> 
> I do not think that in my case MAC policies will help, but will surely take a look at that as an option; more likely I’ll patch the kernel to have the functionality I need.

I should've probably mentioned: I do not think the existing MAC modules would fit the bill. A custom MAC module would likely need to be written (if going down the MAC route). Studying this file specifically might help:

https://cgit.freebsd.org/src/tree/sys/security/mac/mac_socket.c

I suspect by implementing a subset of MAC framework hooks, you might be able to track socket/fd creation/use and their cross-jail use.

> 
> To explain, this is the background: I have developed a “firmware” version of FreeBSD (soon to be open sourced), it boots off “something” and then becomes entirely “RAM living” and stateless except for its own identity stored as a private key in TPM2.
> 
> The thing is managed by a “controller” which asks it to install and run “modules”; so far modules are written by me (I’d say “total trust”) but the plan is to release an SDK so that modules are written by third parties. As every module lives in a contained jail I do not want a broken or malicious module to be able to compromise the system.
> 
> One of the core services “offered” to any module is “you can make http requests on socket /some/path/socket and the controller will handle it”. It can be to ask some info, log an event, store some data or even mount a WebDAV file system. Of course my “local controller process” needs to know *which* jail did the request.
> 
> I think I’ll end up making getsockopt(fd, SOL_LOCAL, LOCAL_PEERCRED, …) return some form of prison id stating “this is the jail in which the process was running when it invoked connect()”. If a process in a module does connect() and then it intentionally hands over the fd to some other process, it is its own responsibility, I don’t really care.
> 
> Cheers,
> 
> A.

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc