From owner-freebsd-jail@freebsd.org Wed Aug 21 17:14:36 2019 Return-Path: Delivered-To: freebsd-jail@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 60765CE895; Wed, 21 Aug 2019 17:14:36 +0000 (UTC) (envelope-from shivankgarg98@gmail.com) Received: from mail-ed1-f68.google.com (mail-ed1-f68.google.com [209.85.208.68]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46DDmW1NWRz4F28; Wed, 21 Aug 2019 17:14:34 +0000 (UTC) (envelope-from shivankgarg98@gmail.com) Received: by mail-ed1-f68.google.com with SMTP id z51so3756735edz.13; Wed, 21 Aug 2019 10:14:34 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=5DytjjhbIngv/VSn0G4tbBSoOT5HLY+UGUMDExp7FIY=; b=R04MUQ1UoMflpwhjOFKIwZmyhrH7praFeoRwV3TCjEm7CRL5ICZntGIqqOpWHYOOID hJJMrDpKpvyemIMVhUSU7erOqlfeXJ1PClIQKplkSMEYSfZe+HlNqaPxBA0jWCWg5RCF +2wQ6fxkYV5Ay/swCPRjUxRTUu2cLKGSvOkr2xZDlXEmfvKMkROEaICe1roLwV00tAn5 YxxNe0z0xdP88yeR5A4bKqJlla+M2VMKHSOV7NVsbctJkzYsFYbHDf3II5qXCN2JK0c4 BJJ+pZDy61BjnhD3Nc9VJzzyC0hojaQlQqhyo8JkIitsTdAtYenSB66GzQvYPpdbSHz3 8Yxg== X-Gm-Message-State: APjAAAXbpXm/Rt8yl/j708CdfGmfMPQDmG7MiTcKx3c2pywGY2bQwluc An5Q+CADUqUBE91bjUQ56gHtap2I3GfkrQ== X-Google-Smtp-Source: APXvYqxLjSJ3k6MXPF2SnNhTV/DjXetvm+SlCIXIWmlFyhKw+QqdqvCdb/lFlncU2qpU1kE7G3v0og== X-Received: by 2002:a05:6402:1346:: with SMTP id y6mr37743575edw.27.1566407672286; Wed, 21 Aug 2019 10:14:32 -0700 (PDT) Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com. [209.85.208.52]) by smtp.gmail.com with ESMTPSA id c14sm4259617edb.5.2019.08.21.10.14.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 21 Aug 2019 10:14:32 -0700 (PDT) Received: by mail-ed1-f52.google.com with SMTP id f22so3819461edt.4; Wed, 21 Aug 2019 10:14:31 -0700 (PDT) X-Received: by 2002:a17:906:759:: with SMTP id z25mr31498271ejb.72.1566407671545; Wed, 21 Aug 2019 10:14:31 -0700 (PDT) MIME-Version: 1.0 From: Shivank Garg Date: Wed, 21 Aug 2019 22:43:45 +0530 X-Gmail-Original-Message-ID: Message-ID: Subject: MAC Policy on IP addresses in Jails To: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org, trustedbsd-discuss@freebsd.org, "Bjoern A. Zeeb" , soc-status@freebsd.org X-Rspamd-Queue-Id: 46DDmW1NWRz4F28 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of shivankgarg98@gmail.com designates 209.85.208.68 as permitted sender) smtp.mailfrom=shivankgarg98@gmail.com X-Spamd-Result: default: False [-5.10 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCVD_TLS_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:209.85.128.0/17]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; DMARC_NA(0.00)[freebsd.org]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; RCPT_COUNT_FIVE(0.00)[5]; RCVD_COUNT_THREE(0.00)[4]; IP_SCORE(-2.12)[ip: (-4.84), ipnet: 209.85.128.0/17(-3.36), asn: 15169(-2.35), country: US(-0.05)]; NEURAL_HAM_SHORT(-0.99)[-0.985,0]; RCVD_IN_DNSWL_NONE(0.00)[68.208.85.209.list.dnswl.org : 127.0.5.0]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FORGED_SENDER(0.30)[shivank@freebsd.org,shivankgarg98@gmail.com]; MIME_TRACE(0.00)[0:+,1:+,2:~]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]; FROM_NEQ_ENVFROM(0.00)[shivank@freebsd.org,shivankgarg98@gmail.com] Content-Type: text/plain; charset="UTF-8" X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Aug 2019 17:14:36 -0000 Hi Everyone, I am a fourth-year undergraduate student in Department of EE at IIT Kanpur, India. I am an open-source enthusiast and interested in Operating Systems, Computer Networks, and system security. As a part of Google Summer of Code'19, I wrote a loadable kernel MAC module with the TrustedBSD MAC framework to limit the set of IP addresses for a VNET-enabled Jail to choose from. I was mentored by Bjoern A. Zeeb (bz@FreeBSD.org). *About the project:* With the introduction of VNET(9) in FreeBSD, Jails are free to set their IP addresses. However, this privilege may need to be limited by the host as per its need for multiple security reasons. This project uses mac(9) for an access control framework to impose restrictions on FreeBSD jails according to rules defined by the root of the host using sysctl(8). It involves the development of a dynamically loadable kernel module (mac_ipacl) based on The TrustedBSD MAC Framework to implement a security policy for configuring the network stack. This project allows the root of the host to define the policy rules to limit a jail to a set of IP (v4 or v6) addresses and/or subnets for a set of interfaces. Features this new MAC policy module are: - Host can define the list(multiple lists) of IP addresses/subnets for the jail to choose from. - Host can restrict the jail from setting the certain IP addresses or prefixes(subnets). - Host can restrict this privilege to a few networks interfaces. *How to use the module:* I have also wrote a man page for the module. Please refer to the mac_ipacl(4) for using the new MAC module and examples on it. *Test Plan:* Test Scripts integrated with kyua and ATF are included with the module. *Review Link:* This module has been reviewed and revision has been accepted and is ready to land. To check the review: https://reviews.freebsd.org/D20967 *Download Patch/Raw diff from here: * https://reviews.freebsd.org/file/data/udbhpp4gvffsqbqkkekc/PHID-FILE-wun5bhf4qlx6677fdd73/D20967.diff *Wiki and other links:* Please refer to wiki page from more detailed description of the project: *Project FreeBSD Wikipage*: https://wiki.freebsd.org/SummerOfCode2019Projects/MACPolicyIPAddressJail GitHub: https://github.com/shivankgarg98/freebsd/tree/shivank_MACPolicyIPAddressJail/sys/security/mac_ipacl I'll be be very thankful if you can give this module a try and share your valuable experience about it. Please be free to share your ideas and feedback on this module. Regards, Shivank Garg