svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Allan Jude
allanjude at FreeBSD.org
Tue Jun 6 02:15:02 UTC 2017
Author: allanjude
Date: Tue Jun 6 02:15:00 2017
New Revision: 319611
URL: https://svnweb.freebsd.org/changeset/base/319611
Log:
Jails: Optionally prevent jailed root from binding to privileged ports
You may now optionally specify allow.noreserved_ports to prevent root
inside a jail from using privileged ports (less than 1024)
PR: 217728
Submitted by: Matt Miller <mattm916 at pulsar.neomailbox.ch>
Reviewed by: jamie, cem, smh
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D10202
Modified:
head/sys/kern/kern_jail.c
head/sys/sys/jail.h
head/usr.sbin/jail/jail.8
Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c Tue Jun 6 02:03:22 2017 (r319610)
+++ head/sys/kern/kern_jail.c Tue Jun 6 02:15:00 2017 (r319611)
@@ -199,6 +199,7 @@ static char *pr_allow_names[] = {
"allow.mount.fdescfs",
"allow.mount.linprocfs",
"allow.mount.linsysfs",
+ "allow.reserved_ports",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
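Review bot: The new "allow.reserved_ports" entry is appended to pr_allow_names with nothing saying that its position matters; the array appears to be indexed by flag bit number (the entry lands at index 15, matching PR_ALLOW_RESERVED_PORTS = 0x8000 in the jail.h hunk), so a future name inserted anywhere but the end would silently shift the meaning of every flag after it. A short comment above the array would protect later additions: `/* Order must match the PR_ALLOW_* bit positions in sys/jail.h. */`. The same applies to pr_allow_nonames in the next hunk.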
@@ -218,10 +219,11 @@ static char *pr_allow_nonames[] = {
"allow.mount.nofdescfs",
"allow.mount.nolinprocfs",
"allow.mount.nolinsysfs",
+ "allow.noreserved_ports",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
-#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
+#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
#define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
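Review bot: The JAIL_DEFAULT_ALLOW change turns the new permission on by default without a comment explaining why it differs from the other allow.* flags, which the jail.8 hunk says are off by default. Presumably this keeps existing jails binding reserved ports exactly as they did before the commit, making the restriction opt-in; a one-line comment above the define would record that decision: `/* Reserved ports stay allowed by default so existing jails keep their pre-r319611 behaviour; set allow.noreserved_ports to restrict. */`. Operators who want the restriction must set it explicitly per jail.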
@@ -3304,10 +3306,17 @@ prison_priv_check(struct ucred *cred, int priv)
return (EPERM);
/*
- * Allow jailed root to bind reserved ports and reuse in-use
- * ports.
+ * Conditionally allow jailed root to bind reserved ports.
*/
case PRIV_NETINET_RESERVEDPORT:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
+ return (0);
+ else
+ return (EPERM);
+
+ /*
+ * Allow jailed root to reuse in-use ports.
+ */
case PRIV_NETINET_REUSEPORT:
return (0);
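Review bot: The new PRIV_NETINET_RESERVEDPORT case spells the decision as an `if ... return (0); else return (EPERM);` pair where a single expression reads more directly and makes it obvious that the case no longer falls through to PRIV_NETINET_REUSEPORT: `return ((cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS) ? 0 : EPERM);`. If the neighbouring cases in prison_priv_check use the same if/else form, keeping it for consistency is reasonable. The enclosing prison_priv_check starts and ends outside this hunk.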
@@ -3788,6 +3797,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may bind sockets to reserved ports");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h Tue Jun 6 02:03:22 2017 (r319610)
+++ head/sys/sys/jail.h Tue Jun 6 02:15:00 2017 (r319611)
@@ -230,7 +230,8 @@ struct prison_racct {
#define PR_ALLOW_MOUNT_FDESCFS 0x1000
#define PR_ALLOW_MOUNT_LINPROCFS 0x2000
#define PR_ALLOW_MOUNT_LINSYSFS 0x4000
-#define PR_ALLOW_ALL 0x7fff
+#define PR_ALLOW_RESERVED_PORTS 0x8000
+#define PR_ALLOW_ALL 0xffff
/*
* OSD methods
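Review bot: PR_ALLOW_ALL is widened by hand from 0x7fff to 0xffff to admit the new bit; the next flag added will need the same manual edit, and forgetting it would leave that bit outside the mask wherever PR_ALLOW_ALL is used to validate or clear permissions (its uses are not visible in this hunk). Deriving the mask from the highest flag removes that hazard: `#define PR_ALLOW_ALL ((PR_ALLOW_RESERVED_PORTS << 1) - 1)`. Either way, a comment stating that the mask must cover every PR_ALLOW_* bit would help the next person adding one.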
Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8 Tue Jun 6 02:03:22 2017 (r319610)
+++ head/usr.sbin/jail/jail.8 Tue Jun 6 02:15:00 2017 (r319611)
@@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd April 30, 2016
+.Dd June 5, 2017
.Dt JAIL 8
.Os
.Sh NAME
@@ -483,7 +483,9 @@ and uname -K.
Some restrictions of the jail environment may be set on a per-jail
basis.
With the exception of
-.Va allow.set_hostname ,
+.Va allow.set_hostname
+and
+.Va allow.reserved_ports ,
these boolean parameters are off by default.
.Bl -tag -width indent
.It Va allow.set_hostname
@@ -611,6 +613,8 @@ with non-jailed parts of the system.
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
+.It Va allow.reserved_ports
+The jail root may bind to ports lower than 1024.
.El
.El
.Pp