jail: add allow.routing jail permission

if allow.routing is set, the jail can modify the system routing table even if it's not a VNET jail. Reviewed by: kevans, des, adrian Approved by: kevans (mentor), des (mentor) Differential Revision: https://reviews.freebsd.org/D49843 (cherry picked from commit 3a53fe2cc4b7076003163376a7db65e432f6283e)
2026-02-19 02:30:08 -05:00 · 2025-05-11 03:01:25 +01:00 · 2025-05-11 03:01:25 +01:00 · b69907d463
commit b69907d463
parent 9e2362e370
4 changed files with 21 additions and 2 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -226,6 +226,7 @@ static struct bool_flags pr_flag_allow[NBBY * NBPW] = {
 #ifdef VIMAGE
 	{"allow.nfsd", "allow.nonfsd", PR_ALLOW_NFSD},
 #endif
+	{"allow.routing", "allow.norouting", PR_ALLOW_ROUTING},
 };
 static unsigned pr_allow_all = PR_ALLOW_ALL_STATIC;
 const size_t pr_flag_allow_size = sizeof(pr_flag_allow);
@ -4142,6 +4143,16 @@ prison_priv_check(struct ucred *cred, int priv)
 			return (0);
 		return (EPERM);

+		/*
+		 * Conditionally allow privileged process in the jail to modify
+		 * the routing table.
+		 */
+	case PRIV_NET_ROUTE:
+		if (cred->cr_prison->pr_allow & PR_ALLOW_ROUTING)
+			return (0);
+		else
+			return (EPERM);
+
 	default:
 		/*
 		 * In all remaining cases, deny the privilege request.  This
@ -4604,6 +4615,8 @@ SYSCTL_JAIL_PARAM(_allow, suser, CTLTYPE_INT | CTLFLAG_RW,
 SYSCTL_JAIL_PARAM(_allow, nfsd, CTLTYPE_INT | CTLFLAG_RW,
    "B", "Mountd/nfsd may run in the jail");
 #endif
+SYSCTL_JAIL_PARAM(_allow, routing, CTLTYPE_INT | CTLFLAG_RW,
+    "B", "Jail may modify routing table");

 SYSCTL_JAIL_PARAM_SUBNODE(allow, mount, "Jail mount/unmount permission flags");
 SYSCTL_JAIL_PARAM(_allow_mount, , CTLTYPE_INT | CTLFLAG_RW,
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@ -1118,12 +1118,14 @@ static const struct rtnl_cmd_handler cmd_handlers[] = {
 		.name = "RTM_DELROUTE",
 		.cb = &rtnl_handle_delroute,
 		.priv = PRIV_NET_ROUTE,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	},
 	{
 		.cmd = NL_RTM_NEWROUTE,
 		.name = "RTM_NEWROUTE",
 		.cb = &rtnl_handle_newroute,
 		.priv = PRIV_NET_ROUTE,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	}
 };

--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@ -253,7 +253,8 @@ struct prison_racct {
 #define	PR_ALLOW_RESERVED_PORTS		0x00008000
 #define	PR_ALLOW_KMEM_ACCESS		0x00010000	/* reserved, not used yet */
 #define	PR_ALLOW_NFSD			0x00020000
-#define	PR_ALLOW_ALL_STATIC		0x000387ff
+#define	PR_ALLOW_ROUTING		0x00040000
+#define	PR_ALLOW_ALL_STATIC		0x000787ff

 /*
 * PR_ALLOW_DIFFERENCES determines which flags are able to be
--- a/usr.sbin/jail/jail.8
+++ b/usr.sbin/jail/jail.8
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd September 19, 2024
+.Dd May 11, 2025
 .Dt JAIL 8
 .Os
 .Sh NAME
@ -642,6 +642,9 @@ sysctl.
 The super-user will be disabled automatically if its parent system has it
 disabled.
 The super-user is enabled by default.
+.It Va allow.routing
+Allow privileged process in the non-VNET jail to modify the system routing
+table.
 .El
 .El
 .Pp