o Modify jail to limit creation of sockets to UNIX domain sockets,

TCP/IP (v4) sockets, and routing sockets.  Previously, interaction
  with IPv6 was not well-defined, and might be inappropriate for some
  environments.  Similarly, sysctl MIB entries providing interface
  information also give out only addresses from those protocol domains.

  For the time being, this functionality is enabled by default, and
  toggleable using the sysctl variable jail.socket_unixiproute_only.
  In the future, protocol domains will be able to determine whether or
  not they are ``jail aware''.

o Further limitations on process use of getpriority() and setpriority()
  by jailed processes.  Addresses problem described in kern/17878.

Reviewed by:	phk, jmg

sys/kern/kern_jail.c

@@ -34,6 +34,11 @@ SYSCTL_INT(_jail, OID_AUTO, set_hostname_allowed, CTLFLAG_RW,
     &jail_set_hostname_allowed, 0,
     "Processes in jail can set their hostnames");
 
+int	jail_socket_unixiproute_only = 1;
+SYSCTL_INT(_jail, OID_AUTO, socket_unixiproute_only, CTLFLAG_RW,
+    &jail_socket_unixiproute_only, 0,
+    "Processes in jail are limited to creating UNIX/IPv4/route sockets only");
+
 int
 jail(p, uap)
         struct proc *p;
@@ -126,7 +131,9 @@ prison_if(struct proc *p, struct sockaddr *sa)
 	struct sockaddr_in *sai = (struct sockaddr_in*) sa;
 	int ok;
 
-	if (sai->sin_family != AF_INET)
+	if ((sai->sin_family != AF_INET) && jail_socket_unixiproute_only)
+		ok = 1;
+	else if (sai->sin_family != AF_INET)
 		ok = 0;
 	else if (p->p_prison->pr_ip != ntohl(sai->sin_addr.s_addr))
 		ok = 1;

sys/kern/kern_resource.c

@@ -88,6 +88,8 @@ getpriority(curp, uap)
 			p = pfind(uap->who);
 		if (p == 0)
 			break;
+		if (!PRISON_CHECK(curp, p))
+			break;
 		low = p->p_nice;
 		break;
 
@@ -99,7 +101,7 @@ getpriority(curp, uap)
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
-			if (p->p_nice < low)
+			if ((PRISON_CHECK(curp, p) && p->p_nice < low))
 				low = p->p_nice;
 		}
 		break;
@@ -109,7 +111,8 @@ getpriority(curp, uap)
 		if (uap->who == 0)
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
-			if (p->p_ucred->cr_uid == uap->who &&
+			if (PRISON_CHECK(curp, p) &&
+			    p->p_ucred->cr_uid == uap->who &&
 			    p->p_nice < low)
 				low = p->p_nice;
 		break;
@@ -148,6 +151,8 @@ setpriority(curp, uap)
 			p = pfind(uap->who);
 		if (p == 0)
 			break;
+		if (!PRISON_CHECK(curp, p))
+			break;
 		error = donice(curp, p, uap->prio);
 		found++;
 		break;
@@ -160,8 +165,10 @@ setpriority(curp, uap)
 		else if ((pg = pgfind(uap->who)) == NULL)
 			break;
 		LIST_FOREACH(p, &pg->pg_members, p_pglist) {
-			error = donice(curp, p, uap->prio);
-			found++;
+			if (PRISON_CHECK(curp, p)) {
+				error = donice(curp, p, uap->prio);
+				found++;
+			}
 		}
 		break;
 	}
@@ -170,7 +177,8 @@ setpriority(curp, uap)
 		if (uap->who == 0)
 			uap->who = curp->p_ucred->cr_uid;
 		LIST_FOREACH(p, &allproc, p_list)
-			if (p->p_ucred->cr_uid == uap->who) {
+			if (p->p_ucred->cr_uid == uap->who &&
+			    PRISON_CHECK(curp, p)) {
 				error = donice(curp, p, uap->prio);
 				found++;
 			}

sys/kern/uipc_socket.c

@@ -53,6 +53,7 @@
 #include <sys/signalvar.h>
 #include <sys/sysctl.h>
 #include <sys/uio.h>
+#include <sys/jail.h>
 #include <vm/vm_zone.h>
 
 #include <machine/limits.h>
@@ -133,6 +134,14 @@ socreate(dom, aso, type, proto, p)
 		prp = pffindproto(dom, proto, type);
 	else
 		prp = pffindtype(dom, type);
+
+	if (p->p_prison && jail_socket_unixiproute_only &&
+	    prp->pr_domain->dom_family != PF_LOCAL &&
+	    prp->pr_domain->dom_family != PF_INET &&
+	    prp->pr_domain->dom_family != PF_ROUTE) {
+		return (EPROTONOSUPPORT);
+	}
+
 	if (prp == 0 || prp->pr_usrreqs->pru_attach == 0)
 		return (EPROTONOSUPPORT);
 	if (prp->pr_type != type)

sys/sys/jail.h

@@ -47,6 +47,7 @@ struct prison {
  * Sysctl-set variables that determine global jail policy
  */
 extern int	jail_set_hostname_allowed;
+extern int	jail_socket_unixiproute_only;
 
 #endif /* !_KERNEL */
 #endif /* !_SYS_JAIL_H_ */