-rw-r--r-- | sys/net/route.c | 7 | ||||
-rw-r--r-- | sys/netinet/ip_mroute.c | 8 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 10 |
3 files changed, 25 insertions, 0 deletions
diff --git a/sys/net/route.c b/sys/net/route.c index c6c8b57..f2db78c 100644 --- a/sys/net/route.c +++ b/sys/net/route.c @@ -416,6 +416,13 @@ out: int rtioctl(u_long req, caddr_t data) { + + /* + * If more ioctl commands are added here, make sure the proper + * super-user checks are being performed because it is possible for + * prison-root to make it this far if raw sockets have been enabled + * in jails. + */ #ifdef INET /* Multicast goop, grrr... */ return mrt_ioctl ? mrt_ioctl(req, data) : EOPNOTSUPP; diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c index b0490a4..94781e0 100644 --- a/sys/netinet/ip_mroute.c +++ b/sys/netinet/ip_mroute.c @@ -526,6 +526,14 @@ X_mrt_ioctl(int cmd, caddr_t data) { int error = 0; + /* + * Currently the only function calling this ioctl routine is rtioctl(). + * Typically, only root can create the raw socket in order to execute + * this ioctl method, however the request might be coming from a prison + */ + error = suser(curthread); + if (error) + return (error); switch (cmd) { case (SIOCGETVIFCNT): error = get_vif_cnt((struct sioc_vif_req *)data); diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index f8796f1..96e9b0a 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -344,6 +344,16 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt) if (sopt->sopt_level != IPPROTO_IP) return (EINVAL); + /* + * Even though super-user is required to create a raw socket, the + * calling cred could be prison root. If so we want to restrict the + * access to IP_HDRINCL only. + */ + if (sopt->sopt_name != IP_HDRINCL) { + error = suser(curthread); + if (error != 0) + return (error); + } error = 0; switch (sopt->sopt_dir) { |
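Review bot: The warning comment added at the top of rtioctl() does not say where the existing multicast path is checked, so a reader of this function alone cannot tell whether the `mrt_ioctl` call is already guarded. Judging from the ip_mroute.c hunk in the same commit, the check presumably lives in X_mrt_ioctl(); naming it would help, e.g. `* The multicast path below is checked in X_mrt_ioctl().` The hunk also adds an empty line directly after the opening brace, which could be dropped. rtioctl()'s body continues past the hunk.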
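Review bot: The comment added in X_mrt_ioctl() stops mid-sentence at "might be coming from a prison" and never states the consequence, which is the security-relevant part. I would finish it along the lines of `* this ioctl method; however, the request might come from a jailed root,` followed by `* so require full super-user privilege before dispatching.` Because `error` is now assigned unconditionally by `suser(curthread)`, the `= 0` initialiser on the declaration above is dead and can go. The check relies on `curthread` being the requester, since the handler receives no thread or credential argument; that assumption deserves a word in the comment. The switch continues outside the hunk.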
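Review bot: The new check in rip_ctloutput() sits before the `switch (sopt->sopt_dir)`, so it applies to reads as well as writes and to every option name except IP_HDRINCL. The switch body is outside this hunk; if it passes unrecognised names on to the generic IP option code, a jailed root also loses ordinary options such as IP_TTL or IP_TOS on a raw socket. Please confirm that default-deny scope is intended and state it in the comment, for example `* All other options, get or set, are denied to prison root.` The check also uses `curthread` although the request carries its own thread in `sopt->sopt_td`; if that field is always set on this path, `suser(sopt->sopt_td)` would tie the decision to the actual requester.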