author | Bjoern A. Zeeb <bz@FreeBSD.org> | 2011-03-02 21:39:08 +0000 |
---|---|---|
committer | Bjoern A. Zeeb <bz@FreeBSD.org> | 2011-03-02 21:39:08 +0000 |
commit | e3416ab0c06b3efe5cd1c651387984da69acc294 (patch) | |
tree | 30a6d1098a34879754cd4af6e0ce4afe1edb786b /sys/net/if_gif.c | |
parent | 66f01f2e791b21687fec91f1724d1a6535479e70 (diff) | |
Hide the outer IP addresses of tunnel interfaces (gif(4), gre(4))
from processes inside jails if the addresses do not belong to the jail.
Originally reported by: Pieter de Boer via remko
PR: kern/151119
Tested by: Piotr KUCHARSKI (nospam 42.pl) [gif]
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=219206
Diffstat (limited to 'sys/net/if_gif.c')
-rw-r--r-- | sys/net/if_gif.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index 76838396bc44..4a8df34b811f 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -35,6 +35,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
@@ -817,6 +818,12 @@ gif_ioctl(ifp, cmd, data)
 }
 if (src->sa_len > size)
 return EINVAL;
+ error = prison_if(curthread->td_ucred, src);
+ if (error != 0)
+ return (error);
+ error = prison_if(curthread->td_ucred, dst);
+ if (error != 0)
+ return (error);
 bcopy((caddr_t)src, (caddr_t)dst, src->sa_len);
 #ifdef INET6
 if (dst->sa_family == AF_INET6) { |
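Review bot: The second added check, `prison_if(curthread->td_ucred, dst)`, runs before the `bcopy()` that fills `dst`, so it tests whatever the destination buffer held on entry rather than a tunnel address. If `dst` points into the caller's ioctl request (its assignment is outside the hunk, as is the rest of gif_ioctl), the outcome depends on caller-supplied bytes and can pass or fail for reasons unrelated to the address being returned. The `src` check already covers the address that is copied out; I would drop the `dst` check here, or, if both endpoints must belong to the jail, pass the interface's stored destination address instead of the output buffer. A short comment such as `/* do not reveal tunnel endpoints outside the caller's jail */` above the check would also record why this ioctl can now fail.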