Restrict arp, ndp and theoretically the FIB listing (if not

read with libkvm) to the addresses of a prison, when inside a
jail. [1]
As the patch from the PR was pre-'new-arp', add checks to the
llt_dump handlers as well.

While touching RTM_GET in route_output(), consistently use
curthread credentials rather than the creds from the socket
there. [2]

PR:		kern/68189
Submitted by:	Mark Delany <sxcg2-fuwxj@qmda.emu.st> [1]
Discussed with:	rwatson [2]
Reviewed by:	rwatson
MFC after:	4 weeks

1 files changed, 12 insertions, 2 deletions

diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 3575c943dd99..76953f47eb9e 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -611,6 +611,12 @@ route_output(struct mbuf *m, struct socket *so)
 		case RTM_GET:
 		report:
 			RT_LOCK_ASSERT(rt);
+			if (jailed(curthread->td_ucred) &&
+			    ((rt->rt_flags & RTF_HOST) == 0 ||
+			    !prison_if(curthread->td_ucred, rt_key(rt)))) {
+				RT_UNLOCK(rt);
+				senderr(ESRCH);
+			}
 			info.rti_info[RTAX_DST] = rt_key(rt);
 			info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
 			info.rti_info[RTAX_NETMASK] = rt_mask(rt);
@@ -620,10 +626,10 @@ route_output(struct mbuf *m, struct socket *so)
 				if (ifp) {
 					info.rti_info[RTAX_IFP] =
 					    ifp->if_addr->ifa_addr;
-					if (jailed(so->so_cred)) {
+					if (jailed(curthread->td_ucred)) {
 						error = rtm_get_jailed(
 						    &info, ifp, rt, &saun,
-						    so->so_cred);
+						    curthread->td_ucred);
 						if (error != 0) {
 							RT_UNLOCK(rt);
 							senderr(ESRCH);
@@ -1256,6 +1262,10 @@ sysctl_dumpentry(struct radix_node *rn, void *vw)
 
 	if (w->w_op == NET_RT_FLAGS && !(rt->rt_flags & w->w_arg))
 		return 0;
+	if (jailed(w->w_req->td->td_ucred) &&
+	    ((rt->rt_flags & RTF_HOST) == 0 ||
+	    !prison_if(w->w_req->td->td_ucred, rt_key(rt))))
+		return (0);
 	bzero((caddr_t)&info, sizeof(info));
 	info.rti_info[RTAX_DST] = rt_key(rt);
 	info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;