diff options
| author | bz <bz@FreeBSD.org> | 2009-12-28 14:40:58 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2009-12-28 14:40:58 +0000 |
| commit | 11fd663e35cd3983dcc1f4c8ad16df25a555089c (patch) | |
| tree | aad0882289b1fbceebc45e846c5f3cd55df34ed3 /sys/netinet6/raw_ip6.c | |
| parent | dc0dae367e0a62c520a6859bb2fead3fcdddbf51 (diff) | |
| download | FreeBSD-src-11fd663e35cd3983dcc1f4c8ad16df25a555089c.zip FreeBSD-src-11fd663e35cd3983dcc1f4c8ad16df25a555089c.tar.gz | |
MFC r200473:
Throughout the network stack we have a few places of
if (jailed(cred))
left. If you are running with a vnet (virtual network stack) those will
return true and defer you to classic IP-jails handling and thus things
will be "denied" or returned with an error.
Work around this problem by introducing another "jailed()" function,
jailed_without_vnet(), that also takes vnets into account, and permits
the calls, should the jail from the given cred have its own virtual
network stack.
We cannot change the classic jailed() call to do that, as it is used
outside the network stack as well.
Discussed with: julian, zec, jamie, rwatson (back in Sept)
Diffstat (limited to 'sys/netinet6/raw_ip6.c')
| -rw-r--r-- | sys/netinet6/raw_ip6.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 335eff5..9f1236a 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -184,7 +184,7 @@ rip6_input(struct mbuf **mp, int *offp, int proto) if (!IN6_IS_ADDR_UNSPECIFIED(&in6p->in6p_faddr) && !IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src)) continue; - if (jailed(in6p->inp_cred)) { + if (jailed_without_vnet(in6p->inp_cred)) { /* * Allow raw socket in jail to receive multicast; * assume process had PRIV_NETINET_RAW at attach, |
