Author: bz
Date: Wed Mar  2 21:39:08 2011
New Revision: 219206
URL: http://svn.freebsd.org/changeset/base/219206

Log:
  Hide the outer IP addresses of tunnel interfaces (gif(4), gre(4))
  from processes inside jails if the addresses do not belong to the jail.
  
  Originally reported by: Pieter de Boer via remko
  PR:           kern/151119
  Tested by:    Piotr KUCHARSKI (nospam 42.pl) [gif]
  MFC after:    1 week

Modified:
  head/sys/net/if_gif.c
  head/sys/net/if_gre.c

Modified: head/sys/net/if_gif.c
==============================================================================
--- head/sys/net/if_gif.c       Wed Mar  2 20:08:52 2011        (r219205)
+++ head/sys/net/if_gif.c       Wed Mar  2 21:39:08 2011        (r219206)
@@ -35,6 +35,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
@@ -817,6 +818,12 @@ gif_ioctl(ifp, cmd, data)
                }
                if (src->sa_len > size)
                        return EINVAL;
+               error = prison_if(curthread->td_ucred, src);
+               if (error != 0)
+                       return (error);
+               error = prison_if(curthread->td_ucred, dst);
+               if (error != 0)
+                       return (error);
                bcopy((caddr_t)src, (caddr_t)dst, src->sa_len);
 #ifdef INET6
                if (dst->sa_family == AF_INET6) {
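Review bot: The second check, `error = prison_if(curthread->td_ucred, dst);`, inspects `dst` before the `bcopy((caddr_t)src, (caddr_t)dst, src->sa_len)` on the next line has written anything into it, so it is evaluating whatever the output buffer held on entry rather than a tunnel endpoint. If `dst` is the caller's address slot in the request structure, as the bcopy into it suggests, that check is at best redundant with the `src` check and at worst fails with a spurious error that depends on stale buffer contents. The address being hidden is `src`, which the first check already covers, so the three `dst` lines can be dropped. gif_ioctl starts and ends outside this hunk, so I cannot confirm where `dst` is assigned.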

Modified: head/sys/net/if_gre.c
==============================================================================
--- head/sys/net/if_gre.c       Wed Mar  2 20:08:52 2011        (r219205)
+++ head/sys/net/if_gre.c       Wed Mar  2 21:39:08 2011        (r219206)
@@ -46,6 +46,7 @@
 #include "opt_inet6.h"
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/module.h>
@@ -636,6 +637,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
                si.sin_len = sizeof(struct sockaddr_in);
                si.sin_addr.s_addr = sc->g_src.s_addr;
                sa = sintosa(&si);
+               error = prison_if(curthread->td_ucred, sa);
+               if (error != 0)
+                       break;
                ifr->ifr_addr = *sa;
                break;
        case GREGADDRD:
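Review bot: The three-line `error = prison_if(curthread->td_ucred, sa); if (error != 0) break;` sequence added here is repeated verbatim in the GREGADDRD, SIOCGLIFPHYADDR, SIOCGIFPSRCADDR and SIOCGIFPDSTADDR cases below, five copies in all, each placed by hand between building `si` and copying it out. A single `static` helper that takes the `struct sockaddr_in *` and performs the jail check would keep the filter in one spot, so a getter case added later cannot silently omit it. The `break` relies on `error` being returned after the switch, which is outside this hunk; gre_ioctl starts and ends outside it as well.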
@@ -644,6 +648,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
                si.sin_len = sizeof(struct sockaddr_in);
                si.sin_addr.s_addr = sc->g_dst.s_addr;
                sa = sintosa(&si);
+               error = prison_if(curthread->td_ucred, sa);
+               if (error != 0)
+                       break;
                ifr->ifr_addr = *sa;
                break;
        case SIOCSIFPHYADDR:
@@ -707,8 +714,14 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
                si.sin_family = AF_INET;
                si.sin_len = sizeof(struct sockaddr_in);
                si.sin_addr.s_addr = sc->g_src.s_addr;
+               error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+               if (error != 0)
+                       break;
                memcpy(&lifr->addr, &si, sizeof(si));
                si.sin_addr.s_addr = sc->g_dst.s_addr;
+               error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+               if (error != 0)
+                       break;
                memcpy(&lifr->dstaddr, &si, sizeof(si));
                break;
        case SIOCGIFPSRCADDR:
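Review bot: In the SIOCGLIFPHYADDR case the `memcpy(&lifr->addr, &si, sizeof(si))` for the source runs before the destination address has been checked, so when the second `prison_if` fails the request structure already carries the source endpoint; whether that reaches the caller depends on the ioctl copy-out path, which is outside this hunk, but checking both addresses first and copying only after both pass avoids relying on it. Separately, this hunk and the two below it (SIOCGIFPSRCADDR, SIOCGIFPDSTADDR) spell the conversion as `(struct sockaddr *)&si` while the GREGADDRS and GREGADDRD hunks use `sintosa(&si)`; using `sintosa(&si)` in all five keeps the file consistent. gre_ioctl starts and ends outside this hunk.
```c
		si.sin_len = sizeof(struct sockaddr_in);
		/* Check both outer addresses before writing either one out. */
		si.sin_addr.s_addr = sc->g_src.s_addr;
		error = prison_if(curthread->td_ucred, sintosa(&si));
		if (error != 0)
			break;
		si.sin_addr.s_addr = sc->g_dst.s_addr;
		error = prison_if(curthread->td_ucred, sintosa(&si));
		if (error != 0)
			break;
		si.sin_addr.s_addr = sc->g_src.s_addr;
		memcpy(&lifr->addr, &si, sizeof(si));
		si.sin_addr.s_addr = sc->g_dst.s_addr;
		memcpy(&lifr->dstaddr, &si, sizeof(si));
		break;
		/* … unchanged: SIOCGIFPSRCADDR case … */
```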
@@ -723,6 +736,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
                si.sin_family = AF_INET;
                si.sin_len = sizeof(struct sockaddr_in);
                si.sin_addr.s_addr = sc->g_src.s_addr;
+               error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+               if (error != 0)
+                       break;
                bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
                break;
        case SIOCGIFPDSTADDR:
@@ -737,6 +753,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
                si.sin_family = AF_INET;
                si.sin_len = sizeof(struct sockaddr_in);
                si.sin_addr.s_addr = sc->g_dst.s_addr;
+               error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+               if (error != 0)
+                       break;
                bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
                break;
        case GRESKEY: