authorAlexander V. Chernikov <melifaro@FreeBSD.org>2023-02-11 15:43:23 +0000
committerAlexander V. Chernikov <melifaro@FreeBSD.org>2023-02-20 14:33:28 +0000
commited363bbc624e3a69da1867e86f979b30668a0934 (patch)
tree7ed4383ef1e4d0359cf0338fc3b9df1cee511716
parent72467b39f1db794f2ac54ac9baa1de3166507c6b (diff)
fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.
Reported by: olivier Tested by: olivier Reviewed by: kp, glebius Differential Revision: https://reviews.freebsd.org/D38505 MFC after: 1 week (cherry picked from commit 69e7d9b7e6b369b760e1f189af2e25587b56a102)
-rw-r--r--sys/net/route/route_tables.c34
1 files changed, 34 insertions, 0 deletions
diff --git a/sys/net/route/route_tables.c b/sys/net/route/route_tables.c
index 65829676d76f..406bedc4c769 100644
--- a/sys/net/route/route_tables.c
+++ b/sys/net/route/route_tables.c
@@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
#include <sys/systm.h>
#include <sys/malloc.h>
#include <sys/jail.h>
+#include <sys/osd.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
@@ -162,6 +163,39 @@ sys_setfib(struct thread *td, struct setfib_args *uap)
return (error);
}
+static int
+rtables_check_proc_fib(void *obj, void *data)
+{
+ struct prison *pr = obj;
+ struct thread *td = data;
+ int error = 0;
+
+ if (TD_TO_VNET(td) != pr->pr_vnet) {
+ /* number of fibs may be lower in a new vnet */
+ CURVNET_SET(pr->pr_vnet);
+ if (td->td_proc->p_fibnum >= V_rt_numfibs)
+ error = EINVAL;
+ CURVNET_RESTORE();
+ }
+ return (error);
+}
+
+static void
+rtables_prison_destructor(void *data)
+{
+}
+
+static void
+rtables_init(void)
+{
+ osd_method_t methods[PR_MAXMETHOD] = {
+ [PR_METHOD_ATTACH] = rtables_check_proc_fib,
+ };
+ osd_jail_register(rtables_prison_destructor, methods);
+}
+SYSINIT(rtables_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, rtables_init, NULL);
+
+
/*
* If required, copy interface routes from existing tables to the
* newly-created routing table.