Date: Fri, 23 Jun 2023 12:23:20 +0530
From: Shivank Garg <shivank@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
Message-ID: <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com>

Hi,

I want to check the credentials of the thread setting the IP address with the SIOCAIFADDR ioctl.
If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on the IP address.

My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.
However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:

@@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp, return (EADDRNOTAVAIL); struct ucred *cred = (td != NULL) ? td->td_ucred : NULL; - + printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));

# jexec 1 ifconfig epair0b inet 169.254.123.101/24 up

Dmesg logs:
[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1

Cred value indicates host and jail is 0 but the PR_VNET flag is set.

Is this behavior expected, or is something going wrong? What's the next debug step?

I greatly appreciate your help!

Thanks,
Shivank
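
Review bot: the added printf dereferences cred->cr_prison->pr_id with no NULL check, although the context line directly above it assigns cred = NULL when td == NULL, and jailed(cred) and prison_owns_vnet(cred) are passed the same pointer. Wrap the debug line in `if (cred != NULL)` or log a distinct message for the td == NULL case, so the instrumentation cannot fault on that path. Since the question is whose credential this is, it would also help to print which thread the value comes from alongside the jid, so the dmesg line can be matched to the process that issued the ioctl.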