[patch] Raw sockets in jails

Julian Elischer julian at elischer.org
Tue Apr 20 16:09:08 PDT 2004 

hooray!

Jails are used for a lot mor ethan just security stuff..
We use them for enviromment isolation. Security to us is just a minor
point..
If I could I'd like to be able to turn off:
blocking of raw sockets.
blocking of chflags.

only problem is I'd need it against 4.x.. 
(I guess I can manage that....)

On Tue, 20 Apr 2004, Christian S.J. Peron wrote:

> 
>         Although RAW sockets can be used when specifying the source
>         address of packets (defeating one of the aspects of the jail)
>         some people may find it usefull to use utilities like ping(8)
>         or traceroute(8) from inside jails.
> 
>         Enclosed is a patch I have written which gives you the option
>         of allowing prison-root to create raw sockets inside the prison,
>         so that programs various network debugging programs like ping
>         and traceroute etc can be used.
> 
>         This patch will create the security.jail.allow_raw_sockets sysctl
>         MIB. I would appriciate any feed-back from testers
> 
> 	See PR #:
> 	http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
> 
> -------------------- SNIP SNIP ------------------------
> 
> --- sys/kern/kern_jail.c.bak	Mon Apr 19 16:55:40 2004
> +++ sys/kern/kern_jail.c	Mon Apr 19 17:56:03 2004
> @@ -53,6 +53,11 @@
>      &jail_sysvipc_allowed, 0,
>      "Processes in jail can use System V IPC primitives");
>  
> +int	jail_allow_raw_sockets = 0;
> +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
> +    &jail_allow_raw_sockets, 0,
> +    "Prison root can create raw sockets");
> +
>  /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
>  struct	prisonlist allprison;
>  struct	mtx allprison_mtx;
> --- sys/netinet/raw_ip.c.b	Mon Apr 19 16:23:57 2004
> +++ sys/netinet/raw_ip.c	Mon Apr 19 17:55:08 2004
> @@ -40,6 +40,7 @@
>  #include "opt_random_ip_id.h"
>  
>  #include <sys/param.h>
> +#include <sys/jail.h>
>  #include <sys/kernel.h>
>  #include <sys/lock.h>
>  #include <sys/mac.h>
> @@ -505,6 +506,7 @@
>  	}
>  }
>  
> +extern int jail_allow_raw_sockets;
>  u_long	rip_sendspace = RIPSNDQ;
>  u_long	rip_recvspace = RIPRCVQ;
>  
> @@ -527,7 +529,11 @@
>  		INP_INFO_WUNLOCK(&ripcbinfo);
>  		return EINVAL;
>  	}
> -	if (td && (error = suser(td)) != 0) {
> +	if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) {
> +		INP_INFO_WUNLOCK(&ripcbinfo);
> +		return (EPERM);
> +	}
> +	if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) {
>  		INP_INFO_WUNLOCK(&ripcbinfo);
>  		return error;
>  	}
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>

More information about the freebsd-hackers mailing list