git: 4b147fd312d5 - stable/14 - jail: add allow.routing jail permission
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 21 May 2025 03:40:23 UTC
The branch stable/14 has been updated by ivy:
URL: https://cgit.FreeBSD.org/src/commit/?id=4b147fd312d5b007bd15563fdaed74f5b9f74c56
commit 4b147fd312d5b007bd15563fdaed74f5b9f74c56
Author: Lexi Winter <ivy@FreeBSD.org>
AuthorDate: 2025-05-11 02:01:25 +0000
Commit: Lexi Winter <ivy@FreeBSD.org>
CommitDate: 2025-05-21 02:55:42 +0000
jail: add allow.routing jail permission
if allow.routing is set, the jail can modify the system routing table
even if it's not a VNET jail.
Reviewed by: kevans, des, adrian
Approved by: kevans (mentor), des (mentor)
Differential Revision: https://reviews.freebsd.org/D49843
(cherry picked from commit 3a53fe2cc4b7076003163376a7db65e432f6283e)
---
sys/kern/kern_jail.c | 13 +++++++++++++
sys/netlink/route/rt.c | 2 ++
sys/sys/jail.h | 3 ++-
usr.sbin/jail/jail.8 | 5 ++++-
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 99cf8f731c48..b14b3218ebb7 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -226,6 +226,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
#ifdef VIMAGE
{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
#endif
+ {"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
};
static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@@ -4142,6 +4143,16 @@ prison_priv_check(struct ucred *cred, int priv)
return (0);
return (EPERM);
+ /*
+ * Conditionally allow privileged process in the jail to modify
+ * the routing table.
+ */
+ case PRIV_NET_ROUTE:
+ if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+ return (0);
+ else
+ return (EPERM);
+
default:
/*
* In all remaining cases, deny the privilege request. This
@@ -4604,6 +4615,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
"B", "Mountd/nfsd may run in the jail");
#endif
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+ "B", "Jail may modify routing table");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
index 7cd6e0045f01..7a6ba6ef27c5 100644
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = {
.name = "RTM_DELROUTE",
.cb = &rtnl_handle_delroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
},
{
.cmd = NL_RTM_NEWROUTE,
.name = "RTM_NEWROUTE",
.cb = &rtnl_handle_newroute,
.priv = PRIV_NET_ROUTE,
+ .flags = RTNL_F_ALLOW_NONVNET_JAIL,
}
};
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 0b0ee9cdde0f..7fbb71ee31f8 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -253,7 +253,8 @@ struct prison_racct {
#define PR_ALLOW_RESERVED_PORTS 0x00008000
#define PR_ALLOW_KMEM_ACCESS 0x00010000 /* reserved, not used yet */
#define PR_ALLOW_NFSD 0x00020000
-#define PR_ALLOW_ALL_STATIC 0x000387ff
+#define PR_ALLOW_ROUTING 0x00040000
+#define PR_ALLOW_ALL_STATIC 0x000787ff
/*
* PR_ALLOW_DIFFERENCES determines which flags are able to be
diff --git a/usr.sbin/jail/jail.8 b/usr.sbin/jail/jail.8
index 7fc5357adfd3..73014315012b 100644
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 19, 2024
+.Dd May 11, 2025
.Dt JAIL 8
.Os
.Sh NAME
@@ -642,6 +642,9 @@ sysctl.
The super-user will be disabled automatically if its parent system has it
disabled.
The super-user is enabled by default.
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
.El
.El
.Pp