Discussion:
setfib allowed in jail
Cédric Maunoury
2018-12-09 20:11:27 UTC
Hello everyone,

It’s my first mail on this mailing list... Thus, please forgive me if I do something wrong :)

I was playing on a FreeBSD 11.2 with jails and I was surprised to be able to successfully launch setfib from inside a jail... that means I can use another routing table than the one configured in the jail configuration file.

To me, it should be forbidden. The patch would be to add the following lines at the beginning of the function sys_setfib (sys/net/route.c) - not tested:
——
if (jailed(td->td_ucred))
    return (EPERM);
——

Thanks,

Cédric
James Gritton
2018-12-10 16:34:49 UTC
Post by Cédric Maunoury
Hello everyone,
It’s my first mail on this mailing list... Thus, please forgive me if
I do something wrong :)
I was playing on a FreeBSD 11.2 with jails and I was surprised to be
able to successfully launch setfib from inside a jail... that means I
can use another routing table than the one configured in the jail
configuration file.
To me, it should be forbidden. The patch would be to add the following
lines at the beginning of the function sys_setfib (sys/net/route.c) -
——
if (jailed(td->td_ucred))
    return (EPERM);
——
If a jail isn't restricted to a particular FIB, then there should be no
restriction on this system call. So you would need to not only check if
the process is jailed, but if that jail has its FIB restricted. And
that's where things take an unexpected turn: *no* jails have their FIBs
restricted.

The exec.fib parameter, like all of exec.*, is among the
pseudo-parameters that don't actually set anything in the jail but are
just a convenience in setting up the jail creation environment. In
particular, if set it calls setfib(2) before executing anything inside
the jail. It never actually associated an FIB with the jail itself.

That doesn't mean there's no advantage to changing jails to have an FIB
associated with them. It's already an issue, in that jexec(8) isn't
aware of these pseudo-parameters, and doesn't call setfib(2) before
entering the jail. It would make sense not only to do that, but also to
be able to restrict a jail to a particular FIB.

- Jamie
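
Added example, not part of either message in this thread: since exec.fib is only applied by a setfib(2) call at jail start and is never stored with the jail, the FIB each jailed process is really using can be audited from the host. This sketch assumes `ps -axo jid,fib,pid,comm` output and an operator-maintained list of each jail's configured exec.fib; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# audit_fib EXPECTED PS_OUTPUT
#   EXPECTED : "jid fib" per line, taken from the operator's own jail.conf
#              exec.fib settings (jid looked up with `jls jid name`)
#   PS_OUTPUT: output of `ps -axo jid,fib,pid,comm` captured on the host
audit_fib() {
    awk '
        FILENAME == ARGV[1] { want[$1] = $2; next }  # jid -> configured FIB
        FNR == 1 || $1 == 0 { next }                 # ps header, unjailed procs
        !($1 in want)       { next }                 # jail has no exec.fib set
        $2 != want[$1] {
            printf "MISMATCH jid=%s pid=%s comm=%s fib=%s want=%s\n",
                   $1, $3, $4, $2, want[$1]
        }
    ' "$1" "$2"
}

# Runs the audit over constructed data: jail 3 is configured for FIB 1 and
# jail 5 for FIB 2; jail 7 has no exec.fib and is therefore not checked.
run_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/expected" <<'EOF'
3 1
5 2
EOF
    cat > "$dir/ps" <<'EOF'
  JID FIB   PID COMMAND
    0   0   812 sshd
    3   1  1440 nginx
    3   0  2291 sh
    5   3  2310 curl
    7   0  2400 cron
EOF
    audit_fib "$dir/expected" "$dir/ps"
    status=$?
    rm -rf "$dir"
    return $status
}

run_sample
```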
