Date: Fri, 23 Jun 2023 10:27:26 +0100
From: "Alexander Chernikov" <melifaro@FreeBSD.org>
To: freebsd-jail@freebsd.org
Subject: Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
Message-ID: <93d61b80-95cb-4b3e-84dc-1d8b655e66f7@app.fastmail.com>
In-Reply-To: <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com>

On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:
> Hi,
>
> I want to check credentials of the thread setting the IP address with SIOCAIFADDR ioctl.
> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on ip address.
>
> My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.

If you’re using -head, it’s a bit more complicated. ifconfig(8) uses rtnetlink(4) interfaces to communicate with the kernel.
Privilege check is done in Netlink: https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472 . After that, (as of now) netlink calls ioctl code from its own kernel thread, which may be the reason of the behavior you’re observing.

> However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:
>
> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp,
> return (EADDRNOTAVAIL);
> struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
> -
> + printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));
>
> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up
>
> Dmesg logs:
> *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*
>
> Cred value indicates host and jail is 0 but the PR_VNET flag is set.
>
> Is this behavior expected? or something going wrong - what's the next debug step?
>
> I greatly appreciate your help!
>
> Thanks,
> Shivank

/Alexander
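
Review bot: the added printf in the in_control() hunk dereferences cred (cred->cr_prison->pr_id, plus the jailed(cred) and prison_owns_vnet(cred) calls) although the context line directly above it sets cred to NULL when td == NULL, so the debug line should sit under an `if (cred != NULL)` guard. Since the output is meant to show who is making the call, it would also help to print something that identifies the thread itself (for example td->td_name) next to the credential fields, so a call arriving from a kernel service thread can be told apart from one arriving directly from the jailed process.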
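
A user-space C model of the situation the reply above suggests, added here as an illustration and not taken from FreeBSD or from either poster: a handler that inspects the running thread's credential sees the host (jid 0), while one that inspects a credential carried with the request sees the jail. The struct layouts, `struct request`, `service_td` and the two `jid_from_*` helpers are hypothetical stand-ins that only echo the names used in the thread.

```c
/* User-space model, not FreeBSD kernel code: names only echo the thread. */
#include <stddef.h>
#include <stdio.h>

struct prison { int pr_id; };
struct ucred  { struct prison *cr_prison; };
struct thread { const char *td_name; struct ucred *td_ucred; };
/* Request passed from the caller's context to a service thread. */
struct request { struct ucred *caller_cred; };

static struct prison prison0 = { 0 };            /* host */
static struct prison jail1   = { 1 };            /* constructed jail, jid 1 */
static struct ucred  host_cred = { &prison0 };
static struct ucred  jail_cred = { &jail1 };
/* The service thread was created by the host, so it holds host credentials. */
static struct thread service_td = { "service", &host_cred };

static int jailed(const struct ucred *cred)
{
    return (cred != NULL && cred->cr_prison != &prison0);
}

/* Variant A: decide from the thread that happens to run the handler. */
static int jid_from_running_thread(const struct thread *td)
{
    return (jailed(td->td_ucred) ? td->td_ucred->cr_prison->pr_id : 0);
}

/* Variant B: decide from the credential captured with the request. */
static int jid_from_request(const struct request *req)
{
    return (jailed(req->caller_cred) ? req->caller_cred->cr_prison->pr_id : 0);
}

/* A jailed caller submits a request; the service thread then handles it. */
static struct request submit_from_jail(void)
{
    struct request req = { &jail_cred };
    return (req);
}

int main(void)
{
    struct request req = submit_from_jail();
    printf("running thread (%s): jid %d\n", service_td.td_name,
        jid_from_running_thread(&service_td));
    printf("request credential: jid %d\n", jid_from_request(&req));
    return (0);
}
```

Any per-jail restriction placed in the handler only takes effect in variant B, where the credential travels with the request instead of being read from the executing thread.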
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?93d61b80-95cb-4b3e-84dc-1d8b655e66f7>
