From: Shivank Garg
Date: Wed, 29 May 2019 21:31:22 +0530
Subject: [GSoC'19 Introduction] MAC policy on IP addresses in Jail
To: soc-status@freebsd.org, freebsd-hackers@freebsd.org
Cc: "Bjoern A. Zeeb"
Hi,

This project is aimed at developing a loadable MAC module with "The TrustedBSD MAC Framework" to limit the set of IP addresses a VNET-enabled Jail can choose from.

I am a fourth-year undergraduate student in the Department of EE at IIT Kanpur, India. I am an open-source enthusiast and interested in Operating Systems, Computer Networks, and system security. My mentor for the project is Bjoern A. Zeeb (bz@FreeBSD.org).

*About the project:*

Using VNET in FreeBSD jails, the root of the jail can set IP addresses at will; however, sysadmins may need to limit these privileges for different purposes. With a MAC framework, the root of the host can restrict which IP addresses the root of the jail may set. Currently, there is no MAC policy module for such restriction, implying these rules are written in the kernel itself. The project is focused on writing a MAC module for "The TrustedBSD MAC Framework" to enable easy management of restricting a jail's privilege to configure the network stack.

Features this new MAC policy module should include are:
- The host should be able to define the list (or multiple lists) of IP addresses/subnets (both IPv4 and IPv6) for the jail to choose from.
- The host should be able to restrict the jail from setting certain IP addresses (both IPv4 and IPv6) or prefixes (subnets).
- Nested Jails should also follow the access control policy.

*Approach:*

Currently, my approach is to write a loadable kernel module which has checks on IP addresses using various syscalls. Using the SIOCAIFADDR (for IPv4) and SIOCAIFADDR_IN6 (for IPv6) code and the ioctl system call, these checks can be implemented to allow/disallow a particular IP address.
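As an added illustration (not the project's code and not the MAC framework's API), here is the address-matching and nested-jail decision logic that such a module's SIOCAIFADDR/SIOCAIFADDR_IN6 check would apply: IPv4 and IPv6 prefix rules, allow and deny rules, and a walk up through the parent jails. The names (ipacl_rule, ipacl_jail, ipacl_check, demo_check) and the rule semantics (first matching rule wins; a list holding any allow rule is an allow-list, a deny-only list defaults to allow; every ancestor jail must also allow) are assumptions, and the sample rule sets are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* One rule: an IPv4 or IPv6 prefix that is either allowed or denied (hypothetical layout). */
struct ipacl_rule { int af; bool allow; uint8_t net[16]; int plen; };
/* A jail's rule list plus its parent, so a nested jail is also bound by its ancestors. */
struct ipacl_jail { const struct ipacl_jail *parent; const struct ipacl_rule *rules; int nrules; };
/* True if raw address a (family af) lies inside rule r's prefix. */
static bool prefix_match(const struct ipacl_rule *r, int af, const uint8_t *a)
{
    int full = r->plen / 8, rem = r->plen % 8;
    if (r->af != af || memcmp(r->net, a, full) != 0) return false;
    if (rem == 0) return true;
    uint8_t m = (uint8_t)(0xff << (8 - rem));   /* mask for the partial last byte */
    return (r->net[full] & m) == (a[full] & m);
}

/* Decision for a textual address: 0 = allowed, EPERM = denied, EINVAL = unparsable.
 * Per level the first matching rule wins; with no match, a list holding any allow
 * rule acts as an allow-list (deny) and a deny-only list defaults to allow. */
int ipacl_check(const struct ipacl_jail *j, int af, const char *addr)
{
    uint8_t a[16] = {0};
    if (inet_pton(af, addr, a) != 1) return EINVAL;
    for (; j != NULL; j = j->parent) {          /* the jail and every ancestor */
        int i, has_allow = 0;
        for (i = 0; i < j->nrules; i++) {
            if (prefix_match(&j->rules[i], af, a)) break;   /* first match decides */
            has_allow |= j->rules[i].allow;
        }
        if (i < j->nrules ? !j->rules[i].allow : has_allow) return EPERM;
    }
    return 0;
}

/* Constructed sample: parent jail allow-list {192.0.2.0/24, 2001:db8::/32} and a
 * nested child jail deny-list {192.0.2.0/25}. Returns ipacl_check's result. */
int demo_check(int af, const char *addr)
{
    static struct ipacl_rule pr[2] = { { AF_INET, true, {0}, 24 }, { AF_INET6, true, {0}, 32 } };
    static struct ipacl_rule cr[1] = { { AF_INET, false, {0}, 25 } };
    inet_pton(AF_INET, "192.0.2.0", pr[0].net);
    inet_pton(AF_INET6, "2001:db8::", pr[1].net);
    inet_pton(AF_INET, "192.0.2.0", cr[0].net);
    struct ipacl_jail parent = { NULL, pr, 2 }, child = { &parent, cr, 1 };
    return ipacl_check(&child, af, addr);
}
```

With the sample rule sets, 192.0.2.200 passes both levels, 192.0.2.5 is denied by the child's /25 rule, and 198.51.100.1 is denied because the parent's allow-list has no match for it.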
*Test Plan:*

For testing this module, I will write simple test cases for checking the validity of the module. For generating a test report, I will use the Kyua testing framework.

Do check this project on GitHub: https://github.com/shivankgarg98/freebsd/tree/shivank_MACPolicyIPAddressJail/sys/security/mac_ipacl
FreeBSD wiki: https://wiki.freebsd.org/SummerOfCode2019Projects/MACPolicyIPAddressJail

Please feel free to share your ideas and feedback on this project.

Regards,
Shivank Garg