From nobody Tue Dec 23 19:37:49 2025 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dbQK23Npzz6KF2t for ; Tue, 23 Dec 2025 19:37:58 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Received: from mail-oa1-x2f.google.com (mail-oa1-x2f.google.com [IPv6:2001:4860:4864:20::2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dbQK15Qjrz3thX for ; Tue, 23 Dec 2025 19:37:57 +0000 (UTC) (envelope-from shawn.webb@hardenedbsd.org) Authentication-Results: mx1.freebsd.org; none Received: by mail-oa1-x2f.google.com with SMTP id 586e51a60fabf-3ec46e3c65bso4135650fac.0 for ; Tue, 23 Dec 2025 11:37:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd.org; s=google; t=1766518671; x=1767123471; darn=freebsd.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=7igqQqzOWEL0nPaSuGMcQ4Xbla6sKq/xtsQPu+Ostkk=; b=aY+Swbqltz2MS97fyuv/zJpLYLp+RptYdfkuQF/ELcNB7ufOKVAXLdMU5+kE1fWuys C8BFVD8vQLZSB8W5RQcHfF7HxtSLAi16eslWp0uOGCMbMzeKXBM3Ich8W72mAEHB2Eu2 lYT0HGo+VM2Lxw8Sc4XWw9aMllB9vybi5Nmp1dJ5dSOqMrp2aCcduQtxVQLOXRrn95js w4CUGPOvOWnmvEq9XBCh45n/k1wSArfMMUhJ+/xeJ8LZKrOSAaGq1E0jKhv0PWvayfAG Fvk1h4L/Y07t4+y0rvoP5ORL8RqYJAa0l+8jylyOKT8KpUKpzr9WyP6EuAyd3Q6LntAZ YzwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766518671; x=1767123471; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7igqQqzOWEL0nPaSuGMcQ4Xbla6sKq/xtsQPu+Ostkk=; b=gm+OQDbAZseQUrzKJtxiN6U4vopEjLVLGuouGKqGNqJDS26GLqz/veHzXKguNZJGX4 D+VogVKSYmtD4GRnVQjzUV8zAZC2zz3m7UrrukMnoYnkCyy1b3d4h86PWjj7YCYYl6Cy nq6owdbM2A9/C54x5tcKWqqSvQRFK2lKAuIJ8DJKtA9OGEmgUAuLaZtXk8taCU1FbmkQ p0ZVtek+FlyFnjmdngy5uCtFGS3kvuyi6VOJb1r0lc0fWUEI35yHlJg7bC2jouCHyRvV /nzX2cX6BWUtmQBQeqrXRMI3S0xkyGz+1FPORV7oqpkA8jkUBf8HFLyosRT3kyfCuoBS jkdw== X-Gm-Message-State: AOJu0Yxj/yfLjtQFrtcDKgkCHCuAhvZuti7UllZY9C9E1llNddKXAF/J ZRphBamnwmv8LsW8SBwp2P9dXoSUhlMw+75k6gQUoDvgpzZYWM1OHPBVk+q+dXWvYwlQ1Z9/j4g 1/jcfsVI= X-Gm-Gg: AY/fxX50+2mdN6HNZElZRrtDCTTLGFYfix4BUTsXniDXpzPwx7wiFph3MgvD7QuSQgV KuyP5h/pK+/l6Mc8EP9GR4vj6ClcVvd0F33EwHU72GCESQhYqaiGXkXH33pn7qisjCvDtzXJSSO 0iG2gcVCnuPO1rw8IfUf4HWSKMDZXHinRj7wnhDhIwt74i48mb/ElJpIGCF9H90Z5u6nYg5fqYG sHRNQLyw+FL3azzEsjaWnbCvjwdgrxOxzWjBPKIWtvEeEl+g9N/+ILzB0+kbrSS1k+N23tDqzL1 pQH+jYqBZ1wwgp8Y2G2xw5Tbfr3wpaONWxZwEEW1alagbgLj9BTKCEWlZUlmb/NaEcNb4WM1aYM OW4J4neZEv+Q64c5y4aZqXRRvYKacLWRPSRhLAs4gOdFF7iyWqbnfNWGY0lJR3PNSn1+b X-Google-Smtp-Source: AGHT+IFwwcolaRGYW345j7iDsBU9W5yaRgoKFF/g35etTfRGy7xKtNchDnnu/6goN7Gxnl/Lz2i8Aw== X-Received: by 2002:a05:6870:2412:b0:3ec:4f31:42a with SMTP id 586e51a60fabf-3fda5612b6cmr6345831fac.7.1766518671285; Tue, 23 Dec 2025 11:37:51 -0800 (PST) Received: from mutt-hbsd ([2001:470:4001:1::95]) by smtp.gmail.com with ESMTPSA id 586e51a60fabf-3fdaa4e0d18sm8524040fac.0.2025.12.23.11.37.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Dec 2025 11:37:50 -0800 (PST) Date: Tue, 23 Dec 2025 19:37:49 +0000 From: Shawn Webb To: Andrea Cocito Cc: freebsd-hackers@freebsd.org Subject: Re: Retrieving the kid/jailname of connected peer for a unix socket Message-ID: X-Operating-System: FreeBSD mutt-hbsd 14.3-STABLE-HBSD FreeBSD 14.3-STABLE-HBSD HARDENEDBSD-14-STABLE amd64 X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc References: <905FD66D-404C-4BAF-9F32-3C5EB62F5DB5@cocito.eu> List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="udvv4cmctnwnwsqa" Content-Disposition: inline In-Reply-To: <905FD66D-404C-4BAF-9F32-3C5EB62F5DB5@cocito.eu> X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: 4dbQK15Qjrz3thX --udvv4cmctnwnwsqa Content-Type: text/plain; protected-headers=v1; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Subject: Re: Retrieving the kid/jailname of connected peer for a unix socket MIME-Version: 1.0 On Tue, Dec 23, 2025 at 08:22:20PM +0100, Andrea Cocito wrote: > =EF=BB=BFOn 23 Dec 2025, at 19:05, Shawn Webb wrote: > > So please do keep this thread updated. :-) >=20 > Thanks for you input. >=20 > I do not think that in my case MAC policies will help, but will surely ta= ke a look at that as an option; more likely I=E2=80=99ll patch the kernel t= o have the functionality I need. I should've probably mentioned: I do not think the existing MAC modules would fit the bill. A custom MAC module would likely need to be written (if going down the MAC route). Studying this file specifically might help: https://cgit.freebsd.org/src/tree/sys/security/mac/mac_socket.c I suspect by implementing a subset of MAC framework hooks, you might be able to track socket/fd creation/use and their cross-jail use. >=20 > To explain this is the background: I have developed a =E2=80=9Cfirmware= =E2=80=9D version of FreeBSD (soon to be open sourced), it boots off =E2=80= =9Csomething=E2=80=9D and then becomes entirely =E2=80=9CRAM living=E2=80= =9D and stateless except for its own identity stored as a private key in TP= M2. >=20 > The thing is managed by a =E2=80=9Ccontroller=E2=80=9D which asks it to i= nstall and run =E2=80=9Cmodules=E2=80=9D; so far modules are written by me = (I=E2=80=99d say =E2=80=9Ctotal trust=E2=80=9D) but the plan is to release = an SDK so that modules are written by third parties. As every module lives = in a contained jail I do not want a broken or malicious module to be able t= o compromise the system. >=20 > One of the core services =E2=80=9Coffered=E2=80=9D to any module is =E2= =80=9Cyou can make http requests on socket /some/path/socket and the contro= ller will handle it=E2=80=9D. It can be ask some info, log an event, store = some data or even mount a WebDAV file system. Of course my =E2=80=9Clocal c= ontroller process=E2=80=9D needs to know *which* jail did the request. >=20 > I think I=E2=80=99ll end up making getsockopt(fd, SOL_LOCAL, LOCAL_PEERCR= ED,=E2=80=A6) return some form of prison is stating =E2=80=9Cthis is the ja= il in which the process was running when it invoked connect()=E2=80=9D. Of = a process in a module does commect() and then it intentionally hands over t= he fd to some other process it=E2=80=99s its own responsibility, I don=E2= =80=99t really care.=20 >=20 > Cheers, >=20 > A.=20 --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD Signal Username: shawn_webb.74 Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --udvv4cmctnwnwsqa Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmlK74EACgkQ/y5nonf4 4fol+w//WamT5wcx+bILmQ/QmcyDyg/l6cvMEutgT4cdujLheds4yZeeAU3cw9zc f1mcrH5GAPH1PC41105z6hsg8AOnyImsKh6FwgZdkV+rv6yzeRFcxZK1BzKRjwzQ 8Krwekjw4dApfanOZ1A15eVyGqCFATy7E25VJS1fVIvF9/l8RdhjnfMJVLS2Q11B N/VTYgJt17lG9yLC3JXvFuBxFAuReOmb0yOOR7b8M15fv5T2CMEZbo4y12mFG+iE 5SeOeu/PEpv+6mp/hxmqXzuuy3wsxiUyRKRRuZjsKTYVkXJ+qmgk4U4zsgBLslY9 LmmB0Ih5Qw55kWhZCLl2nQjC7gvbS0iXe7L9gwcaas+v4DFL3K2OvNJdG9yZpO0I LRbSCaXwUsj2IzxnrMYpQUkpFLq2y3fDEuO1GzKyU+ueNV1PV503shvJS2KFSO99 tLSaYFUALDvkIhZNLhSHEKmOvG5EfDhUldrD+KP+IdNL1k0UJyh3fO+3vf8nwo45 1p1lQR0xYZwsvyf6dXXAzLtHReEErlAGn7RKWyZ4xWVXxP1CCR11gqsJq3TNN3wo k569YMajnTkWbe8Xrv7Q1/rVU1jAMmpy8gthv4TsagUs7z4/gBYUhosR88VTQwdu Sc5AZUqLedqmtQtRlDN4EyDQ20pfNonpEO8zSIIr6P2lfhklDBI= =hVsn -----END PGP SIGNATURE----- --udvv4cmctnwnwsqa--