Author: jamie
Date: Wed Jun 24 21:39:50 2009
New Revision: 194915
URL: http://svn.freebsd.org/changeset/base/194915

Log:
  In case of prisons with their own network stack, permit
  additional privileges as well as not restricting the type of
  sockets a user can open.
  
  Note: the VIMAGE/vnet feature of jails is still considered
        experimental and cannot guarantee that privileged users
        can be kept imprisoned if enabled.
  
  Reviewed by:  rwatson
  Approved by:  bz (mentor)

Modified:
  head/sys/kern/kern_jail.c

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Wed Jun 24 21:37:38 2009        (r194914)
+++ head/sys/kern/kern_jail.c   Wed Jun 24 21:39:50 2009        (r194915)
@@ -3151,6 +3151,10 @@ prison_check_af(struct ucred *cred, int 
        KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
 
        pr = cred->cr_prison;
+       /* Prisons with their own network stack are not limited. */
+       if (pr->pr_flags & PR_VNET)
+               return (0);
+
        error = 0;
        switch (af)
        {
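Review bot: The new PR_VNET early return in prison_check_af is compiled unconditionally, while the matching PR_VNET logic added to prison_priv_check in the second hunk is wrapped in `#ifdef VIMAGE`; if PR_VNET cannot be set on a non-VIMAGE kernel the test is harmless dead code there, but the asymmetry makes the non-VIMAGE behaviour harder to audit. Either guard this check the same way or extend its comment to state why it is safe to evaluate on every kernel, e.g. `/* Prisons with their own network stack (VIMAGE only) are not limited. */`. The body of prison_check_af continues outside the hunk, so the per-family checks being bypassed are not visible here.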
@@ -3412,6 +3416,130 @@ prison_priv_check(struct ucred *cred, in
        if (!jailed(cred))
                return (0);
 
+#ifdef VIMAGE
+       /*
+        * Privileges specific to prisons with a virtual network stack.
+        * There might be a duplicate entry here in case the privilege
+        * is only granted conditionally in the legacy jail case.
+        */
+       switch (priv) {
+#ifdef notyet
+               /*
+                * NFS-specific privileges.
+                */
+       case PRIV_NFS_DAEMON:
+       case PRIV_NFS_LOCKD:
+#endif
+               /*
+                * Network stack privileges.
+                */
+       case PRIV_NET_BRIDGE:
+       case PRIV_NET_GRE:
+       case PRIV_NET_BPF:
+       case PRIV_NET_RAW:              /* Dup, cond. in legacy jail case. */
+       case PRIV_NET_ROUTE:
+       case PRIV_NET_TAP:
+       case PRIV_NET_SETIFMTU:
+       case PRIV_NET_SETIFFLAGS:
+       case PRIV_NET_SETIFCAP:
+       case PRIV_NET_SETIFNAME :
+       case PRIV_NET_SETIFMETRIC:
+       case PRIV_NET_SETIFPHYS:
+       case PRIV_NET_SETIFMAC:
+       case PRIV_NET_ADDMULTI:
+       case PRIV_NET_DELMULTI:
+       case PRIV_NET_HWIOCTL:
+       case PRIV_NET_SETLLADDR:
+       case PRIV_NET_ADDIFGROUP:
+       case PRIV_NET_DELIFGROUP:
+       case PRIV_NET_IFCREATE:
+       case PRIV_NET_IFDESTROY:
+       case PRIV_NET_ADDIFADDR:
+       case PRIV_NET_DELIFADDR:
+       case PRIV_NET_LAGG:
+       case PRIV_NET_GIF:
+       case PRIV_NET_SETIFVNET:
+
+               /*
+                * 802.11-related privileges.
+                */
+       case PRIV_NET80211_GETKEY:
+#ifdef notyet
+       case PRIV_NET80211_MANAGE:              /* XXX-BZ discuss with sam@ */
+#endif
+
+#ifdef notyet
+               /*
+                * AppleTalk privileges.
+                */
+       case PRIV_NETATALK_RESERVEDPORT:
+
+               /*
+                * ATM privileges.
+                */
+       case PRIV_NETATM_CFG:
+       case PRIV_NETATM_ADD:
+       case PRIV_NETATM_DEL:
+       case PRIV_NETATM_SET:
+
+               /*
+                * Bluetooth privileges.
+                */
+       case PRIV_NETBLUETOOTH_RAW:
+#endif
+
+               /*
+                * Netgraph and netgraph module privileges.
+                */
+       case PRIV_NETGRAPH_CONTROL:
+#ifdef notyet
+       case PRIV_NETGRAPH_TTY:
+#endif
+
+               /*
+                * IPv4 and IPv6 privileges.
+                */
+       case PRIV_NETINET_IPFW:
+       case PRIV_NETINET_DIVERT:
+       case PRIV_NETINET_PF:
+       case PRIV_NETINET_DUMMYNET:
+       case PRIV_NETINET_CARP:
+       case PRIV_NETINET_MROUTE:
+       case PRIV_NETINET_RAW:
+       case PRIV_NETINET_ADDRCTRL6:
+       case PRIV_NETINET_ND6:
+       case PRIV_NETINET_SCOPE6:
+       case PRIV_NETINET_ALIFETIME6:
+       case PRIV_NETINET_IPSEC:
+       case PRIV_NETINET_BINDANY:
+
+#ifdef notyet
+               /*
+                * IPX/SPX privileges.
+                */
+       case PRIV_NETIPX_RESERVEDPORT:
+       case PRIV_NETIPX_RAW:
+
+               /*
+                * NCP privileges.
+                */
+       case PRIV_NETNCP:
+
+               /*
+                * SMB privileges.
+                */
+       case PRIV_NETSMB:
+#endif
+
+       /*
+        * No default: or deny here.
+        * In case of no permit fall through to next switch().
+        */
+               if (cred->cr_prison->pr_flags & PR_VNET)
+                       return (0);
+       }
+#endif /* VIMAGE */
+
        switch (priv) {
 
                /*
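Review bot: The PR_VNET flag is only consulted at the very bottom of the new switch (the `if (cred->cr_prison->pr_flags & PR_VNET)` after the last case label), so every jailed privilege check, vnet or not, first walks the whole list of case labels before learning whether the list applies at all. Testing the flag once and making the switch body an unconditional `return (0);` is clearer and keeps the "No default: or deny here" comment next to the code it describes, e.g. `if (cred->cr_prison->pr_flags & PR_VNET) switch (priv) { ... return (0); }`; that comment block is also indented at case-label level rather than with the statement it explains. Minor style points in the same hunk: `case PRIV_NET_SETIFNAME :` has a stray space before the colon, and the "Dup, cond. in legacy jail case" remark on PRIV_NET_RAW would be easier to keep in sync if it named the condition it duplicates. The enclosing prison_priv_check continues past the hunk into the legacy switch.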