From 7b09fb684b21bc3e3bcac21683c745d93d56788f Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Sat, 17 May 2008 18:20:33 +0000
Subject: [PATCH 1/1] Add a sysctl jail.allow_raw_sockets (default to diabled) which allows jails to use raw sockets.

Submitted-by: "Kevin L. Kane"
---
 sys/kern/kern_jail.c | 7 ++++++-
 sys/netinet/raw_ip.c | 11 +++++++++--
 sys/sys/jail.h | 3 ++-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 3addf6d90f..749820f1af 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -36,7 +36,7 @@
 
 /*
  * $FreeBSD: src/sys/kern/kern_jail.c,v 1.6.2.3 2001/08/17 01:00:26 rwatson Exp $
- * $DragonFly: src/sys/kern/kern_jail.c,v 1.18 2007/02/16 23:41:02 victor Exp $
+ * $DragonFly: src/sys/kern/kern_jail.c,v 1.19 2008/05/17 18:20:33 dillon Exp $
  */
 
 #include "opt_inet6.h"
@@ -87,6 +87,11 @@ SYSCTL_INT(_jail, OID_AUTO, chflags_allowed, CTLFLAG_RW,
     &jail_chflags_allowed, 0,
     "Process in jail can set chflags(1)");
 
+int jail_allow_raw_sockets = 0;
+SYSCTL_INT(_jail, OID_AUTO, allow_raw_sockets, CTLFLAG_RW,
+    &jail_allow_raw_sockets, 0,
+    "Process in jail can create raw sockets");
+
 int lastprid = 0;
 int prisoncount = 0;
 
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index a47bd136a8..5d7d880c71 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -32,7 +32,7 @@
  *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
  * $FreeBSD: src/sys/netinet/raw_ip.c,v 1.64.2.16 2003/08/24 08:24:38 hsu Exp $
- * $DragonFly: src/sys/netinet/raw_ip.c,v 1.27 2007/11/18 13:00:28 sephe Exp $
+ * $DragonFly: src/sys/netinet/raw_ip.c,v 1.28 2008/05/17 18:20:32 dillon Exp $
  */
 
 #include "opt_inet6.h"
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -506,11 +507,17 @@ rip_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 {
 	struct inpcb *inp;
 	int error;
+	int flag;
+
+	flag = NULL_CRED_OKAY;
+
+	if( jailed(ai->p_ucred) && jail_allow_raw_sockets )
+		flag = flag | PRISON_ROOT;
 
 	inp = so->so_pcb;
 	if (inp)
 		panic("rip_attach");
-	if ((error = suser_cred(ai->p_ucred, NULL_CRED_OKAY)) != 0)
+	if ((error = suser_cred(ai->p_ucred, flag)) != 0)
 		return error;
 
 	error = soreserve(so, rip_sendspace, rip_recvspace, ai->sb_rlimit);
diff --git a/sys/sys/jail.h b/sys/sys/jail.h
index 6c3c240459..5935900375 100644
--- a/sys/sys/jail.h
+++ b/sys/sys/jail.h
@@ -7,7 +7,7 @@
  * ----------------------------------------------------------------------------
  *
  * $FreeBSD: src/sys/sys/jail.h,v 1.8.2.2 2000/11/01 17:58:06 rwatson Exp $
- * $DragonFly: src/sys/sys/jail.h,v 1.11 2007/02/01 10:33:26 corecode Exp $
+ * $DragonFly: src/sys/sys/jail.h,v 1.12 2008/05/17 18:20:31 dillon Exp $
  *
  */
 
@@ -107,6 +107,7 @@ extern int jail_set_hostname_allowed;
 extern int jail_socket_unixiproute_only;
 extern int jail_sysvipc_allowed;
 extern int jail_chflags_allowed;
+extern int jail_allow_raw_sockets;
 
 void prison_hold(struct prison *);
 void prison_free(struct prison *);
-- 
2.41.0
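Review bot: The sysctl is consulted only here, at attach time, so clearing jail.allow_raw_sockets later does not revoke raw sockets a jail has already opened; a comment above the new `if`, such as `/* Checked at creation only: existing raw sockets survive a later sysctl change. */`, would keep the next reader from assuming otherwise. The new code also gates only who may create the socket; whether the jail's address restrictions are applied to headers a jailed process supplies on the output path is outside this hunk and should be confirmed before the knob is documented as safe to enable. Style-wise the added lines do not follow style(9): `if( jailed(ai->p_ucred) && jail_allow_raw_sockets )` should read `if (jailed(ai->p_ucred) && jail_allow_raw_sockets)`, and `flag = flag | PRISON_ROOT;` is more idiomatically `flag |= PRISON_ROOT;`, with `flag` initialised at its declaration instead of two statements later. rip_attach's body continues past the end of the hunk.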