Allow PING(8) in jails without raw socket access permissions

carlos antonio neira bustos cneirabustos at gmail.com
Wed Nov 11 14:52:57 UTC 2020


Thank you all for the feedback.
I'll resume work on this taking your comments into account.

Thanks again!


On Fri, Oct 23, 2020 at 10:00 PM Dewayne Geraghty <
dewayne.geraghty at heuristicsystems.com.au> wrote:

> On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> > Hello,
> >
> > I currently have a patch in review with jamie, who is the current jail
> > maintainer, and kyle evans; if anyone else could comment/review this
> > patch:
> > https://reviews.freebsd.org/D26782
> >
> > What has been done is the following :
> >
> > Raw socket access is allowed for the ICMP protocol, as is required by
> > PING(8), but option IP_HDRINCL is not allowed. To accomplish this,
> > a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> > jails.
> >
> >
> > Bests
> > _______________________________________________
> > freebsd-net at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> >
> Thanks for the heads-up Carlos.  I have a use for allowing only icmp
> traffic, so it's beneficial.
>
> However I do agree with BZ that it should not be enabled by default, as
> it weakens the security model, enabling a broken jail to more easily
> enumerate the wider network environment.
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
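As an added example, not part of this thread or of the D26782 patch, here is a small C probe a jail administrator could run inside a jail to see which of the three outcomes discussed above applies: raw ICMP refused, raw ICMP allowed but IP_HDRINCL denied (what the patch proposes as the jail default), or full raw socket access. The function and enum names are mine, and it assumes that a privilege denial surfaces as EPERM or EACCES.

```c
/* Probe raw-ICMP policy from inside a jail. Opens a raw ICMP socket and
 * tries to enable IP_HDRINCL; never sends a packet. Names are my own,
 * not from the patch under review. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum icmp_raw_policy {
    POLICY_NO_RAW,       /* socket(SOCK_RAW, IPPROTO_ICMP) refused */
    POLICY_ICMP_ONLY,    /* raw ICMP allowed, IP_HDRINCL refused (proposed default) */
    POLICY_FULL_RAW,     /* raw ICMP allowed and IP_HDRINCL accepted */
    POLICY_OTHER_ERROR   /* failure unrelated to privilege, e.g. ENOBUFS */
};

/* Pure decision logic, separated so it can be tested without privileges.
 * Assumption: privilege denial is reported as EPERM or EACCES. */
enum icmp_raw_policy classify_icmp_raw(int sock_rc, int sock_errno,
                                       int hdrincl_rc, int hdrincl_errno)
{
    if (sock_rc < 0)
        return (sock_errno == EPERM || sock_errno == EACCES)
            ? POLICY_NO_RAW : POLICY_OTHER_ERROR;
    if (hdrincl_rc < 0)
        return (hdrincl_errno == EPERM || hdrincl_errno == EACCES)
            ? POLICY_ICMP_ONLY : POLICY_OTHER_ERROR;
    return POLICY_FULL_RAW;
}

/* Run the probe against the kernel the process is actually confined by. */
enum icmp_raw_policy probe_icmp_raw(void)
{
    int on = 1, sock_errno = 0, hdrincl_rc = 0, hdrincl_errno = 0;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) {
        sock_errno = errno;
    } else {
        hdrincl_rc = setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
        hdrincl_errno = hdrincl_rc < 0 ? errno : 0;
        close(fd);
    }
    return classify_icmp_raw(fd < 0 ? -1 : 0, sock_errno, hdrincl_rc, hdrincl_errno);
}

int main(void)
{
    static const char *names[] = { "no raw sockets",
        "raw ICMP only (IP_HDRINCL denied)", "full raw socket access",
        "error unrelated to privilege" };
    printf("icmp raw policy: %s\n", names[probe_icmp_raw()]);
    return 0;
}
```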

