List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
From: Shivank Garg
Date: Wed, 28 Jun 2023 11:00:59 +0530
Subject: Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
To: Alexander Chernikov
Cc: freebsd-jail@freebsd.org

Hi Alexander,

Thanks for replying.
I think it would mean struct prison info is lost when it reaches ioctl code. Is there some way we can get jail id?

Another question I have: prison_check_ip4 still relies on checking struct prison for flags and ip addr.
https://github.com/freebsd/freebsd-src/blob/6927176113ee775983952edb3c201fed6be318d3/sys/netinet/in_jail.c#L319
How do we handle these cases?

It used to work for VNET jails inet calls sometime back when I wrote mac_ipacl: https://reviews.freebsd.org/D20967 - MAC policy to limit jail privilege to set its IP address. We were planning to merge this code in 14.0. Is there something we can do regarding it?

Thanks,
Shivank

On Wed, 28 Jun 2023 at 04:05, Alexander Chernikov <melifaro@freebsd.org> wrote:
>
> On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote:
>
> On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:
> Hi,
>
> I want to check credentials of the thread setting the IP address with SIOCAIFADDR ioctl.
> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on ip address.
>
> My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.
>
> If you're using -head, it's a bit more complicated. ifconfig(8) uses rtnetlink(4) interfaces to communicate with the kernel. Privilege check is done in Netlink:
> https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472
> After that, (as of now) netlink calls ioctl code from its own kernel thread, which may be the reason of the behavior you're observing.
>
> Apparently the previous message was not delivered everywhere.
>
> However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:
>
> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp,
>                 return (EADDRNOTAVAIL);
>         struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
> -
> +       printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));
>
> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up
>
> Dmesg logs:
> [256] in_control jailed? 0 jid 0 prison_owns_vnet? 1
>
> Cred value indicates host and jail is 0 but the PR_VNET flag is set.
>
> Is this behavior expected? Or is something going wrong - what's the next debug step?
>
> I greatly appreciate your help!
>
> Thanks,
> Shivank
>
> /Alexander
>
> /Alexander
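Review bot: the added printf in the in_control hunk dereferences cred unconditionally (cred->cr_prison->pr_id, and jailed(cred) and prison_owns_vnet(cred) take the same pointer), while the context line directly above it sets cred to NULL when td == NULL, so the debug print would fault on that path; guard it with `if (cred != NULL)` before printing, or print the td == NULL case separately, so the instrumentation cannot crash the kernel on the very path it is meant to observe.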