Date: Fri, 30 Jun 2023 00:48:18 +0530
From: Shivank Garg <shivank@freebsd.org>
To: Alexander Chernikov <melifaro@freebsd.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
Message-ID: <CAOVCmzEQY0tXfN01qVdT38g3NDB4O-Ym35fdf0RzcKRiSc+MgQ@mail.gmail.com>
In-Reply-To: <C63F59DD-9805-4C37-BC7A-C36DA32FDBE2@FreeBSD.org>
References: <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com>
 <93d61b80-95cb-4b3e-84dc-1d8b655e66f7@app.fastmail.com>
 <ab27fc86-e339-420c-8cfa-05c53a3bf4f9@app.fastmail.com>
 <CAOVCmzFt6NQQzyoHnXeEOagKgn9n_JOex7vs4xOFDZ497qtfKQ@mail.gmail.com>
 <810c6bd0-261b-4129-bf40-e390be0e8278@app.fastmail.com>
 <C63F59DD-9805-4C37-BC7A-C36DA32FDBE2@FreeBSD.org>
Thank you Alex. :)
I checked with this patch. My changes are working with it.

Best Regards,
Shivank

On Thu, 29 Jun 2023 at 12:35, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> On 28 Jun 2023, at 22:59, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> On Wed, 28 Jun 2023, at 6:30 AM, Shivank Garg wrote:
>
> Hi Alexander,
>
> Thanks for replying.
> I think it would mean struct prison info is lost when it reaches ioctl code. Is there some way we can get the jail id?
>
> Yes, you should add the hook to the netlink handler.
>
> Another question I have: prison_check_ip4 still relies on checking struct prison for flags and ip addr.
> https://github.com/freebsd/freebsd-src/blob/6927176113ee775983952edb3c201fed6be318d3/sys/netinet/in_jail.c#L319
> How do we handle these cases?
>
> I'll take a look on the weekend. It may indeed be a problem with nested jails.
>
> I looked at the code and after some experiments decided to go with the simplest approach: https://reviews.freebsd.org/D40793
> Netlink now passes proper ucred to the ioctl handler, so your code should be able to work out-of-the-box after this lands.
>
> It used to work for VNET jails inet calls sometime back when I wrote mac_ipacl: https://reviews.freebsd.org/D20967
> - MAC policy to limit jail privilege to set its IP address. We were planning to merge this code in 14.0. Is there something we can do regarding it?
>
> Yep, sure! I'll try to further decouple the ioctl handler and the actual address modification code so the ioctl hook won't get called in the netlink handler.
>
> Thanks,
> Shivank
>
> On Wed, 28 Jun 2023 at 04:05, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote:
>
> On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:
>
> Hi,
>
> I want to check credentials of the thread setting the IP address with the SIOCAIFADDR ioctl.
> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on the ip address.
>
> My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.
>
> If you're using -head, it's a bit more complicated. ifconfig(8) uses rtnetlink(4) interfaces to communicate with the kernel. Privilege check is done in Netlink:
> https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472 .
> After that, (as of now) netlink calls ioctl code from its own kernel thread, which may be the reason for the behavior you're observing.
>
> Apparently the previous message was not delivered everywhere.
>
> However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:
>
> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp,
>                 return (EADDRNOTAVAIL);
>         struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
> -
> +       printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));
>
> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up
>
> Dmesg logs:
> *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*
>
> Cred value indicates host and jail is 0, but the PR_VNET flag is set.
>
> Is this behavior expected, or is something going wrong? What's the next debug step?
>
> I greatly appreciate your help!
>
> Thanks,
> Shivank
>
> /Alexander
>
> /Alexander
>
> /Alexander
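Review bot: the added printf in in_control() dereferences cred->cr_prison and hands cred to jailed() and prison_owns_vnet() unconditionally, while the context line directly above it, `struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;`, allows cred to be NULL when td is NULL; a call through that path would fault in the debug line. Guard it, for example `if (cred != NULL) printf(...)`, or print a sentinel for the NULL case. Note also that everything the line prints is derived from td, the thread executing in_control(), so the output describes whoever is running the handler rather than whoever issued the ioctl, which is worth keeping in mind when reading "jid 0" from a jexec'd ifconfig.

The credential mix-up the thread is chasing, a request issued by a jailed process that ends up checked against the credential of the kernel thread executing in_control(), can be reproduced in miniature in userspace. The following is an added example, not code from the thread, from the patches it links, or from FreeBSD itself; struct prison, struct ucred, struct thread, jailed() and prison0 are simplified stand-ins that reuse the FreeBSD names for readability, the check_ip4_for_cred() routine is a hypothetical stand-in for the address check being discussed, and the jail id, the allowed address list and the requested addresses are constructed sample data:

```c
/*
 * Added illustration (not FreeBSD code): a userspace model of why an
 * address-configuration check sees the wrong credential when the request
 * is serviced by a helper thread and the handler reads td->td_ucred.
 * Structures and helpers below are simplified stand-ins for the FreeBSD
 * identifiers of the same name, not the kernel's definitions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_JAIL_IP4 4

struct prison {
    int      pr_id;                  /* jail id; 0 is the host (prison0) */
    uint32_t pr_ip4[MAX_JAIL_IP4];   /* IPv4 addresses the jail may own, host byte order */
    int      pr_ip4s;                /* entries used in pr_ip4 */
};

struct ucred {
    struct prison *cr_prison;        /* the jail this credential belongs to */
};

struct thread {
    struct ucred *td_ucred;          /* credential of the thread itself */
};

static struct prison prison0 = { .pr_id = 0, .pr_ip4s = 0 };

/* Pack a dotted quad into a host-order uint32_t (used for constructed sample input). */
static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Model of jailed(): any credential whose prison is not prison0 is jailed. */
static int jailed(const struct ucred *cred)
{
    return cred->cr_prison != &prison0;
}

/*
 * Hypothetical model of the check wanted in the SIOCAIFADDR path: the host
 * may configure any address; a jailed caller may only configure an address
 * its prison has been allowed to own. Returns 0 or an errno value.
 */
static int check_ip4_for_cred(const struct ucred *cred, uint32_t addr)
{
    if (cred == NULL)
        return EINVAL;               /* the debug printf in the thread lacks this guard */
    if (!jailed(cred))
        return 0;
    const struct prison *pr = cred->cr_prison;
    for (int i = 0; i < pr->pr_ip4s; i++)
        if (pr->pr_ip4[i] == addr)
            return 0;
    return EADDRNOTAVAIL;
}

/*
 * Broken dispatch: the handler derives the credential from the thread it
 * runs on. The worker belongs to the host, so the requester's jail is never
 * consulted; this is the "jailed? 0 jid 0" symptom from the thread.
 */
static int set_addr_via_worker_broken(const struct thread *requester,
                                      const struct thread *worker, uint32_t addr)
{
    (void)requester;                 /* requester identity is lost here */
    return check_ip4_for_cred(worker->td_ucred, addr);
}

/*
 * Fixed dispatch: the requester's credential travels with the request and is
 * the one checked, whichever thread executes the handler.
 */
static int set_addr_via_worker_fixed(const struct thread *requester,
                                     const struct thread *worker, uint32_t addr)
{
    (void)worker;                    /* the worker's own identity is irrelevant */
    return check_ip4_for_cred(requester->td_ucred, addr);
}

/* Constructed scenario: jail 1 may own 169.254.123.101; a host-credentialed worker services requests. */
static int run_scenario(int fixed_path, int foreign_addr)
{
    struct prison jail1 = { .pr_id = 1, .pr_ip4s = 1 };
    jail1.pr_ip4[0] = ip4(169, 254, 123, 101);
    struct ucred hostcred = { .cr_prison = &prison0 };
    struct ucred jailcred = { .cr_prison = &jail1 };
    struct thread jail_proc = { .td_ucred = &jailcred };
    struct thread worker = { .td_ucred = &hostcred };
    uint32_t addr = foreign_addr ? ip4(10, 0, 0, 1) : ip4(169, 254, 123, 101);

    return fixed_path ? set_addr_via_worker_fixed(&jail_proc, &worker, addr)
                      : set_addr_via_worker_broken(&jail_proc, &worker, addr);
}

int main(void)
{
    printf("allowed addr: broken=%d fixed=%d\n", run_scenario(0, 0), run_scenario(1, 0));
    printf("foreign addr: broken=%d fixed=%d (EADDRNOTAVAIL=%d)\n",
           run_scenario(0, 1), run_scenario(1, 1), EADDRNOTAVAIL);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it. The broken dispatch returns 0 for 10.0.0.1 requested from the jail, because the only credential it ever looks at is the host worker's; the fixed dispatch returns EADDRNOTAVAIL. The thread describes D40793 as making Netlink pass the proper ucred to the ioctl handler; the model's fixed path stands for that idea only and is not that patch.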
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOVCmzEQY0tXfN01qVdT38g3NDB4O-Ym35fdf0RzcKRiSc%2BMgQ>