Allow PING(8) in jails without raw socket access permissions

Dewayne Geraghty dewayne.geraghty at heuristicsystems.com.au
Sat Oct 24 01:00:42 UTC 2020


On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
> 
> I have currently a patch in review with jamie which is the current jail
> maintainer and kyle evans, if anyone else could comment/review this patch :
> https://reviews.freebsd.org/D26782
> 
> What has been done is the following :
> 
> Raw socket access is allowed for ICMP protocol as is required by
> PING(8) but option IP_HDRINCL is not allowed. To accomplish this
> a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> jails.
> 
> 
> Bests
> 
Thanks for the heads-up, Carlos.  I have a use for allowing only ICMP
traffic, so it's beneficial.

However I do agree with BZ that it should not be enabled by default, as
it weakens the security model, enabling a broken jail to more easily
enumerate the wider network environment.
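An added check, not code from the review or from either poster, that an administrator can compile and run inside a jail to confirm the split Carlos describes: an ICMP raw socket is granted while IP_HDRINCL is refused. The function names (`classify`, `probe_raw_policy`) are my own; the outcome depends on the kernel and privileges the probe runs under.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the calling process may do with raw IP sockets. */
enum raw_policy {
    RAW_DENIED,    /* socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) refused */
    RAW_ICMP_ONLY, /* ICMP raw socket granted, IP_HDRINCL refused */
    RAW_FULL       /* ICMP raw socket granted and IP_HDRINCL accepted */
};

static const char *const policy_name[] = {
    "no raw socket access",
    "ICMP raw socket only (ping works, IP_HDRINCL refused)",
    "full raw socket access (IP_HDRINCL accepted)"
};

/* Pure classification of the two errno values (0 = call succeeded). */
enum raw_policy classify(int sock_err, int hdrincl_err)
{
    if (sock_err != 0)
        return RAW_DENIED;
    return hdrincl_err == 0 ? RAW_FULL : RAW_ICMP_ONLY;
}

/* Probe the running kernel: open an ICMP raw socket, then try IP_HDRINCL. */
enum raw_policy probe_raw_policy(int *sock_err, int *hdrincl_err)
{
    int one = 1, fd;
    *sock_err = *hdrincl_err = 0;
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        *sock_err = errno;
    } else {
        if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0)
            *hdrincl_err = errno;
        close(fd);
    }
    return classify(*sock_err, *hdrincl_err);
}

int main(void)
{
    int se, he, p = probe_raw_policy(&se, &he);
    printf("%s\n", policy_name[p]);
    if (se) printf("socket(): %s\n", strerror(se));
    if (he) printf("setsockopt(IP_HDRINCL): %s\n", strerror(he));
    return 0;
}
```

With the patch applied as proposed, a jail should report the middle line; RAW_FULL from inside a jail is the condition Dewayne's objection is about.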


