Date:      Wed, 29 May 2019 21:31:22 +0530
From:      Shivank Garg <shivankgarg98@gmail.com>
To:        soc-status@freebsd.org, freebsd-hackers@freebsd.org
Cc:        "Bjoern A. Zeeb" <bz@freebsd.org>
Subject:   [GSoC'19 Introduction] MAC policy on IP addresses in Jail
Message-ID:  <CAOVCmzHnr=rxEzhA_vT1qWoW_YGt_PtFfF8PQmrsU%2BxbZfnong@mail.gmail.com>

Hi,
This project is aimed at developing a loadable MAC module with "The
TrustedBSD MAC Framework" to limit the set of IP addresses a VNET-enabled
Jail can choose from.
I am a fourth-year undergraduate student in the Department of EE at IIT
Kanpur, India. I am an open-source enthusiast and interested in Operating
Systems, Computer Networks, and system security.

My mentor for the project is Bjoern A. Zeeb
<https://wiki.freebsd.org/BjoernZeeb> (bz@FreeBSD.org)

*About the project:*
Using VNET in FreeBSD jails, the root of the jail can set IP addresses of
their will; however, sysadmins may need to limit these privileges for
different purposes. With a MAC framework, the root of the host can restrict
the root of the jail to set the desired IP address. Currently, there is no MAC
policy module for such restriction, implying these rules are written in the
kernel itself. The project is focused on writing a MAC module for "The
TrustedBSD MAC framework
<https://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/mac.html>"
to enable easy management of privilege (configuring the network stack)
restriction of jail.
Features this new MAC policy module should include are:
- The host should be able to define the list (multiple lists) of IP (both
  IPv4 and IPv6) addresses/subnets for the jail to choose from.
- The host should be able to restrict the jail from setting certain IP
  addresses (both IPv4 and IPv6) or prefixes (subnets).
- Nested jails should also follow the access control policy.
*Approach:*
Currently, my approach is to write a loadable kernel module which has
checks on IP addresses using various syscalls. Using the SIOCAIFADDR (for
IPv4) and SIOCAIFADDR_IN6 (for IPv6) code and the ioctl system call, these
checks can be implemented to allow/disallow a particular IP address.
*Test Plan:*
For testing this module, I will write simple test cases for checking the
validity of the module. For generating a test report, I will use the Kyua
testing framework.


Do check this project on
Github:
https://github.com/shivankgarg98/freebsd/tree/shivank_MACPolicyIPAddressJail/sys/security/mac_ipacl
FreeBSD wiki:
https://wiki.freebsd.org/SummerOfCode2019Projects/MACPolicyIPAddressJail

Please feel free to share your ideas and feedback on this project.
Regards,
Shivank Garg