authorbz <bz@FreeBSD.org>2011-03-02 21:39:08 +0000
committerbz <bz@FreeBSD.org>2011-03-02 21:39:08 +0000
commit209ebad7afe0e7749d0576ce93225b05fbbd0322 (patch)
tree30a6d1098a34879754cd4af6e0ce4afe1edb786b /sys/net/if_gif.c
parentd456b2027b593444bd9b87f1422f78b394761f3b (diff)
Hide the outer IP addresses of tunnel interfaces (gif(4), gre(4))
from processes inside jails if the addresses do not belong to the jail. Originally reported by: Pieter de Boer via remko PR: kern/151119 Tested by: Piotr KUCHARSKI (nospam 42.pl) [gif] MFC after: 1 week
Diffstat (limited to 'sys/net/if_gif.c')
-rw-r--r--sys/net/if_gif.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index 7683839..4a8df34 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -35,6 +35,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
@@ -817,6 +818,12 @@ gif_ioctl(ifp, cmd, data)
}
if (src->sa_len > size)
return EINVAL;
+ error = prison_if(curthread->td_ucred, src);
+ if (error != 0)
+ return (error);
+ error = prison_if(curthread->td_ucred, dst);
+ if (error != 0)
+ return (error);
bcopy((caddr_t)src, (caddr_t)dst, src->sa_len);
#ifdef INET6
if (dst->sa_family == AF_INET6) {
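Review bot: The second added check passes `dst` to prison_if() before the `bcopy()` on the next line has filled it, so it evaluates whatever bytes the caller left in the output buffer rather than an address held by the tunnel. The decision then depends on caller-supplied data instead of kernel state, and the `src` check alone appears to cover the address this path actually discloses. I would drop the `dst` check here, or apply it to the stored peer address in whichever branch returns that one, and put a comment such as `/* Do not disclose outer addresses that are not visible in the caller's jail. */` above the remaining check. gif_ioctl() starts and ends outside this hunk, so it cannot be confirmed from here which ioctl case this is or whether the other cases that return outer addresses carry the same check.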