svcj: add "routing" option

"routing" enables the jail allow.routing permission, which allows the jail to
modify the system routing table.  This can be used to run routing daemons
(e.g., BIRD) in a service jail.

Reviewed by:	jamie, des
Approved by:	des (mentor)
Differential Revision:	https://reviews.freebsd.org/D49844
Lexi Winter 2025-05-11 03:01:10 +01:00
parent 3a53fe2cc4
commit 0268d03ba1
2 changed files with 6 additions and 1 deletions

@ -1259,6 +1259,9 @@ run_rc_command()
nfsd)
_svcj_cmd_options="allow.nfsd enforce_statfs=1 ${_svcj_cmd_options}"
;;
routing)
_svcj_cmd_options="allow.routing ${_svcj_cmd_options}"
;;
settime)
_svcj_cmd_options="allow.settime ${_svcj_cmd_options}"
;;
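
Review bot: The new routing) case grants allow.routing with no comment on its scope, and per the commit message this permission lets the jailed service modify the system routing table, so a compromised service with this option can change routing for the whole host. A one-line comment above the case stating that it is meant for routing daemons (the commit message names BIRD) would make the intent clear to anyone enabling it. Unlike the nfsd) case, which pairs allow.nfsd with enforce_statfs=1, this case adds a single parameter; if a routing daemon also needs one of the network options to be usable, say so in the rc.conf(5) entry.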

@ -22,7 +22,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 6, 2025
.Dd May 11, 2025
.Dt RC.CONF 5
.Os
.Sh NAME
@ -5019,6 +5019,8 @@ allows to open raw sockets, and allows to open sockets of protocol stacks that
have not had jail functionality added to them.
.It nfsd
Allows to run nfsd and affiliated daemons.
.It routing
Allows to modify the system routing table.
.It settime
Allows to set and slew the system time.
.It sysvipc
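
Review bot: The new ".It routing" entry does not name the jail parameter it enables or say that the change is system-wide. "Allows to modify the system routing table." matches the wording of the neighbouring entries, but this option has more reach than most of them, so consider naming allow.routing and adding a sentence that it should only be enabled for services that need it, such as routing daemons, since the routing table being modified is the system's.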