FreeBSD Bugzilla – Attachment 180751 Details for
Bug 217728
[patch] restrict access to reserved ports in jails
[patch]
patch to add the allow.reserved_ports option to jail(8)
jail-allow-reserved-ports.diff (text/plain), 3.78 KB, created by
Matt Miller
on 2017-03-12 17:00:01 UTC
>Index: sys/kern/kern_jail.c
>===================================================================
>--- sys/kern/kern_jail.c (revision 315076)
>+++ sys/kern/kern_jail.c (working copy)
>@@ -199,6 +199,7 @@
> "allow.mount.fdescfs",
> "allow.mount.linprocfs",
> "allow.mount.linsysfs",
>+ "allow.reserved_ports",
> };
> const size_t pr_allow_names_size = sizeof(pr_allow_names);
>
>@@ -218,10 +219,11 @@
> "allow.mount.nofdescfs",
> "allow.mount.nolinprocfs",
> "allow.mount.nolinsysfs",
>+ "allow.noreserved_ports",
> };
> const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
>
>-#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
>+#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
> #define JAIL_DEFAULT_ENFORCE_STATFS 2
> #define JAIL_DEFAULT_DEVFS_RSNUM 0
> static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
>@@ -3304,10 +3306,17 @@
> return (EPERM);
>
> /*
>- * Allow jailed root to bind reserved ports and reuse in-use
>- * ports.
>+ * Conditionally allow jailed root to bind reserved ports.
> */
> case PRIV_NETINET_RESERVEDPORT:
>+ if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
>+ return (0);
>+ else
>+ return (EPERM);
>+
>+ /*
>+ * Allow jailed root to reuse in-use ports.
>+ */
> case PRIV_NETINET_REUSEPORT:
> return (0);
>
>@@ -3788,6 +3797,8 @@
> "B", "Jail may set file quotas");
> SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
> "B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
>+SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
>+ "B", "Jail may bind sockets to reserved ports");
>
> SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
> SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
>Index: sys/sys/jail.h
>===================================================================
>--- sys/sys/jail.h (revision 315076)
>+++ sys/sys/jail.h (working copy)
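Review bot: `JAIL_DEFAULT_ALLOW` now includes `PR_ALLOW_RESERVED_PORTS` without a comment saying why a permission bit is on by default, so the restriction this patch introduces is opt-in. A jail only loses low-port binding when it is explicitly configured with `allow.noreserved_ports`, and `jail_default_allow` on the following line is initialised from this define. That keeps existing jails working, but the intent should be recorded above the define, for example `/* reserved_ports stays in the default set to preserve earlier behaviour; clear it per jail to restrict */`. Anyone relying on this for least privilege should not assume the new parameter tightens jails by itself.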
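Review bot: The new `PRIV_NETINET_RESERVEDPORT` case ends in `else return (EPERM);`, where the `else` after a `return` is redundant, and its comment does not name the parameter that controls the decision. I would drop the `else` so the tail is a plain `return (EPERM);`, and change the comment to `Allow jailed root to bind reserved ports only when allow.reserved_ports is set for the jail.` The range this privilege gates is the host's reserved-port range (tunable through `net.inet.ip.portrange.reservedlow`/`reservedhigh`, as far as I know), so the jail.8 wording "lower than 1024" elsewhere in this patch describes only the default. The enclosing switch and function start and end outside the hunk.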
>@@ -230,7 +230,8 @@
> #define PR_ALLOW_MOUNT_FDESCFS 0x1000
> #define PR_ALLOW_MOUNT_LINPROCFS 0x2000
> #define PR_ALLOW_MOUNT_LINSYSFS 0x4000
>-#define PR_ALLOW_ALL 0x7fff
>+#define PR_ALLOW_RESERVED_PORTS 0x8000
>+#define PR_ALLOW_ALL 0xffff
>
> /*
> * OSD methods
>Index: usr.sbin/jail/config.c
>===================================================================
>--- usr.sbin/jail/config.c (revision 315076)
>+++ usr.sbin/jail/config.c (working copy)
>@@ -98,6 +98,7 @@
> [IP__OP] = {NULL, PF_CONV},
> [KP_ALLOW_CHFLAGS] = {"allow.chflags", 0},
> [KP_ALLOW_MOUNT] = {"allow.mount", 0},
>+ [KP_ALLOW_RESERVED_PORTS]= {"allow.reserved_ports",0},
> [KP_ALLOW_RAW_SOCKETS] = {"allow.raw_sockets", 0},
> [KP_ALLOW_SET_HOSTNAME]= {"allow.set_hostname", 0},
> [KP_ALLOW_SOCKET_AF] = {"allow.socket_af", 0},
>Index: usr.sbin/jail/jail.8
>===================================================================
>--- usr.sbin/jail/jail.8 (revision 315076)
>+++ usr.sbin/jail/jail.8 (working copy)
>@@ -483,7 +483,9 @@
> Some restrictions of the jail environment may be set on a per-jail
> basis.
> With the exception of
>-.Va allow.set_hostname ,
>+.Va allow.set_hostname
>+and
>+.Va allow.reserved_ports ,
> these boolean parameters are off by default.
> .Bl -tag -width indent
> .It Va allow.set_hostname
>@@ -611,6 +613,8 @@
> Sockets within a jail are normally restricted to IPv4, IPv6, local
> (UNIX), and route. This allows access to other protocol stacks that
> have not had jail functionality added to them.
>+.It Va allow.reserved_ports
>+The jail root may bind to ports lower than 1024.
> .El
> .El
> .Pp
>Index: usr.sbin/jail/jailp.h
>===================================================================
>--- usr.sbin/jail/jailp.h (revision 315076)
>+++ usr.sbin/jail/jailp.h (working copy)
>@@ -116,6 +116,7 @@
> KP_ALLOW_SET_HOSTNAME,
> KP_ALLOW_SOCKET_AF,
> KP_ALLOW_SYSVIPC,
>+ KP_ALLOW_RESERVED_PORTS,
> KP_DEVFS_RULESET,
> KP_ENFORCE_STATFS,
> KP_HOST_HOSTNAME,
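Review bot: `PR_ALLOW_RESERVED_PORTS 0x8000` and the widened `PR_ALLOW_ALL 0xffff` are hand-maintained values, and nothing in the header ties them to the name tables in kern_jail.c. The kern_jail.c hunks append "allow.reserved_ports" and "allow.noreserved_ports" directly after the linsysfs entries, which matches bit 15 if those arrays are indexed by bit position, as the ordering suggests. A comment above the block would make that coupling explicit, for example `/* Bit N corresponds to entry N of pr_allow_names[]/pr_allow_nonames[]; extend PR_ALLOW_ALL when adding a flag. */`. A mismatch here would make a jail parameter toggle a different permission than its name says, so it is worth guarding with a compile-time size check next to the arrays if the tree has one available.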
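Review bot: The new `KP_ALLOW_RESERVED_PORTS` entry sits before `KP_ALLOW_RAW_SOCKETS` in the config.c table but after `KP_ALLOW_SYSVIPC` in the jailp.h enum hunk, so neither list keeps the alphabetical order its neighbouring `KP_ALLOW_*` entries follow. Placing it between `KP_ALLOW_RAW_SOCKETS` and `KP_ALLOW_SET_HOSTNAME` in both files would keep the two lists parallel. The table uses designated initialisers, so this is a readability point and not a functional one. Both the initialiser list and the enum start and end outside their hunks.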