Date:      Tue, 23 Dec 2025 19:37:49 +0000
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Andrea Cocito <andrea@cocito.eu>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: Retrieving the kid/jailname of connected peer for a unix socket
Message-ID:  <xvoiwjdzrspfitvbqeduczmv3u7tpl3gkbfh7zxzgshkj2rp2i@d26qijq462ji>
In-Reply-To: <905FD66D-404C-4BAF-9F32-3C5EB62F5DB5@cocito.eu>
References:  <905FD66D-404C-4BAF-9F32-3C5EB62F5DB5@cocito.eu>


On Tue, Dec 23, 2025 at 08:22:20PM +0100, Andrea Cocito wrote:
> On 23 Dec 2025, at 19:05, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > So please do keep this thread updated. :-)
> 
> Thanks for your input.
> 
> I do not think that in my case MAC policies will help, but will surely take a look at that as an option; more likely I’ll patch the kernel to have the functionality I need.

I should've probably mentioned: I do not think the existing MAC
modules would fit the bill. A custom MAC module would likely need to
be written (if going down the MAC route).

Studying this file specifically might help:
https://cgit.freebsd.org/src/tree/sys/security/mac/mac_socket.c

I suspect by implementing a subset of MAC framework hooks, you might
be able to track socket/fd creation/use and their cross-jail use.

> 
> To explain this is the background: I have developed a “firmware” version of FreeBSD (soon to be open sourced), it boots off “something” and then becomes entirely “RAM living” and stateless except for its own identity stored as a private key in TPM2.
> 
> The thing is managed by a “controller” which asks it to install and run “modules”; so far modules are written by me (I’d say “total trust”) but the plan is to release an SDK so that modules are written by third parties. As every module lives in a contained jail I do not want a broken or malicious module to be able to compromise the system.
> 
> One of the core services “offered” to any module is “you can make http requests on socket /some/path/socket and the controller will handle it”. It can be asked for some info, log an event, store some data or even mount a WebDAV file system. Of course my “local controller process” needs to know *which* jail did the request.
> 
> I think I’ll end up making getsockopt(fd, SOL_LOCAL, LOCAL_PEERCRED,…) return some form of prison is stating “this is the jail in which the process was running when it invoked connect()”. If a process in a module does connect() and then it intentionally hands over the fd to some other process it’s its own responsibility, I don’t really care.
> 
> Cheers,
> 
> A. 

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username:  shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
