From 0268d03ba1955c5cc3cbef9a86691718e516a77c Mon Sep 17 00:00:00 2001 From: Lexi Winter Date: Sun, 11 May 2025 03:01:10 +0100 Subject: [PATCH] svcj: add "routing" option "routing" enables the jail allow.routing permission, which allows the jail to modify the system routing table. this can be used to run routing daemons (e.g., BIRD) in a service jail. Reviewed by: jamie, des Approved by: des (mentor) Differential Revision: https://reviews.freebsd.org/D49844 --- libexec/rc/rc.subr | 3 +++ share/man/man5/rc.conf.5 | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc.subr b/libexec/rc/rc.subr index c74cbcef9d6..2261ab0461e 100644 --- a/libexec/rc/rc.subr +++ b/libexec/rc/rc.subr @@ -1259,6 +1259,9 @@ run_rc_command() nfsd) _svcj_cmd_options="allow.nfsd enforce_statfs=1 ${_svcj_cmd_options}" ;; + routing) + _svcj_cmd_options="allow.routing ${_svcj_cmd_options}" + ;; settime) _svcj_cmd_options="allow.settime ${_svcj_cmd_options}" ;; diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 7dbea16d51f..4b15db07a12 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 6, 2025 +.Dd May 11, 2025 .Dt RC.CONF 5 .Os .Sh NAME @@ -5019,6 +5019,8 @@ allows to open raw sockets, and allows to open sockets of protocol stacks that have not had jail functionality added to them. .It nfsd Allows to run nfsd and affiliated daemons. +.It routing +Allows to modify the system routing table. .It settime Allows to set and slew the system time. .It sysvipc
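Review bot: In the libexec/rc/rc.subr hunk, the new `routing)` case grants `allow.routing` on its own, whereas the neighbouring `nfsd)` case bundles the extra parameter it depends on (`enforce_statfs=1`). The commit message names running a routing daemon such as BIRD as the use case; if such a service also needs one of the network options to work, state that in the commit message or in rc.conf.5, so that users are not left to find the combination by enabling broader options than necessary. Keeping the case itself limited to `allow.routing` is the right default for least privilege.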
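Review bot: In the second share/man/man5/rc.conf.5 hunk, the `.It routing` entry says only "Allows to modify the system routing table." and gives no guidance on when to enable it. Since the privilege covers the system routing table, a service started with this option can change how the host forwards traffic; suggest adding one sentence that the option is intended for services that manage routes, such as the routing daemons mentioned in the commit message, and should not be set otherwise. The phrasing is consistent with the adjacent `nfsd` and `settime` entries, so no style change is needed.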