jail manipulation of routing table

lemon lemon at aldigital.co.uk
Tue May 20 06:23:07 PDT 2003


lemon wrote:
> 
> 
> maybe i need to patch kern/uipc_socket.c's socreate to be less 
> permissive with the unixiproute_only sysctl (rendering it a misnomer, 
> perhaps another sysctl altogether would be better).
> 

the trivial patch below certainly achieves this; i'm sending it now because 
folk might know why it would be a bad idea to deny jails routing sockets.

regards, l.

-- 
lemon at aldigital.co.uk	+44 020 8742 0755   http://www.aldigital.co.uk/
system administrivia         c6 h8 o7         http://www.thebunker.net/

--- sys/kern/kern_jail.c-       Tue May 20 13:36:28 2003
+++ sys/kern/kern_jail.c        Tue May 20 13:37:14 2003
@@ -34,10 +34,10 @@
      &jail_set_hostname_allowed, 0,
      "Processes in jail can set their hostnames");

-int    jail_socket_unixiproute_only = 1;
-SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
-    &jail_socket_unixiproute_only, 0,
-    "Processes in jail are limited to creating UNIX/IPv4/route sockets 
only");
+int    jail_socket_unixip_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixip_only, CTLFLAG_RW,
+    &jail_socket_unixip_only, 0,
+    "Processes in jail are limited to creating UNIX/IPv4 sockets only");

  int    jail_sysvipc_allowed = 0;
  SYSCTL_INT(_jail, OID_AUTO, sysvipc_allowed, CTLFLAG_RW,
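Review bot: Renaming the sysctl from jail.socket_unixiproute_only to jail.socket_unixip_only silently invalidates any existing /etc/sysctl.conf entry or script that sets the old name, and because the new variable defaults to 1 an administrator who had deliberately relaxed the old knob to 0 gets the restrictive policy back with no error at all. The same rename runs through the other kern_jail.c hunk, the uipc_socket.c hunk and the jail.h hunk. If the rename is kept, the old OID should either be retained as an alias for a transition period or the removal should be called out explicitly so operators know to update their configuration.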
@@ -143,7 +143,7 @@
         struct sockaddr_in *sai = (struct sockaddr_in*) sa;
         int ok;

-       if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+       if ((sai->sin_family != AF_INET) && jail_socket_unixip_only)
                 ok = 1;
         else if (sai->sin_family != AF_INET)
                 ok = 0;
--- sys/kern/uipc_socket.c-     Tue May 20 13:37:26 2003
+++ sys/kern/uipc_socket.c      Tue May 20 13:38:14 2003
@@ -140,10 +140,9 @@
         if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
                 return (EPROTONOSUPPORT);

-       if (p->p_prison && jail_socket_unixiproute_only &&
+       if (p->p_prison && jail_socket_unixip_only &&
             prp->pr_domain->dom_family != PF_LOCAL &&
-           prp->pr_domain->dom_family != PF_INET &&
-           prp->pr_domain->dom_family != PF_ROUTE) {
+           prp->pr_domain->dom_family != PF_INET) {
                 return (EPROTONOSUPPORT);
         }
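Review bot: Dropping PF_ROUTE from the allowed families makes socreate() return EPROTONOSUPPORT for every routing socket opened from a jail, which blocks not only the route modifications the subject line is concerned with but also read-only consumers of routing sockets such as `netstat -r` and `route get`, and the failure surfaces as an unrelated-looking protocol error rather than EPERM. A narrower mitigation would keep PF_ROUTE permitted here and instead refuse the write messages (RTM_ADD, RTM_DELETE, RTM_CHANGE) from jailed processes in the routing socket's output path in sys/net/rtsock.c, so that reading the table still works while the host routing table cannot be altered from inside a jail. At minimum the sysctl description string in the kern_jail.c hunk should state that routing sockets are now denied, since "UNIX/IPv4 sockets only" does not tell an operator that route lookups will fail. socreate() starts and ends outside the hunk.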

--- sys/sys/jail.h-     Tue May 20 13:51:28 2003
+++ sys/sys/jail.h      Tue May 20 13:51:38 2003
@@ -47,7 +47,7 @@
   * Sysctl-set variables that determine global jail policy
   */
  extern int     jail_set_hostname_allowed;
-extern int     jail_socket_unixiproute_only;
+extern int     jail_socket_unixip_only;
  extern int     jail_sysvipc_allowed;

  #endif /* !_KERNEL */



