author: Robert Watson <rwatson@FreeBSD.org> 2000-06-04 04:28:31 +0000
committer: Robert Watson <rwatson@FreeBSD.org> 2000-06-04 04:28:31 +0000
commit: 7cadc2663e77373c6aa646c06f75cb7705329842 (patch)
tree: 19aa5bf4a1f35db5b690dbfdd07f864a1436a12d /sys/kern/kern_jail.c
parent: a6cb9949a731955ca4a27553ae714ca42fa187ee (diff)
download: src-test2-7cadc2663e77373c6aa646c06f75cb7705329842.tar.gz
src-test2-7cadc2663e77373c6aa646c06f75cb7705329842.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 90c9aa81a7d7..af18a5e68854 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -34,6 +34,11 @@ SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
     &jail_set_hostname_allowed, 0,
     "Processes in jail can set their hostnames");
 
+int	jail_socket_unixiproute_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+    &jail_socket_unixiproute_only, 0,
+    "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+
 int
 jail(p, uap)
         struct proc *p;
@@ -126,7 +131,9 @@ prison_if(struct proc *p, struct sockaddr *sa)
 	struct sockaddr_in *sai = (struct sockaddr_in*) sa;
 	int ok;
 
-	if (sai->sin_family != AF_INET)
+	if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+		ok = 1;
+	else if (sai->sin_family != AF_INET)
 		ok = 0;
 	else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
 		ok = 1;
author	Robert Watson <rwatson@FreeBSD.org>	2000-06-04 04:28:31 +0000
committer	Robert Watson <rwatson@FreeBSD.org>	2000-06-04 04:28:31 +0000
commit	7cadc2663e77373c6aa646c06f75cb7705329842 (patch)
tree	19aa5bf4a1f35db5b690dbfdd07f864a1436a12d /sys/kern/kern_jail.c
parent	a6cb9949a731955ca4a27553ae714ca42fa187ee (diff)
download	src-test2-7cadc2663e77373c6aa646c06f75cb7705329842.tar.gz src-test2-7cadc2663e77373c6aa646c06f75cb7705329842.zip