svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Fabian Keil
freebsd-listen at fabiankeil.de
Tue Jun 6 09:47:07 UTC 2017
Allan Jude <allanjude at FreeBSD.org> wrote:
> Author: allanjude
> Date: Tue Jun 6 02:15:00 2017
> New Revision: 319611
> URL: https://svnweb.freebsd.org/changeset/base/319611
>
> Log:
> Jails: Optionally prevent jailed root from binding to privileged ports
>
> You may now optionally specify allow.noreserved_ports to prevent root
> inside a jail from using privileged ports (less than 1024)
>
> PR: 217728
> Submitted by: Matt Miller <mattm916 at pulsar.neomailbox.ch>
> Reviewed by: jamie, cem, smh
> Relnotes: yes
> Differential Revision: https://reviews.freebsd.org/D10202
>
> Modified:
> head/sys/kern/kern_jail.c
> head/sys/sys/jail.h
> head/usr.sbin/jail/jail.8
[...]
> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
> Sockets within a jail are normally restricted to IPv4, IPv6, local
> (UNIX), and route. This allows access to other protocol stacks that
> have not had jail functionality added to them.
> +.It Va allow.reserved_ports
> +The jail root may bind to ports lower than 1024.
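Review bot: the new allow.reserved_ports entry in jail.8 states neither the default nor the negated form. The commit log introduces the feature as allow.noreserved_ports, which a reader of this entry alone would not find; consider adding a sentence saying whether the parameter is set by default and that allow.noreserved_ports stops jailed root from binding to these ports. The fixed "lower than 1024" could also be worded in terms of the reserved port range, given the point raised in the reply about net.inet.ip.portrange.reservedhigh.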
This description seems to imply that net.inet.ip.portrange.reservedhigh
isn't honoured while it actually is.
Fabian