From owner-freebsd-security@FreeBSD.ORG Mon Apr 19 18:56:39 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 582B316A4CF for ; Mon, 19 Apr 2004 18:56:39 -0700 (PDT) Received: from staff.seccuris.com (staff.seccuris.com [204.112.0.40]) by mx1.FreeBSD.org (Postfix) with SMTP id C22AB43D45 for ; Mon, 19 Apr 2004 18:56:38 -0700 (PDT) (envelope-from maneo@bsdpro.com) Received: (qmail 85734 invoked by uid 1006); 20 Apr 2004 01:56:38 -0000 Date: Tue, 20 Apr 2004 01:56:38 +0000 From: "Christian S.J. Peron" To: freebsd-hackers@FreeBSD.org Message-ID: <20040420015638.A84821@staff.seccuris.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i X-Mailman-Approved-At: Tue, 20 Apr 2004 02:16:30 -0700 cc: freebsd-security@FreeBSD.org Subject: [patch] Raw sockets in jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Apr 2004 01:56:39 -0000 Although RAW sockets can be used when specifying the source address of packets (defeating one of the aspects of the jail) some people may find it usefull to use utilities like ping(8) or traceroute(8) from inside jails. Enclosed is a patch I have written which gives you the option of allowing prison-root to create raw sockets inside the prison, so that programs various network debugging programs like ping and traceroute etc can be used. This patch will create the security.jail.allow_raw_sockets sysctl MIB. I would appriciate any feed-back from testers See PR #: http://www.freebsd.org/cgi/query-pr.cgi?pr=65800 -------------------- SNIP SNIP ------------------------ --- sys/kern/kern_jail.c.bak Mon Apr 19 16:55:40 2004 +++ sys/kern/kern_jail.c Mon Apr 19 17:56:03 2004 @@ -53,6 +53,11 @@ &jail_sysvipc_allowed, 0, "Processes in jail can use System V IPC primitives"); +int jail_allow_raw_sockets = 0; +SYSCTL_INT(_security_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW, + &jail_allow_raw_sockets, 0, + "Prison root can create raw sockets"); + /* allprison, lastprid, and prisoncount are protected by allprison_mtx. */ struct prisonlist allprison; struct mtx allprison_mtx; --- sys/netinet/raw_ip.c.b Mon Apr 19 16:23:57 2004 +++ sys/netinet/raw_ip.c Mon Apr 19 17:55:08 2004 @@ -40,6 +40,7 @@ #include "opt_random_ip_id.h" #include +#include #include #include #include @@ -505,6 +506,7 @@ } } +extern int jail_allow_raw_sockets; u_long rip_sendspace = RIPSNDQ; u_long rip_recvspace = RIPRCVQ; @@ -527,7 +529,11 @@ INP_INFO_WUNLOCK(&ripcbinfo); return EINVAL; } - if (td && (error = suser(td)) != 0) { + if (td && jailed(td->td_ucred) && !jail_allow_raw_sockets) { + INP_INFO_WUNLOCK(&ripcbinfo); + return (EPERM); + } + if (td && (error = suser_cred(td->td_ucred, PRISON_ROOT)) != 0) { INP_INFO_WUNLOCK(&ripcbinfo); return error; }