
List:       freebsd-hackers
Subject:    Re: jail && (ping && traceroute)
From:       Pawel Jakub Dawidek <nick () garage ! freebsd ! pl>
Date:       2003-05-31 7:44:08


On Fri, May 30, 2003 at 05:35:42PM +0300, Alexandr Kovalenko wrote:
+> I have 2 questions:
+> 
+>  - where in the code should I search for the ICMP socket binding prohibition in
+>    jail?
+>  - what bad consequences will appear if I remove those checks and
+>    the prohibition?

It is nasty to allow all jailed processes to open RAW sockets.
You can use CerbNG to allow only selected jailed processes to open RAW sockets.
General policy is here:

	http://cerber.sourceforge.net/policies/jailed-icmp.cb

but you can easily rewrite it to allow only selected processes to do this.

Project's page is here:

	http://cerber.sourceforge.net

And the rest of the policies:

	http://cerber.sourceforge.net/policies/

CerbNG works only on 4-STABLE systems for now, and a 1.0-RC2 version will
be out soon, but I've started porting it to -CURRENT.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

