Date:      Mon, 10 Dec 2018 09:34:49 -0700
From:      James Gritton <jamie@freebsd.org>
To:        Cédric Maunoury <cedric.maunoury@gmail.com>
Cc:        freebsd-jail@freebsd.org, owner-freebsd-jail@freebsd.org
Subject:   Re: setfib allowed in jail
Message-ID:  <355cf761f1421e942941d5dee7569019@freebsd.org>
In-Reply-To: <B9D3F667-4F73-4163-B0DD-30BCEDA0EE0D@gmail.com>
References:  <B9D3F667-4F73-4163-B0DD-30BCEDA0EE0D@gmail.com>

On 2018-12-09 13:11, Cédric Maunoury wrote:
> Hello everyone,
> 
> It’s my first mail on this mailing list... Thus, please forgive me if
> I do something wrong :)
> 
> I was playing on a FreeBSD 11.2 with jails and I was surprised to be
> able to successfully launch setfib from inside a jail... that means I
> can use another routing table than the one configured in the jail
> configuration file.
> 
> To me, it should be forbidden. The patch would be to add the following
> lines at the beginning of the function sys_setfib (sys/net/route.c) -
> not tested :
> ——
> if jailed(td->td_ucred)
>   return EPERM
> ——

If a jail isn't restricted to a particular FIB, then there should be no 
restriction on this system call.  So you would need to not only check if 
the process is jailed, but if that jail has its FIB restricted.  And 
that's where things take an unexpected turn: *no* jails have their FIBs 
restricted.

The exec.fib parameter, like all of exec.*, is among the 
pseudo-parameters that don't actually set anything in the jail but are 
just a convenience in setting up the jail creation environment.  In 
particular, if set it calls setfib(2) before executing anything inside 
the jail.  It never actually associated an FIB with the jail itself.

That doesn't mean there's no advantage to changing jails to have an FIB 
associated with them.  It's already an issue, in that jexec(8) isn't 
aware of these pseudo-parameters, and doesn't call setfib(2) before 
entering the jail.  It would make sense not only to do that, but also to 
be able to restrict a jail to a particular FIB.

- Jamie
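
The gap described above (exec.fib is applied only when jail(8) sets up the jail, so a process entered with jexec(8) stays on the caller's FIB) can be worked around from the host by setting the FIB before entering. The script below is an added example, not code from this thread or from FreeBSD: the helper names `fib_for_jail` and `jexec_cmd` and the sample configuration are hypothetical, the parser handles only one parameter per line with no wildcards or variables, and it assumes the FIB set by setfib(1) is kept when jexec enters the jail. As the message says, this does not confine the jail to that FIB.

```shell
#!/bin/sh
# Added example, not from the thread. Deliberately narrow jail.conf reader:
# one parameter per line, "name {" opens a block, "}" closes it.

# fib_for_jail FILE JAIL: print the exec.fib that applies to JAIL (empty if none).
fib_for_jail() {
    awk -v jail="$2" '
        { sub(/#.*$/, "") }                               # drop comments
        cur == "" && /^[ \t]*[A-Za-z0-9_.-]+[ \t]*\{/ {   # "name {" opens a jail block
            cur = $0
            sub(/^[ \t]*/, "", cur); sub(/[ \t]*\{.*$/, "", cur)
        }
        /exec\.fib[ \t]*=/ {
            v = $0
            sub(/^.*exec\.fib[ \t]*=[ \t]*/, "", v); gsub(/[" \t;]/, "", v)
            if (cur == "") glob = v; else if (cur == jail) own = v
        }
        /\}/ { cur = "" }                                 # block closed
        END { print (own != "" ? own : glob) }            # per-jail value wins
    ' "$1"
}

# jexec_cmd FILE JAIL CMD...: print the command line that enters JAIL on the
# FIB named by exec.fib, or a plain jexec if no numeric exec.fib applies.
jexec_cmd() {
    conf=$1; jail=$2; shift 2
    fib=$(fib_for_jail "$conf" "$jail")
    case $fib in
        ''|*[!0-9]*) echo "jexec $jail $*" ;;
        *)           echo "setfib $fib jexec $jail $*" ;;
    esac
}

# Constructed sample configuration (not from the thread).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
exec.fib = 0;          # global default
web {
    path = "/jails/web";
    exec.fib = "1";
}
db {
    path = "/jails/db";
}
EOF
jexec_cmd "$SAMPLE_CONF" web /bin/sh
jexec_cmd "$SAMPLE_CONF" db /bin/sh
```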


