| author | csjp <csjp@FreeBSD.org> | 2004-08-21 17:38:57 +0000 |
|---|---|---|
| committer | csjp <csjp@FreeBSD.org> | 2004-08-21 17:38:57 +0000 |
| commit | 657b6f650c97ec6e28dbd41f3a5baaf2da4f29b2 (patch) | |
| tree | d9657877b873a08307b6bdb9bcba6755051cef81 | |
| parent | 56ad5a3d5e2da4f2c312a20ace62e0e24ad77d9e (diff) | |
When a prison is given the ability to create raw sockets (when the
security.jail.allow_raw_sockets sysctl MIB is set to 1) where privileged
access to jails is given out, it is possible for prison root to manipulate
various network parameters which affect the host environment. This commit
plugs a number of security holes associated with the use of raw sockets
and prisons.
This commit makes the following changes:
- Add a comment to rtioctl warning developers that if they add
any ioctl commands, they should use super-user checks where necessary,
as it is possible for PRISON root to make it this far in execution.
- Add super-user checks for the execution of the SIOCGETVIFCNT
and SIOCGETSGCNT IP multicast ioctl commands.
- Add a super-user check to rip_ctloutput(). If the calling cred
is PRISON root, make sure the socket option name is IP_HDRINCL,
otherwise deny the request.
Although this patch corrects a number of security problems associated
with raw sockets and prisons, the warning in jail(8) should still
apply, and by default we should keep the default value of
security.jail.allow_raw_sockets MIB to 0 (or disabled) until
we are certain that we have tracked down all the problems.
Looking forward, we will probably want to eliminate the
references to curthread.
This may be a MFC candidate for RELENG_5.
Reviewed by: rwatson
Approved by: bmilekic (mentor)
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sys/net/route.c | 7 |
| -rw-r--r-- | sys/netinet/ip_mroute.c | 8 |
| -rw-r--r-- | sys/netinet/raw_ip.c | 10 |

3 files changed, 25 insertions, 0 deletions
diff --git a/sys/net/route.c b/sys/net/route.c index c6c8b57..f2db78c 100644 --- a/sys/net/route.c +++ b/sys/net/route.c @@ -416,6 +416,13 @@ out: int rtioctl(u_long req, caddr_t data) { + + /* + * If more ioctl commands are added here, make sure the proper + * super-user checks are being performed because it is possible for + * prison-root to make it this far if raw sockets have been enabled + * in jails. + */ #ifdef INET /* Multicast goop, grrr... */ return mrt_ioctl ? mrt_ioctl(req, data) : EOPNOTSUPP; diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c index b0490a4..94781e0 100644 --- a/sys/netinet/ip_mroute.c +++ b/sys/netinet/ip_mroute.c @@ -526,6 +526,14 @@ X_mrt_ioctl(int cmd, caddr_t data) { int error = 0; + /* + * Currently the only function calling this ioctl routine is rtioctl(). + * Typically, only root can create the raw socket in order to execute + * this ioctl method, however the request might be coming from a prison + */ + error = suser(curthread); + if (error) + return (error); switch (cmd) { case (SIOCGETVIFCNT): error = get_vif_cnt((struct sioc_vif_req *)data); diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index f8796f1..96e9b0a 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -344,6 +344,16 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt) if (sopt->sopt_level != IPPROTO_IP) return (EINVAL); + /* + * Even though super-user is required to create a raw socket, the + * calling cred could be prison root. If so we want to restrict the + * access to IP_HDRINCL only. + */ + if (sopt->sopt_name != IP_HDRINCL) { + error = suser(curthread); + if (error != 0) + return (error); + } error = 0; switch (sopt->sopt_dir) { |
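Review bot: In the sys/net/route.c hunk, a comment does not enforce anything, and rtioctl() is the single entry point for every handler that may be dispatched from here, so the super-user check would be better placed in rtioctl() itself (before the `#ifdef INET` dispatch to mrt_ioctl) rather than relying on each future handler to remember it; as written, a new handler added without its own suser() call would be reachable by prison root exactly as the comment warns. Minor style point: the hunk also adds a stray blank `+` line between the opening brace and the comment.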
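Review bot: In the sys/netinet/ip_mroute.c hunk, the check is `error = suser(curthread);` because rtioctl(u_long req, caddr_t data) passes no thread or cred down to X_mrt_ioctl(), so the handler has no choice but to consult curthread; threading a `struct thread *` through rtioctl()/mrt_ioctl() would let the caller's cred be checked explicitly and would address the curthread concern the commit message itself flags. Placing the check before `switch (cmd)` is the right choice, since it covers SIOCGETSGCNT and any later command as well as the SIOCGETVIFCNT case visible here. Documentation nit: the comment's last sentence ("however the request might be coming from a prison") is missing its terminating period.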
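Review bot: In the sys/netinet/raw_ip.c hunk, the `if (sopt->sopt_name != IP_HDRINCL)` guard sits before `switch (sopt->sopt_dir)`, so it restricts both getsockopt and setsockopt for every option other than IP_HDRINCL; the comment should say so explicitly, since "restrict the access to IP_HDRINCL only" could be read as applying to set operations only. Also, `error = 0;` immediately after the new block is now redundant on the success path (suser() already returned 0 into error when the branch was taken), though it is harmless and keeps the original control flow intact.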