
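--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -199,6 +199,7 @@
 	"allow.mount.fdescfs",
 	"allow.mount.linprocfs",
 	"allow.mount.linsysfs",
+	"allow.reserved_ports",
 };
 const size_t pr_allow_names_size = sizeof(pr_allow_names);
 
@@ -218,10 +219,11 @@
 	"allow.mount.nofdescfs",
 	"allow.mount.nolinprocfs",
 	"allow.mount.nolinsysfs",
+	"allow.noreserved_ports",
 };
 const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
 
-#define	JAIL_DEFAULT_ALLOW		PR_ALLOW_SET_HOSTNAME
+#define	JAIL_DEFAULT_ALLOW		(PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
 #define	JAIL_DEFAULT_ENFORCE_STATFS	2
 #define	JAIL_DEFAULT_DEVFS_RSNUM	0
 static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
@@ -3304,10 +3306,17 @@
 			return (EPERM);
 
 		/*
-		 * Allow jailed root to bind reserved ports and reuse in-use
-		 * ports.
+		 * Conditionally allow jailed root to bind reserved ports.
 		 */
 	case PRIV_NETINET_RESERVEDPORT:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
+			return (0);
+		else
+			return (EPERM);
+
+		/*
+		 * Allow jailed root to reuse in-use ports.
+		 */
 	case PRIV_NETINET_REUSEPORT:
 		return (0);
 
@@ -3788,6 +3797,8 @@
     "B", "Jail may set file quotas");
 SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
     "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
+SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may bind sockets to reserved ports");
 
 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,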
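Review bot: The new `PR_ALLOW_RESERVED_PORTS` test in the `PRIV_NETINET_RESERVEDPORT` case restricts nothing by default, because `JAIL_DEFAULT_ALLOW` is widened to include the bit in the same patch; a jail loses the privilege only where the administrator sets `allow.noreserved_ports`. The comment over the case says only "Conditionally", so it should record the default, for example `Allow jailed root to bind reserved ports unless allow.reserved_ports has been cleared for this jail (it is set by default).` The enclosing switch begins and ends outside the hunk, so whether another case grants the same privilege cannot be checked from here.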
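--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -230,7 +230,8 @@
 #define	PR_ALLOW_MOUNT_FDESCFS		0x1000
 #define	PR_ALLOW_MOUNT_LINPROCFS	0x2000
 #define	PR_ALLOW_MOUNT_LINSYSFS		0x4000
-#define	PR_ALLOW_ALL			0x7fff
+#define	PR_ALLOW_RESERVED_PORTS		0x8000
+#define	PR_ALLOW_ALL			0xffff
 
 /*
  * OSD methods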
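Review bot: `PR_ALLOW_ALL` is a hand-written mask that has to move from `0x7fff` to `0xffff` by hand, and nothing in this block ties the flag order to the `pr_allow_names[]` and `pr_allow_nonames[]` tables in kern_jail.c, which the patch extends at the same position. If those tables are indexed by bit number (it looks that way from the patch, but the lookup code is not shown), a flag added in one file and not the other would attach a permission name to the wrong bit. A comment above the definitions such as `/* Keep in bit order with pr_allow_names[] and pr_allow_nonames[] in kern_jail.c, and update PR_ALLOW_ALL. */` would make the coupling explicit. The list of flags starts outside the hunk.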
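--- a/usr.sbin/jail/config.c
+++ b/usr.sbin/jail/config.c
@@ -98,6 +98,7 @@
     [IP__OP] =			{NULL,			PF_CONV},
     [KP_ALLOW_CHFLAGS] =	{"allow.chflags",	0},
     [KP_ALLOW_MOUNT] =		{"allow.mount",		0},
+    [KP_ALLOW_RESERVED_PORTS]=	{"allow.reserved_ports",0},
     [KP_ALLOW_RAW_SOCKETS] =	{"allow.raw_sockets",	0},
     [KP_ALLOW_SET_HOSTNAME]=	{"allow.set_hostname",	0},
     [KP_ALLOW_SOCKET_AF] =	{"allow.socket_af",	0},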
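Review bot: The `[KP_ALLOW_RESERVED_PORTS]` row is inserted between `allow.mount` and `allow.raw_sockets`, while the matching enumerator in jailp.h is added after `KP_ALLOW_SYSVIPC`, so the two lists no longer agree with each other or with the alphabetical order the visible `KP_ALLOW_*` entries follow. The designated initializer makes the position harmless at run time, so this is a point of style only: put the row after the `allow.raw_sockets` row here and the enumerator before `KP_ALLOW_SET_HOSTNAME` in jailp.h. Nothing in the patch reads `KP_ALLOW_RESERVED_PORTS`, so it is also worth confirming that jail(8) needs an internal parameter slot for it at all. The table starts and ends outside the hunk.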
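--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@@ -483,7 +483,9 @@
 Some restrictions of the jail environment may be set on a per-jail
 basis.
 With the exception of
-.Va allow.set_hostname ,
+.Va allow.set_hostname 
+and
+.Va allow.reserved_ports ,
 these boolean parameters are off by default.
 .Bl -tag -width indent
 .It Va allow.set_hostname
@@ -611,6 +613,8 @@
 Sockets within a jail are normally restricted to IPv4, IPv6, local
 (UNIX), and route.  This allows access to other protocol stacks that
 have not had jail functionality added to them.
+.It Va allow.reserved_ports
+The jail root may bind to ports lower than 1024. 
 .El
 .El
 .Pp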
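--- a/usr.sbin/jail/jailp.h
+++ b/usr.sbin/jail/jailp.h
@@ -116,6 +116,7 @@
 	KP_ALLOW_SET_HOSTNAME,
 	KP_ALLOW_SOCKET_AF,
 	KP_ALLOW_SYSVIPC,
+	KP_ALLOW_RESERVED_PORTS,
 	KP_DEVFS_RULESET,
 	KP_ENFORCE_STATFS,
 	KP_HOST_HOSTNAME,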
