jail manipulation of routing table
lemon
lemon at aldigital.co.uk
Tue May 20 06:23:07 PDT 2003
lemon wrote:
>
>
> maybe i need to patch kern/uipc_socket.c's socreate to be less
> permissive with the unixiproute_only sysctl (rendering it a misnomer,
> perhaps another sysctl altogether would be better).
>
the trivial patch below certainly achieves this; i'm sending it now because
folk might know why it's a bad idea to deny jail routing sockets.
regards, l.
--
lemon at aldigital.co.uk +44 020 8742 0755 http://www.aldigital.co.uk/
system administrivia c6 h8 o7 http://www.thebunker.net/
--- sys/kern/kern_jail.c- Tue May 20 13:36:28 2003
+++ sys/kern/kern_jail.c Tue May 20 13:37:14 2003
@@ -34,10 +34,10 @@
&jail_set_hostname_allowed, 0,
"Processes in jail can set their hostnames");
-int jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
- &jail_socket_unixiproute_only, 0,
- "Processes in jail are limited to creating UNIX/IPv4/route sockets
only");
+int jail_socket_unixip_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixip_only, CTLFLAG_RW,
+ &jail_socket_unixip_only, 0,
+ "Processes in jail are limited to creating UNIX/IPv4 sockets only");
int jail_sysvipc_allowed = 0;
SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
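Review bot: Renaming the OID from socket_unixiproute_only to socket_unixip_only drops the old name without a compatibility alias, so any existing sysctl.conf or rc script that sets jail.socket_unixiproute_only will fail to resolve the OID and silently leave the new knob at its default of 1. Because the value also changes meaning (routing sockets leave the permitted set), it may be cleaner to leave the existing OID untouched and add a separate, independently settable knob for routing sockets, or at least to state the rename and its upgrade impact in the commit message. The same rename appears in the second kern_jail.c hunk and in the jail.h hunk.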
@@ -143,7 +143,7 @@
struct sockaddr_in *sai = (struct sockaddr_in*) sa;
int ok;
- if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+ if ((sai->sin_family != AF_INET) && jail_socket_unixip_only)
ok = 1;
else if (sai->sin_family != AF_INET)
ok = 0;
--- sys/kern/uipc_socket.c- Tue May 20 13:37:26 2003
+++ sys/kern/uipc_socket.c Tue May 20 13:38:14 2003
@@ -140,10 +140,9 @@
if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
return (EPROTONOSUPPORT);
- if (p->p_prison && jail_socket_unixiproute_only &&
+ if (p->p_prison && jail_socket_unixip_only &&
prp->pr_domain->dom_family != PF_LOCAL &&
- prp->pr_domain->dom_family != PF_INET &&
- prp->pr_domain->dom_family != PF_ROUTE) {
+ prp->pr_domain->dom_family != PF_INET) {
return (EPROTONOSUPPORT);
}
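Review bot: Removing PF_ROUTE from the allowed families makes socreate() return EPROTONOSUPPORT for every routing socket opened in a jail whenever the knob is set, and since it defaults to 1 every existing jail loses route(8)/netstat-style routing-table access on upgrade without any opt-in. If the routing socket layer already rejects modifying RTM_* messages from jailed processes through its own privilege check, the remaining exposure is read-only visibility of the host routing table, and a narrower fix would deny only those modifying messages there rather than socket creation here; that check is not visible in this hunk, so it should be confirmed before relying on it. If creation is to be denied, a comment on the condition such as `/* jailed: only local and IPv4 sockets; routing sockets would expose the host routing table */` would record the intent for later readers. socreate() begins and ends outside the hunk.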
--- sys/sys/jail.h- Tue May 20 13:51:28 2003
+++ sys/sys/jail.h Tue May 20 13:51:38 2003
@@ -47,7 +47,7 @@
* Sysctl-set variables that determine global jail policy
*/
extern int jail_set_hostname_allowed;
-extern int jail_socket_unixiproute_only;
+extern int jail_socket_unixip_only;
extern int jail_sysvipc_allowed;
#endif /* !_KERNEL */