git: 3a53fe2cc4b7 - main - jail: add allow.routing jail permission
Date: Mon, 12 May 2025 22:27:18 UTC
The branch main has been updated by ivy:
URL: https://cgit.FreeBSD.org/src/commit/?id=3a53fe2cc4b7076003163376a7db65e432f6283e
commit 3a53fe2cc4b7076003163376a7db65e432f6283e
Author: Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-05-11 02:01:25 +0000
Commit: Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-05-12 22:13:18 +0000
jail: add allow.routing jail permission
If allow.routing is set, the jail can modify the system routing table
even if it's not a VNET jail.
Reviewed by: kevans, des, adrian
Approved by: kevans (mentor), des (mentor)
Differential Revision: https://reviews.freebsd.org/D49843
---
sys/kern/kern_jail.c | 13 +++++++++++++
sys/netlink/route/rt.c | 2 ++
sys/sys/jail.h | 3 ++-
usr.sbin/jail/jail.8 | 5 ++++-
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index b0b0fa50e648..d4529e096929 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -231,6 +231,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
{"allow.extattr", "allow.noextattr", PR_ALLOW_EXTATTR},
{"allow.adjtime", "allow.noadjtime", PR_ALLOW_ADJTIME},
{"allow.settime", "allow.nosettime", PR_ALLOW_SETTIME},
+ {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4224,6 +4225,16 @@ prison_priv_check(struct ucred *cred, int priv)
else
return (EPERM);
+ /*
+ * Conditionally allow privileged process in the jail to modify
+ * the routing table.
+ */
+ case PRIV_NET_ROUTE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
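Review bot: The new PRIV_NET_ROUTE case grants the privilege without stating its scope: in a non-VNET jail the table being modified is the system routing table, which the host and every other non-VNET jail share, so allow.routing is in effect a host-wide routing permission rather than a jail-local one. The block comment should say so, e.g. `* Conditionally allow privileged process in the jail to modify the` / `* routing table.  A non-VNET jail shares the system table, so this` / `* affects the host and every other non-VNET jail.` A VNET jail presumably reaches this privilege through a different path earlier in prison_priv_check (not visible in the hunk); if so, a pointer to it in the same comment would help the next reader. prison_priv_check begins and ends outside this hunk.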
@@ -4692,6 +4703,8 @@ SYSCTL_JAIL_PARAM(_allow, adjtime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may adjust system time");
SYSCTL_JAIL_PARAM(_allow, settime, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set system time");
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may modify routing table");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 30dab2b0d8cf..dcd19b43105c 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = {
.name = "RTM_DELROUTE",
.cb = &rtnl_handle_delroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
},
{
.cmd = NL_RTM_NEWROUTE,
.name = "RTM_NEWROUTE",
.cb = &rtnl_handle_newroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
}
};
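Review bot: RTNL_F_ALLOW_NONVNET_JAIL on RTM_NEWROUTE and RTM_DELROUTE only lets the request reach the handler; the actual authorization is the `.priv = PRIV_NET_ROUTE` line immediately above each new flag, which the same commit makes conditional on allow.routing in prison_priv_check. That coupling is invisible from this table, so each flagged entry deserves a short comment, e.g. `.flags = RTNL_F_ALLOW_NONVNET_JAIL, /* gated by PRIV_NET_ROUTE, i.e. allow.routing */`. Whether other route-mutating commands elsewhere in cmd_handlers, or the non-netlink routing socket path, need the same treatment cannot be determined from this hunk and is worth confirming so the new permission behaves consistently across interfaces.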
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 90fcf8cd5a47..08caa9f49270 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -259,7 +259,8 @@ struct prison_racct {
#define PR_ALLOW_EXTATTR 0x00040000
#define PR_ALLOW_ADJTIME 0x00080000
#define PR_ALLOW_SETTIME 0x00100000
-#define PR_ALLOW_ALL_STATIC 0x001f87ff
+#define PR_ALLOW_ROUTING 0x00200000
+#define PR_ALLOW_ALL_STATIC 0x003f87ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 3426f4f0d600..8d7bc25a8694 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 19, 2024
+.Dd May 11, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -710,6 +710,9 @@ For example through utilities like
.Xr date 1 .
This permission includes also
.Va allow.adjtime .
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
.El
.El
.Pp