List:       freebsd-hackers
Subject:    Re: Allow PING(8) in jails without raw socket access permissions
From:       Dewayne Geraghty <dewayne.geraghty () heuristicsystems ! com ! au>
Date:       2020-10-24 0:50:05
Message-ID: 9ffe565d-65cb-cbfa-f0dc-189ee8d7215e () heuristicsystems ! com ! au

On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
> 
> I currently have a patch in review with Jamie, who is the current jail
> maintainer, and Kyle Evans, if anyone else could comment/review this patch:
> https://reviews.freebsd.org/D26782
> 
> What has been done is the following:
> 
> Raw socket access is allowed for the ICMP protocol, as required by
> PING(8), but the option IP_HDRINCL is not allowed. To accomplish this,
> a new privilege, PRIV_NETINET_ICMP_ACCESS, has been added by default for
> jails.
> 
> 
> Bests
> 
Thanks for the heads-up, Carlos.  I have a use for allowing only ICMP
traffic, so it's beneficial.

However I do agree with BZ that it should not be enabled by default, as
it weakens the security model, enabling a broken jail to more easily
enumerate the wider network environment.
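
An administrator can check which of the three postures discussed in this thread a given jail actually has with a small probe run inside it. This is an added example, not part of the original message or of the patch under review; the names raw_posture, classify and probe_raw_posture are hypothetical, and since the thread does not say which errno a restricted kernel returns, the probe only records it. No packet is sent.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum raw_posture {
    RAW_DENIED,     /* raw ICMP socket cannot be opened at all */
    RAW_ICMP_ONLY,  /* raw ICMP socket opens, IP_HDRINCL is refused */
    RAW_FULL        /* raw ICMP socket opens and IP_HDRINCL is accepted */
};

/* Pure decision step, kept separate so it can be checked without privileges. */
enum raw_posture classify(int sock_ok, int hdrincl_ok)
{
    if (!sock_ok)
        return RAW_DENIED;
    return hdrincl_ok ? RAW_FULL : RAW_ICMP_ONLY;
}

/* Opens a raw ICMP socket, tries to enable IP_HDRINCL, then closes it. */
enum raw_posture probe_raw_posture(int *sock_errno, int *opt_errno)
{
    int on = 1, hdrincl_ok = 0;

    *sock_errno = *opt_errno = 0;
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0) {
        *sock_errno = errno;            /* recorded, not interpreted */
        return classify(0, 0);
    }
    if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) == 0)
        hdrincl_ok = 1;                 /* caller may supply its own IP header */
    else
        *opt_errno = errno;
    close(s);
    return classify(1, hdrincl_ok);
}

int main(void)
{
    static const char *names[] = { "RAW_DENIED", "RAW_ICMP_ONLY", "RAW_FULL" };
    int se, oe;
    enum raw_posture p = probe_raw_posture(&se, &oe);

    printf("%s (socket: %s, IP_HDRINCL: %s)\n", names[p],
           se ? strerror(se) : "ok", se ? "n/a" : oe ? strerror(oe) : "ok");
    return p == RAW_FULL;               /* non-zero exit flags the widest posture */
}
```

RAW_ICMP_ONLY is the result the description quoted above implies for a jail holding the new privilege; RAW_FULL from inside a jail means raw sockets are unrestricted there.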
