Allow PING(8) in jails without raw socket access permissions
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Sat Oct 24 01:00:42 UTC 2020
On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
>
> I have currently a patch in review with jamie which is the current jail
> maintainer and kyle evans, if anyone else could comment/review this patch :
> https://reviews.freebsd.org/D26782
>
> What has been done is the following :
>
> Raw socket access is allowed for ICMP protocol as is required by
> PING(8) but option IP_HDRINCL is not allowed. To accomplish this
> a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> jails.
>
>
> Bests
Thanks for the heads-up, Carlos. I have a use for allowing only icmp
traffic, so it's beneficial.
However I do agree with BZ that it should not be enabled by default, as
it weakens the security model, enabling a broken jail to more easily
enumerate the wider network environment.
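The distinction the patch draws is between what ping(8) needs (a raw ICMP socket on which the kernel still builds the IP header) and what it keeps denied (IP_HDRINCL, which lets the process supply its own IP header). The program below is an added illustration, not code from this thread or from review D26782: it builds a checksummed ICMP echo request the way ping does, and separately probes whether the current jail grants the raw ICMP socket and whether IP_HDRINCL is accepted on it. The errno values a jail reports for the denied cases are not stated in the thread, so the probe simply records whatever the kernel returns; the constant name ICMP_ECHO_REQUEST and the struct layout are defined locally to stay portable.

```c
/* Added example: ICMP echo request construction plus a jail-policy probe.
 * Not part of the mailing-list thread or the D26782 patch. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define ICMP_ECHO_REQUEST 8   /* RFC 792 type for echo request */

/* Minimal ICMP echo header (RFC 792); 8 bytes, no padding. */
struct icmp_echo {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint16_t id;
    uint16_t seq;
};

/* RFC 1071 one's-complement checksum over a byte buffer (big-endian words). */
uint16_t icmp_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an ICMP echo request (header + payload) into buf.
 * Returns the total length, or 0 if buf is too small.
 * This is all ping needs: passed to sendto() on a SOCK_RAW/IPPROTO_ICMP
 * socket, the kernel prepends the IP header itself. */
size_t build_echo_request(uint8_t *buf, size_t buflen, uint16_t id, uint16_t seq,
                          const uint8_t *payload, size_t payload_len)
{
    struct icmp_echo hdr;
    size_t total = sizeof hdr + payload_len;
    if (buflen < total)
        return 0;
    memset(&hdr, 0, sizeof hdr);
    hdr.type = ICMP_ECHO_REQUEST;
    hdr.code = 0;
    hdr.id = htons(id);
    hdr.seq = htons(seq);
    memcpy(buf, &hdr, sizeof hdr);
    if (payload_len)
        memcpy(buf + sizeof hdr, payload, payload_len);
    uint16_t csum = icmp_checksum(buf, total);  /* computed with field zeroed */
    buf[2] = (uint8_t)(csum >> 8);              /* store in network byte order */
    buf[3] = (uint8_t)(csum & 0xff);
    return total;
}

/* Outcome of probing the jail's raw-ICMP policy from inside. */
struct raw_icmp_probe {
    int raw_socket_errno;  /* 0 if socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) succeeded */
    int hdrincl_errno;     /* 0 if IP_HDRINCL was accepted (undesirable in a jail);
                              -1 if not tested because the socket call failed */
};

struct raw_icmp_probe probe_raw_icmp(void)
{
    struct raw_icmp_probe r = { 0, -1 };
    int one = 1;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        r.raw_socket_errno = errno;   /* jail (or lack of privilege) denied raw ICMP */
        return r;
    }
    /* Expected outcome under the reviewed policy: the socket exists but
     * asking to supply our own IP header is refused. */
    r.hdrincl_errno = (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one) < 0)
                      ? errno : 0;
    close(fd);
    return r;
}

int main(void)
{
    uint8_t pkt[64];
    const uint8_t payload[] = "probe";            /* constructed sample payload */
    size_t n = build_echo_request(pkt, sizeof pkt, 0x1234, 1, payload, sizeof payload - 1);
    printf("echo request: %zu bytes, checksum verifies to %u\n",
           n, icmp_checksum(pkt, n));             /* 0 means the checksum is consistent */

    struct raw_icmp_probe p = probe_raw_icmp();
    printf("raw ICMP socket: %s\n", p.raw_socket_errno ? strerror(p.raw_socket_errno) : "allowed");
    if (p.hdrincl_errno >= 0)
        printf("IP_HDRINCL: %s\n", p.hdrincl_errno ? strerror(p.hdrincl_errno) : "ACCEPTED");
    return 0;
}
```

Run inside and outside the jail to compare: the policy Carlos describes should yield "raw ICMP socket: allowed" together with a refused IP_HDRINCL, while a jail with raw sockets fully disabled fails at the socket() call. The packet-building half never touches the IP layer, which is exactly why ping works without IP_HDRINCL.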