Re: [patch] Raw sockets in jails
In message <20040420015638.A84821@staff.seccuris.com>, "Christian S.J. Peron" w
rites:
>
> Although RAW sockets can be used when specifying the source
> address of packets (defeating one of the aspects of the jail)
> some people may find it usefull to use utilities like ping(8)
> or traceroute(8) from inside jails.
>
> Enclosed is a patch I have written which gives you the option
> of allowing prison-root to create raw sockets inside the prison,
> so that programs various network debugging programs like ping
> and traceroute etc can be used.
>
> This patch will create the security.jail.allow_raw_sockets sysctl
> MIB. I would appriciate any feed-back from testers
>
> See PR #:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=65800
Could you take a peek and see how hard it would be to enforce source-IP
compliance with the jail restriction ?
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 7 篇):