netlink: allow netlink sockets in non-vnet jails.
This change allows opening Netlink sockets in non-vnet jails, even for
unprivileged processes.
The security model largely follows the existing one. To be more specific:
- by default, every NETLINK_ROUTE command is NOT allowed in a non-VNET jail UNLESS the RTNL_F_ALLOW_NONVNET_JAIL flag is specified in the command handler.
- All notifications are disabled for non-vnet jails (requests to subscribe to notifications are ignored). This will change to a more fine-grained model once the first netlink provider requiring this gets committed.
- Listing interfaces (RTM_GETLINK) is allowed w/o limits (including interfaces w/o any addresses attached to the jail). The value of this is questionable, but it follows the existing approach.
- Listing ARP/NDP neighbours is forbidden. This is a change from the current approach - currently we list static ARP/ND entries belonging to the addresses attached to the jail.
- Listing interface addresses is allowed, but the addresses are filtered to match only ones attached to the jail.
- Listing routes is allowed, but the routes are filtered to provide only host routes matching the addresses attached to the jail.
- By default, every NETLINK_GENERIC command is allowed in a non-VNET jail (as sub-families may be unrelated to networking at all). It is the goal of the family author to implement the restriction if necessary.
Differential Revision: https://reviews.freebsd.org/D39206
MFC after: 1 month