setfib allowed in jail


setfib allowed in jail

Cédric Maunoury
Hello everyone,

It’s my first mail on this mailing list... Thus, please forgive me if I do something wrong :)

I was playing on a FreeBSD 11.2 with jails and I was surprised to be able to successfully launch setfib from inside a jail... that means I can use another routing table than the one configured in the jail configuration file.

To me, it should be forbidden. The patch would be to add the following lines at the beginning of the function sys_setfib (sys/net/route.c) - not tested :
——
if (jailed(td->td_ucred))   /* caller's ucred belongs to a jail */
  return (EPERM);
——

Thanks,

Cédric
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
Re: setfib allowed in jail

James Gritton-2
On 2018-12-09 13:11, Cédric Maunoury wrote:

> Hello everyone,
>
> It’s my first mail on this mailing list... Thus, please forgive me if
> I do something wrong :)
>
> I was playing on a FreeBSD 11.2 with jails and I was surprised to be
> able to successfully launch setfib from inside a jail... that means I
> can use another routing table than the one configured in the jail
> configuration file.
>
> To me, it should be forbidden. The patch would be to add the following
> lines at the beginning of the function sys_setfib (sys/net/route.c) -
> not tested :
> ——
> if (jailed(td->td_ucred))   /* caller's ucred belongs to a jail */
>   return (EPERM);
> ——

If a jail isn't restricted to a particular FIB, then there should be no
restriction on this system call.  So you would need to not only check if
the process is jailed, but if that jail has its FIB restricted.  And
that's where things take an unexpected turn: *no* jails have their FIBs
restricted.

The exec.fib parameter, like all of exec.*, is among the
pseudo-parameters that don't actually set anything in the jail but are
just a convenience in setting up the jail creation environment.  In
particular, if set, it calls setfib(2) before executing anything inside
the jail.  It never actually associates a FIB with the jail itself.

That doesn't mean there's no advantage to changing jails to have an FIB
associated with them.  It's already an issue, in that jexec(8) isn't
aware of these pseudo-parameters, and doesn't call setfib(2) before
entering the jail.  It would make sense not only to do that, but also to
be able to restrict a jail to a particular FIB.

- Jamie
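The difference between the two checks discussed in this thread, as an added user-space model written for this page; it is not FreeBSD kernel code and not code from either poster. `jailed(td->td_ucred)` and the FIB range check (`EINVAL` for a FIB outside `net.fibs`) correspond to what the real `sys_setfib` has; the `jail_fib` field and the `FIB_UNRESTRICTED` marker are hypothetical, standing in for the per-jail FIB attribute that Jamie notes jails do not currently carry.

```c
/*
 * Added example: a user-space model of the two setfib(2) policies from
 * the thread. Not kernel code. The "jail_fib" field is hypothetical:
 * FreeBSD jails (as discussed above) have no FIB associated with them,
 * so a real implementation would first have to add such an attribute.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define FIB_UNRESTRICTED (-1)   /* hypothetical: jail is not pinned to a FIB */

struct model_cred {
    bool jailed;    /* models jailed(td->td_ucred) */
    int  jail_fib;  /* hypothetical per-jail FIB, or FIB_UNRESTRICTED */
};

/* Common prefix: setfib(2) rejects a FIB number outside [0, net.fibs). */
static int fib_in_range(int fib, int nfibs)
{
    return (fib >= 0 && fib < nfibs) ? 0 : EINVAL;
}

/* Cédric's proposal: any jailed caller is refused, regardless of FIB. */
int setfib_check_jailed_only(const struct model_cred *cr, int fib, int nfibs)
{
    int error = fib_in_range(fib, nfibs);
    if (error != 0)
        return error;
    if (cr->jailed)
        return EPERM;
    return 0;
}

/* Jamie's refinement: refuse only when the jail is restricted to a FIB
 * and the caller asks for a different one. A jail with no FIB
 * restriction (today: every jail) keeps full use of setfib(2). */
int setfib_check_restricted(const struct model_cred *cr, int fib, int nfibs)
{
    int error = fib_in_range(fib, nfibs);
    if (error != 0)
        return error;
    if (cr->jailed && cr->jail_fib != FIB_UNRESTRICTED && fib != cr->jail_fib)
        return EPERM;
    return 0;
}

int main(void)
{
    const int nfibs = 4;  /* constructed value, as if net.fibs=4 */
    const struct model_cred creds[] = {
        { false, FIB_UNRESTRICTED },  /* host process */
        { true,  FIB_UNRESTRICTED },  /* jailed, jail has no FIB attribute */
        { true,  1 },                 /* jailed, hypothetical jail pinned to FIB 1 */
    };
    const char *names[] = { "host", "jail/unrestricted", "jail/fib=1" };

    for (int c = 0; c < 3; c++)
        for (int fib = 0; fib <= nfibs; fib++)
            printf("%-18s setfib(%d): jailed-only=%d restricted=%d\n",
                   names[c], fib,
                   setfib_check_jailed_only(&creds[c], fib, nfibs),
                   setfib_check_restricted(&creds[c], fib, nfibs));
    return 0;
}
```

The model makes Jamie's point mechanical: with only `jailed()` available, the kernel cannot distinguish a jail that should be pinned to a FIB from one that should not, so the jailed-only check either blocks every jail or nothing. On FreeBSD the original observation is reproducible with setfib(1) from inside a jail entered via jexec(8), since, as noted above, jexec(8) does not honour exec.fib.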