authorbz <bz@FreeBSD.org>2009-01-09 21:57:49 +0000
committerbz <bz@FreeBSD.org>2009-01-09 21:57:49 +0000
commitffd24214075016efd0b3aac50a2a5127600c3a77 (patch)
tree81cfbe8d787e92899aba974fc233f3ae9a1d16a6 /sys/netinet6/in6.c
parentcfaeba182119e176d612c86eb266960a42314107 (diff)
Restrict arp, ndp and theoretically the FIB listing (if not
read with libkvm) to the addresses of a prison, when inside a jail. [1] As the patch from the PR was pre-'new-arp', add checks to the llt_dump handlers as well. While touching RTM_GET in route_output(), consistently use curthread credentials rather than the creds from the socket there. [2] PR: kern/68189 Submitted by: Mark Delany <sxcg2-fuwxj@qmda.emu.st> [1] Discussed with: rwatson [2] Reviewed by: rwatson MFC after: 4 weeks
Diffstat (limited to 'sys/netinet6/in6.c')
-rw-r--r--sys/netinet6/in6.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index e36c2dd..b7c5111 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -2240,6 +2240,10 @@ in6_lltable_dump(struct lltable *llt, struct sysctl_req *wr)
/* skip deleted or invalid entries */
if ((lle->la_flags & (LLE_DELETED|LLE_VALID)) != LLE_VALID)
continue;
+ /* Skip if jailed and not a valid IP of the prison. */
+ if (jailed(wr->td->td_ucred) &&
+ !prison_if(wr->td->td_ucred, L3_ADDR(lle)))
+ continue;
/*
* produce a msg made of:
* struct rt_msghdr;
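Review bot: The new skip in in6_lltable_dump() hinges on the return convention of prison_if(), which is not visible in this hunk: `!prison_if(wr->td->td_ucred, L3_ADDR(lle))` hides entries outside the jail only if prison_if() returns non-zero for an address that belongs to the prison. If it instead follows a 0-on-success convention, the test is inverted and a jailed reader would be shown exactly the neighbour entries the commit means to withhold, so the convention should be confirmed against the definition and stated at the call site, for example `/* prison_if() != 0: address belongs to this prison */`. The commit message says the same check goes into the other llt_dump handlers, which are not shown here and would need the same confirmation. The function body and the enclosing loop start and end outside the hunk.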