[patch] Raw sockets in jails
Julian Elischer
julian at elischer.org
Tue Apr 20 16:09:08 PDT 2004
hooray!
Jails are used for a lot more than just security stuff..
We use them for environment isolation. Security to us is just a minor
point..
If I could I'd like to be able to turn off:
blocking of raw sockets.
blocking of chflags.
only problem is I'd need it against 4.x..
(I guess I can manage that....)
On Tue, 20 Apr 2004, Christian S.J. Peron wrote:
>
> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it useful to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that various network debugging programs like ping
> and traceroute etc. can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appreciate any feedback from testers.
>
> See PR #:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
>
> -------------------- SNIP SNIP ------------------------
>
> --- sys/kern/kern_jail.c.bak Mon Apr 19 16:55:40 2004
> +++ sys/kern/kern_jail.c Mon Apr 19 17:56:03 2004
> @@ -53,6 +53,11 @@
> &jail_sysvipc_allowed, 0,
> "Processes in jail can use System V IPC primitives");
>
> +int jail_allow_raw_sockets = 0;
> +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
> + &jail_allow_raw_sockets, 0,
> + "Prison root can create raw sockets");
> +
> /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */
> struct prisonlist allprison;
> struct mtx allprison_mtx;
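Review bot: the new security.jail.allow_raw_sockets knob is user-visible, yet the patch touches no documentation; it should be described wherever security.jail.sysvipc_allowed (whose SYSCTL_INT this one is inserted under) is documented, and the description string "Prison root can create raw sockets" could name the consequence spelled out in the cover note, that jailed root may then send packets with arbitrary source addresses, so that `sysctl -d` tells an administrator what the knob trades away. Note also that the variable is a host-global int: setting it affects every prison on the machine, not a chosen one.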
> --- sys/netinet/raw_ip.c.b Mon Apr 19 16:23:57 2004
> +++ sys/netinet/raw_ip.c Mon Apr 19 17:55:08 2004
> @@ -40,6 +40,7 @@
> #include "opt_random_ip_id.h"
>
> #include <sys/param.h>
> +#include <sys/jail.h>
> #include <sys/kernel.h>
> #include <sys/lock.h>
> #include <sys/mac.h>
> @@ -505,6 +506,7 @@
> }
> }
>
> +extern int jail_allow_raw_sockets;
> u_long rip_sendspace = RIPSNDQ;
> u_long rip_recvspace = RIPRCVQ;
>
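Review bot: the `extern int jail_allow_raw_sockets;` declaration belongs in a header rather than in the middle of raw_ip.c between the rip_attach() block and the rip_sendspace/rip_recvspace definitions; sys/jail.h, which the earlier hunk already adds to this file's includes, is the natural home, so that the declaration and the definition in kern_jail.c are checked against each other by the compiler and any later consumer of the flag does not repeat the extern.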
> @@ -527,7 +529,11 @@
> INP_INFO_WUNLOCK(&ripcbinfo);
> return EINVAL;
> }
> - if (td && (error = suser(td)) != 0) {
> + if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) {
> + INP_INFO_WUNLOCK(&ripcbinfo);
> + return (EPERM);
> + }
> + if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) {
> INP_INFO_WUNLOCK(&ripcbinfo);
> return error;
> }
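Review bot: the gate `jailed(td->td_ucred) && !jail_allow_raw_sockets` is all-or-nothing for the whole host, so enabling it to let one jail run ping(8) also hands the source-address bypass described in the cover note to every other prison; a per-prison flag (for example a field in struct prison set at jail creation) would let the administrator enable raw sockets only where they are needed. The lock handling is correct (INP_INFO_WUNLOCK before the early return), and the switch from suser(td) to suser_cred(td->td_ucred, PRISON_ROOT) is what actually lets prison root through once the knob is set, while unprivileged jailed users still fail the suser_cred check. Style: `return (EPERM);` uses parentheses where the neighbouring `return EINVAL;` and `return error;` do not; match the surrounding code.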
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
More information about the freebsd-hackers mailing list