for non-vnet jails (requests to subscribe to the notifications are ignored). This will change to a more fine-grained model once the first netlink provider requiring this gets committed.
  • Listing interfaces (RTM_GETLINK) is allowed w/o limits (including interfaces w/o any addresses attached to the jail). The value of this is questionable, but it follows the existing approach.
  • Listing ARP/NDP neighbours is forbidden. This is a change from the current approach - currently we list static ARP/ND entries belonging to the addresses attached to the jail.
  • Listing interface addresses is allowed, but the addresses are filtered to match only ones attached to the jail.
  • Listing routes is allowed, but the routes are filtered to provide only host routes matching the addresses attached to the jail.
  • By default, every NETLINK_GENERIC command is allowed in a non-VNET jail (as sub-families may be unrelated to networking at all). It is the goal of the family author to implement the restriction if necessary.

MFC after: 1 month