| field | value | date |
|---|---|---|
| author | bz <bz@FreeBSD.org> | 2009-01-09 21:57:49 +0000 |
| committer | bz <bz@FreeBSD.org> | 2009-01-09 21:57:49 +0000 |
| commit | ffd24214075016efd0b3aac50a2a5127600c3a77 (patch) | |
| tree | 81cfbe8d787e92899aba974fc233f3ae9a1d16a6 /sys/netinet/in.c | |
| parent | cfaeba182119e176d612c86eb266960a42314107 (diff) | |
Restrict arp, ndp and theoretically the FIB listing (if not
read with libkvm) to the addresses of a prison, when inside a
jail. [1]
As the patch from the PR was pre-'new-arp', add checks to the
llt_dump handlers as well.
While touching RTM_GET in route_output(), consistently use
curthread credentials rather than the creds from the socket
there. [2]
PR: kern/68189
Submitted by: Mark Delany <sxcg2-fuwxj@qmda.emu.st> [1]
Discussed with: rwatson [2]
Reviewed by: rwatson
MFC after: 4 weeks
Diffstat (limited to 'sys/netinet/in.c')
-rw-r--r-- | sys/netinet/in.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 18a3155..aaad7d5 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -1201,6 +1201,10 @@ in_lltable_dump(struct lltable *llt, struct sysctl_req *wr) /* skip deleted entries */ if ((lle->la_flags & (LLE_DELETED|LLE_VALID)) != LLE_VALID) continue; + /* Skip if jailed and not a valid IP of the prison. */ + if (jailed(wr->td->td_ucred) && + !prison_if(wr->td->td_ucred, L3_ADDR(lle))) + continue; /* * produce a msg made of: * struct rt_msghdr; |
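Review bot: the new `jailed(wr->td->td_ucred)` test in in_lltable_dump() is loop-invariant but is re-evaluated for every lle that survives the LLE_DELETED/LLE_VALID check; hoist `struct ucred *cred = wr->td->td_ucred;` and the `jailed(cred)` result above the loop so the per-entry cost for unjailed callers is zero and only jailed callers pay for prison_if() on each entry. The hunk also dereferences `wr->td` without a comment stating that the sysctl request always carries a thread; since the credential choice is the point of the change (the commit message's [2] says curthread credentials are used deliberately), a one-line comment naming that assumption next to the check would make the trust decision auditable. Behaviourally the filter is a silent skip, not an error: a jailed caller sees only entries whose L3_ADDR(lle) prison_if() accepts for its prison, and entries for other addresses on the same interface simply do not appear, which matches the intent stated in the commit message and is the right failure mode for a listing call.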