git: 69e7d9b7e6b3 - main - fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.

From: Alexander V. Chernikov <melifaro_at_FreeBSD.org>
Date: Sun, 12 Feb 2023 11:46:51 UTC
The branch main has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=69e7d9b7e6b369b760e1f189af2e25587b56a102

commit 69e7d9b7e6b369b760e1f189af2e25587b56a102
Author:     Alexander V. Chernikov <melifaro@FreeBSD.org>
AuthorDate: 2023-02-11 15:43:23 +0000
Commit:     Alexander V. Chernikov <melifaro@FreeBSD.org>
CommitDate: 2023-02-12 11:46:38 +0000

    fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.
    
    Reported by:    olivier
    Tested by:      olivier
    Reviewed by:    kp, glebius
    Differential Revision: https://reviews.freebsd.org/D38505
    MFC after:      1 week
---
 sys/net/route/route_tables.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/sys/net/route/route_tables.c b/sys/net/route/route_tables.c
index 637a86573320..be67556915d0 100644
--- a/sys/net/route/route_tables.c
+++ b/sys/net/route/route_tables.c
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/jail.h>
+#include <sys/osd.h>
 #include <sys/proc.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
@@ -162,6 +163,39 @@ sys_setfib(struct thread *td, struct setfib_args *uap)
 	return (error);
 }
 
+static int
+rtables_check_proc_fib(void *obj, void *data)
+{
+	struct prison *pr = obj;
+	struct thread *td = data;
+	int error = 0;
+
+	if (TD_TO_VNET(td) != pr->pr_vnet) {
+		/* number of fibs may be lower in a new vnet */
+		CURVNET_SET(pr->pr_vnet);
+		if (td->td_proc->p_fibnum >= V_rt_numfibs)
+			error = EINVAL;
+		CURVNET_RESTORE();
+	}
+	return (error);
+}
+
+static void
+rtables_prison_destructor(void *data)
+{
+}
+
+static void
+rtables_init(void)
+{
+	osd_method_t methods[PR_MAXMETHOD] = {
+	    [PR_METHOD_ATTACH] =	rtables_check_proc_fib,
+	};
+	osd_jail_register(rtables_prison_destructor, methods);
+}
+SYSINIT(rtables_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, rtables_init, NULL);
+
+
 /*
  * If required, copy interface routes from existing tables to the
  * newly-created routing table.
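Review bot: `rtables_check_proc_fib` has no header comment stating that it is the jail PR_METHOD_ATTACH hook and why the range check is only performed when the target prison's vnet differs from the caller's, so the unconditional success in the same-vnet case reads like an omission rather than the intended "same vnet, same V_rt_numfibs, already validated by setfib(2)". Suggest a comment above `static int` such as `/* PR_METHOD_ATTACH hook: refuse jail_attach(2) when the calling process' fibnum does not exist in the target vnet, since net.fibs may have been grown in the parent vnet while a new vnet starts with the default. */`. The empty `rtables_prison_destructor` likewise deserves a one-line comment on why it exists (presumably because osd_jail_register() expects a non-NULL destructor — confirm against kern_osd.c), otherwise it looks like an unfinished stub. The read of `td->td_proc->p_fibnum` appears to be unserialized against a concurrent setfib(2) from another thread of the same process, which is presumably accepted since the attaching thread is checking its own process, but a short comment noting that would save the next reader the question. Minor: the two consecutive blank lines added before the `If required, copy interface routes` comment block should be collapsed to one per style(9).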