1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-28 08:02:54 +00:00

Jails: Optionally prevent jailed root from binding to privileged ports

You may now optionally specify allow.noreserved_ports to prevent root
inside a jail from using privileged ports (less than 1024)

PR:		217728
Submitted by:	Matt Miller <mattm916@pulsar.neomailbox.ch>
Reviewed by:	jamie, cem, smh
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D10202
This commit is contained in:
Allan Jude 2017-06-06 02:15:00 +00:00
parent 24ffc64926
commit e28f9b7d03
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=319611
3 changed files with 22 additions and 6 deletions

View File

@ -199,6 +199,7 @@ static char *pr_allow_names[] = {
"allow.mount.fdescfs",
"allow.mount.linprocfs",
"allow.mount.linsysfs",
"allow.reserved_ports",
};
const size_t pr_allow_names_size = sizeof(pr_allow_names);
@ -218,10 +219,11 @@ static char *pr_allow_nonames[] = {
"allow.mount.nofdescfs",
"allow.mount.nolinprocfs",
"allow.mount.nolinsysfs",
"allow.noreserved_ports",
};
const size_t pr_allow_nonames_size = sizeof(pr_allow_nonames);
#define JAIL_DEFAULT_ALLOW PR_ALLOW_SET_HOSTNAME
#define JAIL_DEFAULT_ALLOW (PR_ALLOW_SET_HOSTNAME | PR_ALLOW_RESERVED_PORTS)
#define JAIL_DEFAULT_ENFORCE_STATFS 2
#define JAIL_DEFAULT_DEVFS_RSNUM 0
static unsigned jail_default_allow = JAIL_DEFAULT_ALLOW;
@ -3304,10 +3306,17 @@ prison_priv_check(struct ucred *cred, int priv)
return (EPERM);
/*
* Allow jailed root to bind reserved ports and reuse in-use
* ports.
* Conditionally allow jailed root to bind reserved ports.
*/
case PRIV_NETINET_RESERVEDPORT:
if (cred->cr_prison->pr_allow & PR_ALLOW_RESERVED_PORTS)
return (0);
else
return (EPERM);
/*
* Allow jailed root to reuse in-use ports.
*/
case PRIV_NETINET_REUSEPORT:
return (0);
@ -3788,6 +3797,8 @@ SYSCTL_JAIL_PARAM(_allow, quotas, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may set file quotas");
SYSCTL_JAIL_PARAM(_allow, socket_af, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may create sockets other than just UNIX/IPv4/IPv6/route");
SYSCTL_JAIL_PARAM(_allow, reserved_ports, CTLTYPE_INT | CTLFLAG_RW,
"B", "Jail may bind sockets to reserved ports");
SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,

View File

@ -230,7 +230,8 @@ struct prison_racct {
#define PR_ALLOW_MOUNT_FDESCFS 0x1000
#define PR_ALLOW_MOUNT_LINPROCFS 0x2000
#define PR_ALLOW_MOUNT_LINSYSFS 0x4000
#define PR_ALLOW_ALL 0x7fff
#define PR_ALLOW_RESERVED_PORTS 0x8000
#define PR_ALLOW_ALL 0xffff
/*
* OSD methods

View File

@ -25,7 +25,7 @@
.\"
.\" $FreeBSD$
.\"
.Dd April 30, 2016
.Dd June 5, 2017
.Dt JAIL 8
.Os
.Sh NAME
@ -483,7 +483,9 @@ and uname -K.
Some restrictions of the jail environment may be set on a per-jail
basis.
With the exception of
.Va allow.set_hostname ,
.Va allow.set_hostname
and
.Va allow.reserved_ports ,
these boolean parameters are off by default.
.Bl -tag -width indent
.It Va allow.set_hostname
@ -611,6 +613,8 @@ with non-jailed parts of the system.
Sockets within a jail are normally restricted to IPv4, IPv6, local
(UNIX), and route. This allows access to other protocol stacks that
have not had jail functionality added to them.
.It Va allow.reserved_ports
The jail root may bind to ports lower than 1024.
.El
.El
.Pp