From: Shivank Garg
Date: Fri, 23 Jun 2023 12:23:20 +0530
Subject: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
To: freebsd-jail@freebsd.org

Hi,

I want to check the credentials of the thread setting the IP address with the SIOCAIFADDR ioctl.
If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on the IP address.

My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.
However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:

@@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp, return (EADDRNOTAVAIL); struct ucred *cred = (td != NULL) ? td->td_ucred : NULL; - + printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));

# jexec 1 ifconfig epair0b inet 169.254.123.101/24 up

Dmesg logs:
[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1

The cred value indicates host and jail is 0, but the PR_VNET flag is set.

Is this behavior expected, or is something going wrong? What's the next debug step?

I greatly appreciate your help!

Thanks,
Shivank
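
Review bot: the added printf dereferences cred unconditionally (jailed(cred), cred->cr_prison->pr_id, prison_owns_vnet(cred)), but the context line just above it assigns cred = NULL when td is NULL, so this debug line would fault on that path. Guard it with if (cred != NULL), or print a fixed marker for the NULL case. Since the line is there to show which credential reached in_control, it would also help to print cmd, so the SIOCAIFADDR call can be told apart from other ioctls that pass through the same point.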