From nobody Sun Mar 26 08:38:33 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Pkq952rkGz41VRJ; Sun, 26 Mar 2023 08:38:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Pkq952Mzzz44Vv; Sun, 26 Mar 2023 08:38:33 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1679819913; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1UhhpDpBx/fwNO0z/ugz7Vr0URnT4vM0KaykJ2+kezs=; b=K9PB6fMTloRwIuJWwqL5JZRi9gcr9ongC5gFTNfaskAkwZ9kp/P+6EhX9lQXrBD84/W4XK xHnUdwshP0zLH1mwKXjhR7HrFRwmUChqNh8/MSV3fhrs8EqGnO0rMJBW/IpNzV4qLpLxVp DGmZ3fRnNjdnfIGLgs0YrgOfuX9EY9q1ovAz2pgDx2MQfcY6ODrsRWTc98t95Aqkq7RYGT SG7mfx8Er+U9j4nV2G/7ixICMKZpaIdZS6Tj+9EqDJbmT4b6Au1vhhdSCUMwu8Gl0osFXZ i16nWR+VX7clHLs+iAPzkQpyzz1g8F+tpaMMLYKroS9jDekq6hkoXG3EdDK0bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1679819913; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=1UhhpDpBx/fwNO0z/ugz7Vr0URnT4vM0KaykJ2+kezs=; b=JwheG/KRrMFhSx/PT+bkWGzzfAVfXcvcis9B+RpL2cBVTrdkSfgqUEC4fnTu35IlJJPhWG /sfPmEZ3aKhCvqLbKrM8PAOeJNnfIcwRlSrKRadSCVqdI3+QGLeqmCHwit83HhiL7iyfSR SgOYLy6+MDUkX77lq42HvYSwwRFMAHv9tUaVi7Ml7Xfta6Huk8R2yRurcjFkyvcp/2rzMn /JCAWmKLp1ECuTAmSf9Nb9BXTMCn/htqGWYV+yuNisUul1DZ1uAJ1AEY569+XEjqy2qWOI Hyd4nkSERlS/99GsjZ095DXPnmhU3VTCTqlav44R9vSrcZjkPfnuyLvV3R238Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1679819913; a=rsa-sha256; cv=none; b=b3q/QWn1A1Xm5ZZpD0nxeUVHCYI5G2Aj96q9Kg3L9O90ijr3qB/cHJmA3gDr1dwLzlop3R fkazqJ6DScl/I4wdFI28R4TTnmD/ijz9v0/Z1MunUA/cqZq+VQtJx0m/7LG3UMrKdztX3A OXfKcLWGyt6EJq0OK6SPmJ+q74K15vih11DKvgPrZ4CqIBlOnDVQU5kBcGkfApfbiuBCg3 fDgx89yOnOBZ+yTSJEks31ltgjR/nkub9wgRWFiJxu62fy3AYVIYs8nQE2Vv0X+RzJNIXz w41xHctfue3F+P1J4T6vETyR9jJxNG63FNd9L+rMrDGeCozY61iZuy0KwES3/A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Pkq951QGyzZ1N; Sun, 26 Mar 2023 08:38:33 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 32Q8cXQb006074; Sun, 26 Mar 2023 08:38:33 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 32Q8cXDH006073; Sun, 26 Mar 2023 08:38:33 GMT (envelope-from git) Date: Sun, 26 Mar 2023 08:38:33 GMT Message-Id: <202303260838.32Q8cXDH006073@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: "Alexander V. Chernikov" Subject: git: 2cda6a2fb0d9 - main - routing: add public rt_is_exportable() version to check if the route can be exported to userland when jailed. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: melifaro X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2cda6a2fb0d9473a53931dc2b0171af54dd79b04 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by melifaro: URL: https://cgit.FreeBSD.org/src/commit/?id=2cda6a2fb0d9473a53931dc2b0171af54dd79b04 commit 2cda6a2fb0d9473a53931dc2b0171af54dd79b04 Author: Alexander V. Chernikov AuthorDate: 2023-03-26 08:19:56 +0000 Commit: Alexander V. Chernikov CommitDate: 2023-03-26 08:24:27 +0000 routing: add public rt_is_exportable() version to check if the route can be exported to userland when jailed. Differential Revision: https://reviews.freebsd.org/D39204 MFC after: 2 weeks --- sys/net/route/route_ctl.h | 2 ++ sys/net/route/route_rtentry.c | 24 ++++++++++++++++++++++++ sys/net/rtsock.c | 29 ++++------------------------- 3 files changed, 30 insertions(+), 25 deletions(-) diff --git a/sys/net/route/route_ctl.h b/sys/net/route/route_ctl.h index e8560e681ddb..b65b64fcdaa0 100644 --- a/sys/net/route/route_ctl.h +++ b/sys/net/route/route_ctl.h @@ -121,6 +121,7 @@ void rib_foreach_table_walk_del(int family, rib_filter_f_t *filter_f, void *arg) struct nhop_object; struct nhgrp_object; +struct ucred; const struct rtentry *rib_lookup_prefix(uint32_t fibnum, int family, const struct sockaddr *dst, const struct sockaddr *netmask, @@ -133,6 +134,7 @@ bool rt_is_host(const struct rtentry *rt); sa_family_t rt_get_family(const struct rtentry *); struct nhop_object *rt_get_raw_nhop(const struct rtentry *rt); void rt_get_rnd(const struct rtentry *rt, struct route_nhop_data *rnd); +bool rt_is_exportable(const struct rtentry *rt, struct ucred *cred); #ifdef INET struct in_addr; void rt_get_inet_prefix_plen(const struct rtentry *rt, struct in_addr *paddr, diff --git a/sys/net/route/route_rtentry.c b/sys/net/route/route_rtentry.c index 0c3c8ddd7361..d57b5db80b89 100644 --- a/sys/net/route/route_rtentry.c +++ b/sys/net/route/route_rtentry.c @@ -35,6 +35,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -197,6 +198,29 @@ rt_get_rnd(const struct rtentry *rt, struct route_nhop_data *rnd) rnd->rnd_weight = rt->rt_weight; } +/* + * If the process in in jail w/o VNET, export only host routes for the + * addresses assigned to the jail. + * Otherwise, allow exporting the entire table. + */ +bool +rt_is_exportable(const struct rtentry *rt, struct ucred *cred) +{ + if (!rt_is_host(rt)) { + /* + * Performance optimisation: only host routes are allowed + * in the jail w/o vnet. + */ + if (jailed_without_vnet(cred)) + return (false); + } else { + if (prison_if(cred, rt_key_const(rt)) != 0) + return (false); + } + + return (true); +} + #ifdef INET /* * Stores IPv4 address and prefix length of @rt inside diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index b77692d28588..548caf0ef23a 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -218,8 +218,6 @@ static int update_rtm_from_rc(struct rt_addrinfo *info, static void send_rtm_reply(struct socket *so, struct rt_msghdr *rtm, struct mbuf *m, sa_family_t saf, u_int fibnum, int rtm_errno); -static bool can_export_rte(struct ucred *td_ucred, bool rt_is_host, - const struct sockaddr *rt_dst); static void rtsock_notify_event(uint32_t fibnum, const struct rib_cmd_info *rc); static void rtsock_ifmsg(struct ifnet *ifp, int if_flags_mask); @@ -1168,11 +1166,8 @@ rts_send(struct socket *so, int flags, struct mbuf *m, senderr(error); nh = rc.rc_nh_new; - if (!can_export_rte(curthread->td_ucred, - info.rti_info[RTAX_NETMASK] == NULL, - info.rti_info[RTAX_DST])) { + if (!rt_is_exportable(rc.rc_rt, curthread->td_ucred)) senderr(ESRCH); - } break; default: @@ -2198,23 +2193,6 @@ rt_dispatch(struct mbuf *m, sa_family_t saf) netisr_queue(NETISR_ROUTE, m); /* mbuf is free'd on failure. */ } -/* - * Checks if rte can be exported w.r.t jails/vnets. - * - * Returns true if it can, false otherwise. - */ -static bool -can_export_rte(struct ucred *td_ucred, bool rt_is_host, - const struct sockaddr *rt_dst) -{ - - if ((!rt_is_host) ? jailed_without_vnet(td_ucred) - : prison_if(td_ucred, rt_dst) != 0) - return (false); - return (true); -} - - /* * This is used in dumping the kernel table via sysctl(). */ @@ -2226,9 +2204,10 @@ sysctl_dumpentry(struct rtentry *rt, void *vw) NET_EPOCH_ASSERT(); - export_rtaddrs(rt, w->dst, w->mask); - if (!can_export_rte(w->w_req->td->td_ucred, rt_is_host(rt), w->dst)) + if (!rt_is_exportable(rt, w->w_req->td->td_ucred)) return (0); + + export_rtaddrs(rt, w->dst, w->mask); nh = rt_get_raw_nhop(rt); #ifdef ROUTE_MPATH if (NH_IS_NHGRP(nh)) {