svn commit: r220478 - stable/8/sys/net
Bjoern A. Zeeb
bz at FreeBSD.org
Sat Apr 9 10:36:34 UTC 2011
Author: bz
Date: Sat Apr 9 10:36:33 2011
New Revision: 220478
URL: http://svn.freebsd.org/changeset/base/220478
Log:
MFC r219206:
Hide the outer IP addresses of a tunnel interfaces (gif(4), gre(4))
from processes inside jails if the addresses do not belong to the jail.
Originally reported by: Pieter de Boer via remko
Tested by: Piotr KUCHARSKI (nospam 42.pl) [gif]
PR: kern/151119
Modified:
stable/8/sys/net/if_gif.c
stable/8/sys/net/if_gre.c
Directory Properties:
stable/8/sys/ (props changed)
stable/8/sys/amd64/include/xen/ (props changed)
stable/8/sys/cddl/contrib/opensolaris/ (props changed)
stable/8/sys/contrib/dev/acpica/ (props changed)
stable/8/sys/contrib/pf/ (props changed)
Modified: stable/8/sys/net/if_gif.c
==============================================================================
--- stable/8/sys/net/if_gif.c Sat Apr 9 10:22:18 2011 (r220477)
+++ stable/8/sys/net/if_gif.c Sat Apr 9 10:36:33 2011 (r220478)
@@ -35,6 +35,7 @@
#include <sys/param.h>
#include <sys/systm.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
@@ -817,6 +818,12 @@ gif_ioctl(ifp, cmd, data)
}
if (src->sa_len > size)
return EINVAL;
+ error = prison_if(curthread->td_ucred, src);
+ if (error != 0)
+ return (error);
+ error = prison_if(curthread->td_ucred, dst);
+ if (error != 0)
+ return (error);
bcopy((caddr_t)src, (caddr_t)dst, src->sa_len);
#ifdef INET6
if (dst->sa_family == AF_INET6) {
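Review bot: The second `prison_if(curthread->td_ucred, dst)` runs before the `bcopy((caddr_t)src, (caddr_t)dst, src->sa_len)` that fills `dst`, so it inspects whatever the caller left in the reply buffer rather than tunnel state; the outer address this change wants to hide is already covered by the check on `src`. For a jailed caller whose ifreq holds zeroed or stale bytes the extra call can turn a valid get into an error (prison_if's return for an unrecognised family is not visible here), so I would drop the three `dst` lines, or move that check after the copy if the intent is to re-validate the result. gif_ioctl begins and ends outside the hunk, so whether `dst` is pre-validated elsewhere cannot be confirmed from this diff.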
Modified: stable/8/sys/net/if_gre.c
==============================================================================
--- stable/8/sys/net/if_gre.c Sat Apr 9 10:22:18 2011 (r220477)
+++ stable/8/sys/net/if_gre.c Sat Apr 9 10:36:33 2011 (r220478)
@@ -53,6 +53,7 @@
#include "opt_inet6.h"
#include <sys/param.h>
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/module.h>
@@ -643,6 +644,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
si.sin_len = sizeof(struct sockaddr_in);
si.sin_addr.s_addr = sc->g_src.s_addr;
sa = sintosa(&si);
+ error = prison_if(curthread->td_ucred, sa);
+ if (error != 0)
+ break;
ifr->ifr_addr = *sa;
break;
case GREGADDRD:
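Review bot: The three-line `error = prison_if(...); if (error != 0) break;` block is repeated verbatim in this hunk and in the GREGADDRD, SIOCGLIFPHYADDR, SIOCGIFPSRCADDR and SIOCGIFPDSTADDR hunks below, each time after a sockaddr_in is assembled field by field (sin_family is presumably set above this hunk). A small file-scope helper that takes the in_addr and does the assembly and the prison check in one place would keep the six call sites consistent and make the jail check harder to forget when another getter is added; each case would then read `error = gre_prison_check(sc->g_src); if (error != 0) break;`. gre_ioctl starts and ends outside the hunks, so the post-switch handling of `error` is not visible here.

```c
/* Return 0 if addr may be disclosed to the calling thread's prison, else an errno. */
static int
gre_prison_check(struct in_addr addr)
{
	struct sockaddr_in si;

	bzero(&si, sizeof(si));
	si.sin_family = AF_INET;
	si.sin_len = sizeof(si);
	si.sin_addr = addr;
	return (prison_if(curthread->td_ucred, (struct sockaddr *)&si));
}
```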
@@ -651,6 +655,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
si.sin_len = sizeof(struct sockaddr_in);
si.sin_addr.s_addr = sc->g_dst.s_addr;
sa = sintosa(&si);
+ error = prison_if(curthread->td_ucred, sa);
+ if (error != 0)
+ break;
ifr->ifr_addr = *sa;
break;
case SIOCSIFPHYADDR:
@@ -714,8 +721,14 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
si.sin_family = AF_INET;
si.sin_len = sizeof(struct sockaddr_in);
si.sin_addr.s_addr = sc->g_src.s_addr;
+ error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+ if (error != 0)
+ break;
memcpy(&lifr->addr, &si, sizeof(si));
si.sin_addr.s_addr = sc->g_dst.s_addr;
+ error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+ if (error != 0)
+ break;
memcpy(&lifr->dstaddr, &si, sizeof(si));
break;
case SIOCGIFPSRCADDR:
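Review bot: In the SIOCGLIFPHYADDR path the source check, the `memcpy(&lifr->addr, &si, sizeof(si))`, and only then the destination check run in sequence, so when the second `prison_if()` fails the caller receives an error with `lifr->addr` already overwritten and `lifr->dstaddr` untouched. Running both checks before either memcpy keeps the error path from handing back a half-filled reply, as sketched below. gre_ioctl continues outside the hunk, so how `error` is returned after the switch is not visible here.

```c
	/* … unchanged: si.sin_family, si.sin_len and si.sin_addr set from sc->g_src … */
	error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
	if (error != 0)
		break;
	si.sin_addr.s_addr = sc->g_dst.s_addr;
	error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
	if (error != 0)
		break;
	/* Both outer addresses passed the jail check; only now fill the reply. */
	memcpy(&lifr->dstaddr, &si, sizeof(si));
	si.sin_addr.s_addr = sc->g_src.s_addr;
	memcpy(&lifr->addr, &si, sizeof(si));
	break;
```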
@@ -730,6 +743,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
si.sin_family = AF_INET;
si.sin_len = sizeof(struct sockaddr_in);
si.sin_addr.s_addr = sc->g_src.s_addr;
+ error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+ if (error != 0)
+ break;
bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
break;
case SIOCGIFPDSTADDR:
@@ -744,6 +760,9 @@ gre_ioctl(struct ifnet *ifp, u_long cmd,
si.sin_family = AF_INET;
si.sin_len = sizeof(struct sockaddr_in);
si.sin_addr.s_addr = sc->g_dst.s_addr;
+ error = prison_if(curthread->td_ucred, (struct sockaddr *)&si);
+ if (error != 0)
+ break;
bcopy(&si, &ifr->ifr_addr, sizeof(ifr->ifr_addr));
break;
case GRESKEY: