From: Shivank Garg
Date: Fri, 30 Jun 2023 00:48:18 +0530
Subject: Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
To: Alexander Chernikov
Cc: freebsd-jail@freebsd.org

Thank you Alex. :)
I checked with this patch. My changes are working with it.

Best Regards,
Shivank

On Thu, 29 Jun 2023 at 12:35, Alexander Chernikov wrote:
>
>
> On 28 Jun 2023, at 22:59, Alexander Chernikov wrote:
>
>
> On Wed, 28 Jun 2023, at 6:30 AM, Shivank Garg wrote:
>
> Hi Alexander,
>
> Thanks for replying.
> I think it would mean struct prison info is lost, when it reaches ioctl
> code, Is there some way we can get jail id?
>
> Yes, you should add the hook to the netlink handler.
>
>
> Another question I have: prison_check_ip4 still relies on checking struct
> prison for flags and ip addr.
>
> https://github.com/freebsd/freebsd-src/blob/6927176113ee775983952edb3c201fed6be318d3/sys/netinet/in_jail.c#L319
> How do we handle these cases?
>
> I'll take a look on the weekend. It may indeed be a problem with nested
> jails.
>
> I looked at the code and after some experiments decided to go with the
> simplest approach: https://reviews.freebsd.org/D40793
> Netlink now passes proper ucred to the ioctl handler, so your code should
> be able to work out-of-the-box after this lands.
>
>
> It used to work for VNET jails inet calls sometime back when I wrote
> mac_ipacl: https://reviews.freebsd.org/D20967
> - MAC policy to limit jail privilege to set its IP address. We were
> planning to merge this code in 14.0. Is there something we can
> do regarding it?
>
> Yep, sure! I'll try to further decouple ioctl handler and the actual
> address modification code so the ioctl hook won't get called in the
> netlink handler.
>
> Thanks,
> Shivank
>
> On Wed, 28 Jun 2023 at 04:05, Alexander Chernikov wrote:
>
>
>
> On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote:
>
>
> On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:
>
> Hi,
>
> I want to check credentials of the thread setting the IP address
> with SIOCAIFADDR ioctl.
> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks
> on ip address.
>
> My expectation was that (cred->cr_prison != &prison0) for an ifconfig
> call made by the jail.
>
> If you're using -head, it's a bit more complicated. ifconfig(8) uses
> rtnetlink(4) interfaces to communicate with the kernel. Privilege check is
> done in Netlink:
> https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472 .
> After that, (as of now) netlink calls ioctl code from its own kernel
> thread, which may be the reason of the behavior you're observing.
>
> Apparently the previous message was not delivered everywhere.
>
> However, it is showing me some weird behavior. Here are the logs for a
> tweaked kernel:
>
> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data,
> struct ifnet *ifp,
> return (EADDRNOTAVAIL);
> struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
> -
> + printf("in_control jailed? %d jid %d prison_owns_vnet?
> %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));
>
> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up
>
> Dmesg logs:
> *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*
>
> Cred value indicates host and jail is 0 but the PR_VNET flag is set.
>
> Is this behavior expected? or something going wrong - what's the next
> debug step?
>
> I greatly appreciate your help!
>
> Thanks,
> Shivank
>
>
> /Alexander
>
>
> /Alexander
>
>
> /Alexander
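Review bot: the added printf in the in_control hunk dereferences cred (cred->cr_prison->pr_id, and cred is also handed to jailed() and prison_owns_vnet()) on the line directly after cred is computed as `(td != NULL) ? td->td_ucred : NULL`, so the td == NULL path now panics on a NULL pointer dereference; guard the debug line with `if (cred != NULL)` or skip it when td is NULL. The line also only reports the credential of whichever thread happens to be executing in_control, and as the reply in this thread explains, on -head that is netlink's own kernel thread rather than the jailed ifconfig(8) process, so "jailed? 0 jid 0" is the expected output at this point and does not by itself show where the jail's credential was dropped.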
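The thread above comes down to one design point: a permission check that consults the credential of the thread currently executing the handler gives the wrong answer as soon as the request is handed off to a kernel worker thread, and the fix in D40793 is to carry the originating request's ucred through to the handler. The following is an added example, not code from this thread, from FreeBSD or from D40793: a user-space C model of that failure mode and of the corrected handler shape. Every type and function in it (prison_model, ucred_model, thread_model, check_ip4_model, add_addr_thread_cred, add_addr_request_cred, PR_VNET_MODEL) is a constructed stand-in for the kernel's struct prison, struct ucred, struct thread, prison_check_ip4() and PR_VNET, and the address-allow rule is a simplification, not the kernel's actual policy.

```c
/*
 * Added example: a user-space model of the credential-passing problem
 * discussed in the thread. None of these types or functions are FreeBSD's;
 * they are stand-ins (assumption) with only the fields the model needs.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>

#define MAX_JAIL_IP4   4
#define PR_VNET_MODEL  0x01   /* stand-in for PR_VNET: prison owns its own network stack */

struct prison_model {
	int      pr_id;                 /* 0 is the host, the stand-in for prison0 */
	unsigned pr_flags;
	uint32_t pr_ip4[MAX_JAIL_IP4];  /* addresses the jail may use, host byte order */
	int      pr_ip4s;
};

struct ucred_model  { struct prison_model *cr_prison; };
struct thread_model { struct ucred_model  *td_ucred;  };

static struct prison_model prison0_model = { .pr_id = 0, .pr_flags = PR_VNET_MODEL, .pr_ip4s = 0 };

static int
jailed_model(const struct ucred_model *cred)
{
	return (cred->cr_prison != &prison0_model);
}

/*
 * Model of the address check (simplified policy, not the kernel's): an
 * unjailed credential or a jail owning its VNET may use any address; any
 * other jail is limited to its allowed list. A NULL credential is refused
 * instead of dereferenced, which is the guard the debug printf in the
 * thread lacked.
 */
static int
check_ip4_model(const struct ucred_model *cred, uint32_t ia)
{
	const struct prison_model *pr;

	if (cred == NULL)
		return (EINVAL);
	pr = cred->cr_prison;
	if (!jailed_model(cred) || (pr->pr_flags & PR_VNET_MODEL) != 0)
		return (0);
	for (int i = 0; i < pr->pr_ip4s; i++)
		if (pr->pr_ip4[i] == ia)
			return (0);
	return (EADDRNOTAVAIL);
}

/* Handler shape that trusts whichever thread is executing it. */
static int
add_addr_thread_cred(const struct thread_model *td, uint32_t ia)
{
	const struct ucred_model *cred = (td != NULL) ? td->td_ucred : NULL;
	return (check_ip4_model(cred, ia));
}

/* Handler shape where the originating request's credential is passed in. */
static int
add_addr_request_cred(const struct ucred_model *req_cred, uint32_t ia)
{
	return (check_ip4_model(req_cred, ia));
}

static uint32_t
ip4_model(const char *dotted)
{
	struct in_addr a;

	if (inet_pton(AF_INET, dotted, &a) != 1)
		return (0);
	return (ntohl(a.s_addr));
}

struct scenario_result {
	int direct;               /* request checked on the jail's own thread */
	int worker_thread_cred;   /* handed to a host-credential worker, thread cred consulted */
	int worker_request_cred;  /* same hand-off, request cred carried along */
};

/*
 * Constructed scenario: jail 1 (no VNET, allowed only 10.0.0.5) asks for
 * 169.254.123.101, the address from the thread's jexec example. The worker
 * thread stands in for netlink's kernel thread, which runs with host
 * credentials.
 */
struct scenario_result
run_scenario(void)
{
	struct prison_model jail1 = { .pr_id = 1, .pr_flags = 0, .pr_ip4s = 1 };
	struct ucred_model  jail_cred = { .cr_prison = &jail1 };
	struct ucred_model  host_cred = { .cr_prison = &prison0_model };
	struct thread_model jail_thread   = { .td_ucred = &jail_cred };
	struct thread_model worker_thread = { .td_ucred = &host_cred };
	uint32_t wanted = ip4_model("169.254.123.101");
	struct scenario_result r;

	jail1.pr_ip4[0] = ip4_model("10.0.0.5");
	r.direct              = add_addr_thread_cred(&jail_thread, wanted);    /* EADDRNOTAVAIL */
	r.worker_thread_cred  = add_addr_thread_cred(&worker_thread, wanted);  /* 0: check bypassed */
	r.worker_request_cred = add_addr_request_cred(&jail_cred, wanted);     /* EADDRNOTAVAIL */
	return (r);
}

int
main(void)
{
	struct scenario_result r = run_scenario();

	printf("direct=%d worker/thread-cred=%d worker/request-cred=%d\n",
	    r.direct, r.worker_thread_cred, r.worker_request_cred);
	return (0);
}
```

The middle result is the bug the thread describes: once the request crosses into a thread that carries the host's credential, any check keyed on that thread's credential passes. The third result is what the D40793 approach restores, the jail's own credential reaching the check regardless of which thread runs the code.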
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 271308] [FIB] File exists while adding IPv4
Date: Fri, 14 Jul 2023 16:34:13 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-STABLE
X-Bugzilla-Assigned-To: melifaro@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271308

Graham Perrin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
       Severity|Affects Only Me             |Affects Some People
             CC|                            |jail@FreeBSD.org
         Status|New                         |Open

--- Comment #3 from Graham Perrin ---
^Triage:

- make the former assignee a cc recipient
- status, severity.

-- 
You are receiving this mail because:
You are on the CC list for the bug.