fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.

Reported by: olivier Tested by: olivier Reviewed by: kp, glebius Differential Revision: https://reviews.freebsd.org/D38505 MFC after: 1 week
2023-02-11 15:43:23 +00:00 · 2023-02-11 15:43:23 +00:00 · 69e7d9b7e6
commit 69e7d9b7e6
parent 629d9219d9
1 changed files with 34 additions and 0 deletions
--- a/sys/net/route/route_tables.c
+++ b/sys/net/route/route_tables.c
@ -42,6 +42,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/jail.h>
+#include <sys/osd.h>
 #include <sys/proc.h>
 #include <sys/sysctl.h>
 #include <sys/syslog.h>
@ -162,6 +163,39 @@ sys_setfib(struct thread *td, struct setfib_args *uap)
 	return (error);
 }

+static int
+rtables_check_proc_fib(void *obj, void *data)
+{
+	struct prison *pr = obj;
+	struct thread *td = data;
+	int error = 0;
+
+	if (TD_TO_VNET(td) != pr->pr_vnet) {
+		/* number of fibs may be lower in a new vnet */
+		CURVNET_SET(pr->pr_vnet);
+		if (td->td_proc->p_fibnum >= V_rt_numfibs)
+			error = EINVAL;
+		CURVNET_RESTORE();
+	}
+	return (error);
+}
+
+static void
+rtables_prison_destructor(void *data)
+{
+}
+
+static void
+rtables_init(void)
+{
+	osd_method_t methods[PR_MAXMETHOD] = {
+	    [PR_METHOD_ATTACH] =	rtables_check_proc_fib,
+	};
+	osd_jail_register(rtables_prison_destructor, methods);
+}
+SYSINIT(rtables_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_THIRD, rtables_init, NULL);
+
+
 /*
 * If required, copy interface routes from existing tables to the
 * newly-created routing table.