Date:      Tue, 6 Jun 2017 02:15:01 +0000 (UTC)
From:      Allan Jude <allanjude@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Message-ID:  <201706060215.v562F167035683@repo.freebsd.org>

Author: allanjude
Date: Tue Jun  6 02:15:00 2017
New Revision: 319611
URL: https://svnweb.freebsd.org/changeset/base/319611

Log:
  Jails: Optionally prevent jailed root from binding to privileged ports
  
  You may now optionally specify allow.noreserved_ports to prevent root
  inside a jail from using privileged ports (less than 1024)
  
  PR:		217728
  Submitted by:	Matt Miller <mattm916@pulsar.neomailbox.ch>
  Reviewed by:	jamie, cem, smh
  Relnotes:	yes
  Differential Revision:	https://reviews.freebsd.org/D10202

Modified:
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c	Tue Jun  6 02:03:22 2017	(r319610)
+++ head/sys/kern/kern_jail.c	Tue Jun  6 02:15:00 2017	(r319611)
@@ -199,6 +199,7 @@ static char *pr_allow_names[] = {
 	"allow.mount.fdescfs",
 	"allow.mount.linprocfs",
 	"allow.mount.linsysfs",
+	"allow.reserved_ports",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
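Review bot: The new `"allow.reserved_ports"` entry is appended last, which only maps to PR_ALLOW_RESERVED_PORTS if pr_allow_names is indexed by bit position (index 15 for 0x8000); nothing in this hunk or in the matching pr_allow_nonames hunk below pins that relationship, so a later out-of-order insertion would silently attach a name to the wrong flag. If the arrays are positional, as the exported size constants suggest, a compile-time check such as `CTASSERT(nitems(pr_allow_names) == nitems(pr_allow_nonames));`, plus one tying that count to the highest PR_ALLOW_* bit in sys/jail.h, would catch the drift at build time. The array definition begins outside the hunk.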
@@ -218,10 +219,11 @@ static char *pr_allow_nonames[] = {
 	"allow.mount.nofdescfs",
 	"allow.mount.nolinprocfs",
 	"allow.mount.nolinsysfs",
+	"allow.noreserved_ports",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
-#define	JAIL_DEFAULT_ALLOW		PR_ALLOW_SET_HOSTNAME
+#define	JAIL_DEFAULT_ALLOW		(PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
 #define	JAIL_DEFAULT_ENFORCE_STATFS	2
 #define	JAIL_DEFAULT_DEVFS_RSNUM	0
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
@@ -3304,10 +3306,17 @@ prison_priv_check(struct ucred *cred, int priv)
 			return (EPERM);
 
 		/*
-		 * Allow jailed root to bind reserved ports and reuse in-use
-		 * ports.
+		 * Conditionally allow jailed root to bind reserved ports.
 		 */
 	case PRIV_NETINET_RESERVEDPORT:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
+		 * Allow jailed root to reuse in-use ports.
+		 */
 	case PRIV_NETINET_REUSEPORT:
 		return (0);
 
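Review bot: The rewritten comment above `case PRIV_NETINET_RESERVEDPORT:` says "Conditionally" without naming the condition, so a reader has to find the pr_allow test in the case body; suggest `Allow jailed root to bind reserved ports only when allow.reserved_ports is set (on by default).` The two-return `if`/`else` matches the idiom the other pr_allow cases in this function already use, so keeping it is reasonable. The decision now rests entirely on the bit stored in the jail's pr_allow; whether a child jail can hold the bit when its parent does not depends on the inheritance rules elsewhere in kern_jail.c, which this hunk does not show. prison_priv_check begins and ends outside the hunk.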
@@ -3788,6 +3797,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLA
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may bind sockets to reserved ports");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,

Modified: head/sys/sys/jail.h
==============================================================================
--- head/sys/sys/jail.h	Tue Jun  6 02:03:22 2017	(r319610)
+++ head/sys/sys/jail.h	Tue Jun  6 02:15:00 2017	(r319611)
@@ -230,7 +230,8 @@ struct prison_racct {
 #define	PR_ALLOW_MOUNT_FDESCFS		0x1000
 #define	PR_ALLOW_MOUNT_LINPROCFS	0x2000
 #define	PR_ALLOW_MOUNT_LINSYSFS		0x4000
-#define	PR_ALLOW_ALL			0x7fff
+#define	PR_ALLOW_RESERVED_PORTS		0x8000
+#define	PR_ALLOW_ALL			0xffff
 
 /*
  * OSD methods

Modified: head/usr.sbin/jail/jail.8
==============================================================================
--- head/usr.sbin/jail/jail.8	Tue Jun  6 02:03:22 2017	(r319610)
+++ head/usr.sbin/jail/jail.8	Tue Jun  6 02:15:00 2017	(r319611)
@@ -25,7 +25,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 30, 2016
+.Dd June 5, 2017
 .Dt JAIL 8
 .Os
 .Sh NAME
@@ -483,7 +483,9 @@ and uname -K.
 Some restrictions of the jail environment may be set on a per-jail
 basis.
 With the exception of
-.Va allow.set_hostname ,
+.Va allow.set_hostname 
+and
+.Va allow.reserved_ports ,
 these boolean parameters are off by default.
 .Bl -tag -width indent
 .It Va allow.set_hostname
@@ -611,6 +613,8 @@ with non-jailed parts of the system.
 Sockets within a jail are normally restricted to IPv4, IPv6, local
 (UNIX), and route.  This allows access to other protocol stacks that
 have not had jail functionality added to them.
+.It Va allow.reserved_ports
+The jail root may bind to ports lower than 1024. 
 .El
 .El
 .Pp


