svn commit: r220477 - stable/7/sys/net

Bjoern A. Zeeb bz at FreeBSD.org
Sat Apr 9 10:22:18 UTC 2011


Author: bz
Date: Sat Apr  9 10:22:18 2011
New Revision: 220477
URL: http://svn.freebsd.org/changeset/base/220477

Log:
  MFC r219206:
  
    Hide the outer IP addresses of tunnel interfaces (gif(4), gre(4))
    from processes inside jails if the addresses do not belong to the jail.
  
    Originally reported by: Pieter de Boer via remko
    Tested by:	Piotr KUCHARSKI (nospam 42.pl) [gif]
  PR:		kern/151119

Modified:
  stable/7/sys/net/if_gif.c
  stable/7/sys/net/if_gre.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/net/if_gif.c
==============================================================================
--- stable/7/sys/net/if_gif.c	Sat Apr  9 10:19:25 2011	(r220476)
+++ stable/7/sys/net/if_gif.c	Sat Apr  9 10:22:18 2011	(r220477)
@@ -36,6 +36,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
@@ -811,6 +812,12 @@ gif_ioctl(ifp, cmd, data)
 		}
 		if (src->sa_len > size)
 			return EINVAL;
+		error = prison_if(curthread->td_ucred, src);
+		if (error != 0)
+			return (error);
+		error = prison_if(curthread->td_ucred, dst);
+		if (error != 0)
+			return (error);
 		bcopy((caddr_t)src, (caddr_t)dst, src->sa_len);
 #ifdef INET6
 		if (dst->sa_family == AF_INET6) {

Modified: stable/7/sys/net/if_gre.c
==============================================================================
--- stable/7/sys/net/if_gre.c	Sat Apr  9 10:19:25 2011	(r220476)
+++ stable/7/sys/net/if_gre.c	Sat Apr  9 10:22:18 2011	(r220477)
@@ -53,6 +53,7 @@
 #include "opt_inet6.h"
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
@@ -642,6 +643,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
 		si.sin_len = sizeof(struct sockaddr_in);
 		si.sin_addr.s_addr = sc->g_src.s_addr;
 		sa = sintosa(&si);
+		error = prison_if(curthread->td_ucred, sa);
+		if (error != 0)
+			break;
 		ifr->ifr_addr = *sa;
 		break;
 	case GREGADDRD:
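Review bot: The same three-line sequence (build `si`, call prison_if(), `break` on error) is now repeated six times in gre_ioctl — here, and at the GREGADDRD, SIOCGLIFPHYADDR (twice), SIOCGIFPSRCADDR and SIOCGIFPDSTADDR hunks below — and each copy relies on `error` being returned after the switch, which is outside every hunk. A small file-scope helper that builds the sockaddr_in from a `struct in_addr` and performs the jail check would make each case a one-line `if ((error = gre_addr_visible(sc->g_src)) != 0) break;` and keep the family/len initialisation in one place. The note applies to all six sites; it is written once here.
```c
/* Return 0 if the jail of the current thread may see tunnel endpoint a. */
static int
gre_addr_visible(struct in_addr a)
{
	struct sockaddr_in si;

	memset(&si, 0, sizeof(si));
	si.sin_family = AF_INET;
	si.sin_len = sizeof(struct sockaddr_in);
	si.sin_addr = a;
	return (prison_if(curthread->td_ucred, (struct sockaddr *)&si));
}
```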
@@ -650,6 +654,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
 		si.sin_len = sizeof(struct sockaddr_in);
 		si.sin_addr.s_addr = sc->g_dst.s_addr;
 		sa = sintosa(&si);
+		error = prison_if(curthread->td_ucred, sa);
+		if (error != 0)
+			break;
 		ifr->ifr_addr = *sa;
 		break;
 	case SIOCSIFPHYADDR:
@@ -713,8 +720,14 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
 		si.sin_family = AF_INET;
 		si.sin_len = sizeof(struct sockaddr_in);
 		si.sin_addr.s_addr = sc->g_src.s_addr;
+		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+		if (error != 0)
+			break;
 		memcpy(&lifr->addr, &si, sizeof(si));
 		si.sin_addr.s_addr = sc->g_dst.s_addr;
+		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+		if (error != 0)
+			break;
 		memcpy(&lifr->dstaddr, &si, sizeof(si));
 		break;
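Review bot: In the SIOCGLIFPHYADDR case the source address is copied into `lifr->addr` before the destination address has been checked, so when only the second prison_if() fails the reply buffer already holds the source endpoint while the ioctl returns an error; whether that partially filled buffer reaches userland depends on the ioctl copy-out path, which is outside this hunk. Performing both checks first and only then filling in `lifr->addr` and `lifr->dstaddr` removes that dependency and matches the "all or nothing" shape of the other cases. The enclosing case's `si.sin_family`/`si.sin_len` setup is unchanged.
```c
		/* … unchanged: si.sin_family / si.sin_len setup … */
		si.sin_addr.s_addr = sc->g_src.s_addr;
		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
		if (error != 0)
			break;
		si.sin_addr.s_addr = sc->g_dst.s_addr;
		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
		if (error != 0)
			break;
		/* Both endpoints are visible to the caller; fill in the reply. */
		si.sin_addr.s_addr = sc->g_src.s_addr;
		memcpy(&lifr->addr, &si, sizeof(si));
		si.sin_addr.s_addr = sc->g_dst.s_addr;
		memcpy(&lifr->dstaddr, &si, sizeof(si));
		break;
```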
 	case SIOCGIFPSRCADDR:
@@ -729,6 +742,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
 		si.sin_family = AF_INET;
 		si.sin_len = sizeof(struct sockaddr_in);
 		si.sin_addr.s_addr = sc->g_src.s_addr;
+		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+		if (error != 0)
+			break;
 		bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
 		break;
 	case SIOCGIFPDSTADDR:
@@ -743,6 +759,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
 		si.sin_family = AF_INET;
 		si.sin_len = sizeof(struct sockaddr_in);
 		si.sin_addr.s_addr = sc->g_dst.s_addr;
+		error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+		if (error != 0)
+			break;
 		bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
 		break;
 	case GRESKEY:

