From owner-freebsd-jail@freebsd.org Sun Dec 9 20:11:35 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B3B1A132D9CB for ; Sun, 9 Dec 2018 20:11:35 +0000 (UTC) (envelope-from cedric.maunoury@gmail.com) Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D669779796 for ; Sun, 9 Dec 2018 20:11:34 +0000 (UTC) (envelope-from cedric.maunoury@gmail.com) Received: by mail-wr1-x42e.google.com with SMTP id x10so8440396wrs.8 for ; Sun, 09 Dec 2018 12:11:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:date:subject:message-id :to; bh=K3N7P3xYQCc/2nTTvo4qFeFTEKgQRaG2blQZC/bTJlM=; b=WOWEz+jVdLALC7MxRprwdRe0ZHe17IQxS4QERHlyqm+0uEvcn45lm63i5tqlBo/Peq a0C5WbiSPQfoQ/38h/J0+Lqhz+mX7DJJ4U/IjUzfJO6Wni5sdzViR/aqCb5kA09r/B2c c30KPtVCv79LVPAKPOC6pClpNr1gcSYpuqXoUjJvL8aujb4l6v5aZtAYCJysmKqu+RGx OnWXsYl6U/YbWOOUcXO9x2nir2M+gg1sfgnaoOoy7SQoayvxYKm6RxuNdaHsfgjD9Ki1 5/q/0jiDDUXE1/rzETkw6ZMCd5MzaqA/28Z57A+sPmMUQiEko/D/5NgasxMgkKyMXsyf /+Sg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version:date :subject:message-id:to; bh=K3N7P3xYQCc/2nTTvo4qFeFTEKgQRaG2blQZC/bTJlM=; b=h+9+HtFwd84Zwu9KKvwpvkaiQokYFvrUXXLcCQ+Iv9sFWEkz6nFTJLCCNq05O7CRQ0 EnkPrcJSC8wH2SsfnpTxI862JoTZye+bZH4BvB7IlLkoxRoXWQ/qm9grgu9dwKEt0ge1 ZksdGJaJa57oQB+hEZmfhQVw9UpRnmNwxnqX0ElHJs+FZZq/yEHy1gNy+8hdAS4qDfhs myZtCB062ZkrueE9ME16wU8DhY7gUrnFVbeeVqNZAu6HMJDKpO2rE8TXZWYfA4Vi73Pa C3sWkzEb7isYTYGCjdG87fuj78XpgkqM3RAWH3M5KiKW/n3qZY1UvCVeZ9qKt3bZlP7r k1kQ== X-Gm-Message-State: AA+aEWbfS1l+QZWfxvexGAYn84WbS5i39X3Cxjujr8cpqDsmYGkKwQ/6 qmhx/Vhdie69zQ8iPSt3z6xCqgx1 X-Google-Smtp-Source: AFSGD/UaJmAOgjiKTfUth6yYONxKq+FWGSDPvqlDJbAgI+W9Es+/u7UEYhqPEwzYHNTl9uNCGAeFhw== X-Received: by 2002:adf:de91:: with SMTP id w17mr8361046wrl.320.1544386293495; Sun, 09 Dec 2018 12:11:33 -0800 (PST) Received: from [192.168.1.14] (lfbn-1-1436-244.w86-253.abo.wanadoo.fr. [86.253.64.244]) by smtp.gmail.com with ESMTPSA id p74sm11694433wmd.29.2018.12.09.12.11.32 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 09 Dec 2018 12:11:32 -0800 (PST) From: =?utf-8?Q?C=C3=A9dric_Maunoury?= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) Date: Sun, 9 Dec 2018 21:11:27 +0100 Subject: setfib allowed in jail Message-Id: To: freebsd-jail@freebsd.org X-Mailer: iPhone Mail (15G77) X-Rspamd-Queue-Id: D669779796 X-Spamd-Result: default: False [-5.25 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2a00:1450:4000::/36]; MV_CASE(0.50)[]; TO_DN_NONE(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; RCVD_COUNT_THREE(0.00)[3]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; DKIM_TRACE(0.00)[gmail.com:+]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; NEURAL_HAM_SHORT(-0.96)[-0.956,0]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-2.29)[ip: (-8.53), ipnet: 2a00:1450::/32(-1.52), asn: 15169(-1.30), country: US(-0.09)]; RCVD_TLS_LAST(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]; TAGGED_FROM(0.00)[]; ARC_NA(0.00)[]; SUBJECT_ENDS_SPACES(0.50)[]; R_DKIM_ALLOW(-0.20)[gmail.com]; MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-jail@freebsd.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; RCPT_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[e.2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.list.dnswl.org : 127.0.5.0] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 09 Dec 2018 20:11:36 -0000 Hello everyone, It=E2=80=99s my first mail on this mailing list... Thus, please forgive me i= f I do something wrong :) I was playing on a FreeBSD 11.2 with jails and I was surprised to be able to= succesfully launch setfib from inside a jail... that means I can use an oth= er routing table than the one configured in the jail configuration file. To me, it should be forbidden. The patch would be to add the following lines= at the beginning of the function sys_setfib (sys/net/route.c) - not tested := =E2=80=94=E2=80=94 if jailed(td->td_ucred) return EPERM =E2=80=94=E2=80=94 Thanks, C=C3=A9dric=20= From owner-freebsd-jail@freebsd.org Mon Dec 10 16:50:17 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id EE95B132C4A2; Mon, 10 Dec 2018 16:50:16 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (gritton.org [199.192.165.131]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (Client CN "gritton.org", Issuer "gritton.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 58B718286A; Mon, 10 Dec 2018 16:50:16 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org ([127.0.0.131]) by gritton.org (8.15.2/8.15.2) with ESMTP id wBAGYnjB090513; Mon, 10 Dec 2018 09:34:49 -0700 (MST) (envelope-from jamie@freebsd.org) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Date: Mon, 10 Dec 2018 09:34:49 -0700 From: James Gritton To: =?UTF-8?Q?C=C3=A9dric_Maunoury?= Cc: freebsd-jail@freebsd.org, owner-freebsd-jail@freebsd.org Subject: Re: setfib allowed in jail In-Reply-To: References: Message-ID: <355cf761f1421e942941d5dee7569019@freebsd.org> X-Sender: jamie@freebsd.org User-Agent: Roundcube Webmail/1.3.8 X-Rspamd-Queue-Id: 58B718286A X-Spamd-Result: default: False [-2.97 / 15.00]; TAGGED_RCPT(0.00)[]; local_wl_from(0.00)[freebsd.org]; NEURAL_HAM_SHORT(-0.98)[-0.979,0]; NEURAL_HAM_MEDIUM(-0.99)[-0.995,0]; ASN(0.00)[asn:30247, ipnet:199.192.164.0/22, country:US]; NEURAL_HAM_LONG(-0.99)[-0.992,0] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Dec 2018 16:50:17 -0000 On 2018-12-09 13:11, Cédric Maunoury wrote: > Hello everyone, > > It’s my first mail on this mailing list... Thus, please forgive me if > I do something wrong :) > > I was playing on a FreeBSD 11.2 with jails and I was surprised to be > able to succesfully launch setfib from inside a jail... that means I > can use an other routing table than the one configured in the jail > configuration file. > > To me, it should be forbidden. The patch would be to add the following > lines at the beginning of the function sys_setfib (sys/net/route.c) - > not tested : > —— > if jailed(td->td_ucred) > return EPERM > —— If a jail isn't restricted to a particular FIB, then there should be no restriction on this system call. So you would need to not only check if the process is jailed, but if that jail has its FIB restricted. And that's where things take an unexpected turn: *no* jails have their FIBs restricted. The exec.fib parameter, like all of exec.*, is among the pseudo-parameters that don't actually set anything in the jail but are just a convenience in setting up the jail creation environment. In particular, if set it calls setfib(2) before executing anything inside the jail. It never actually associated an FIB with the jail itself. That doesn't mean there's no advantage to changing jails to have an FIB associated with them. It's already an issue, in that jexec(8) isn't aware of these pseudo-parameters, and doesn't call setfib(2) before entering the jail. It would make sense not only to do that, but also to be able to restrict a jail to a particular FIB. - Jamie