Date: Fri, 23 Jun 2023 10:27:26 +0100 From: "Alexander Chernikov" <melifaro@FreeBSD.org> To: freebsd-jail@freebsd.org Subject: Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials Message-ID: <93d61b80-95cb-4b3e-84dc-1d8b655e66f7@app.fastmail.com> In-Reply-To: <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com> References: <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--6292e6ea3035491fb892738f4f73d914 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: quoted-printable On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote: > Hi, >=20 > I want to check credentials of the thread setting the IP address with = SIOCAIFADDR ioctl. > If the thread is jailed (jailed(td_ucred) =3D=3D 1), I'm applying some= checks on ip address. >=20 > My expectation was that (cred->cr_prison !=3D &prison0) for an ifconfi= g call made by the jail. If you=E2=80=99re using -head, it=E2=80=99s a bit more complicated. ifco= nfig(8) uses rtnetlink(4) interfaces to communicate with the kernel. Pri= vilege check is done in Netlink: https://github.com/freebsd/freebsd-src= /blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c= #L1472 . After that, (as of now) netlink calls ioctl code from its own k= ernel thread, which may be the reason of the behavior you=E2=80=99re obs= erving. > However, it is showing me some weird behavior. Here are the logs for a= tweaked kernel: >=20 > @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *da= ta, struct ifnet *ifp, > return (EADDRNOTAVAIL); > struct ucred *cred =3D (td !=3D NULL) ? td->td_ucred : NULL; > - > + printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",j= ailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred)); >=20 > # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up >=20 > Dmesg logs: > *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1* >=20 > Cred value indicates host and jail is 0 but the PR_VNET flag is set. >=20 > Is this behavior expected? or something going wrong - what's the next = debug step? >=20 > I greatly appreciate your help! >=20 > Thanks, > Shivank /Alexander --6292e6ea3035491fb892738f4f73d914 Content-Type: text/html;charset=utf-8 Content-Transfer-Encoding: quoted-printable <!DOCTYPE html><html><head><title></title><style type=3D"text/css">p.Mso= Normal,p.MsoNoSpacing{margin:0}</style></head><body><div><br></div><div>= <br></div><div>On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:<br><= /div><blockquote type=3D"cite" id=3D"qt" style=3D""><div dir=3D"ltr"><di= v>Hi,<br></div><div><br></div><div>I want to check credentials of the th= read setting the IP address with SIOCAIFADDR ioctl.<br></div><div>I= f the thread is jailed (jailed(td_ucred) =3D=3D 1), I'm applying some ch= ecks on ip address.<br></div><div><br></div><div>My expectation was that= (<span id=3D"qt-gmail-docs-internal-guid-998c627e-7fff-437f-e766-ef0b49= 0e856c"><span style=3D"color:rgb(0, 0, 0);background-color:transparent;f= ont-variant-numeric:normal;font-variant-east-asian:normal;font-variant-a= lternates:normal;vertical-align:baseline;"><span class=3D"font" style=3D= "font-family:Consolas, sans-serif;"><span class=3D"size" style=3D"font-s= ize:11pt;">cred->cr_prison !=3D &prison0)</span></span></span></s= pan> for an ifconfig call made by the jail.<br></div></div></blockq= uote><div>If you=E2=80=99re using -head, it=E2=80=99s a bit more complic= ated. ifconfig(8) uses rtnetlink(4) interfaces to communicate with the k= ernel. Privilege check is done in Netlink: <a href=3D"https://gith= ub.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460= /sys/netlink/route/iface.c#L1472">https://github.com/freebsd/freebsd-src= /blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c= #L1472</a> . After that, (as of now) netlink calls ioctl code from = its own kernel thread, which may be the reason of the behavior you=E2=80= =99re observing.</div><blockquote type=3D"cite" id=3D"qt" style=3D""><di= v dir=3D"ltr"><div>However, it is showing me some weird behavior. Here a= re the logs for a tweaked kernel:<br></div><div><br></div><div><div><spa= n class=3D"font" style=3D"font-family:monospace;">@@ -339,7 +343,7 @@ in= _control(struct socket *so, u_long cmd, void *data, struct ifnet *ifp,<b= r> return (EADDRN= OTAVAIL);<br> struct ucred *cred =3D (td !=3D= NULL) ? td->td_ucred : NULL;<br>-<br>+ printf("= in_control jailed? %d jid %d prison_owns_vnet? %d\n",jailed(cred),cred-&= gt;cr_prison->pr_id,prison_owns_vnet(cred));</span></div><div><br></d= iv><div># jexec 1 ifconfig epair0b inet <a href=3D"http://169.254.123.10= 1/24" target=3D"_blank">169.254.123.101/24</a> up<br></div></div><div><d= iv><br></div><div>Dmesg logs:<br></div><div><span class=3D"font" style=3D= "font-family:monospace;"><b>[256] in_control jailed? 0 jid 0 prison_owns= _vnet? 1</b></span><br></div><div><br></div><div>Cred value indicates ho= st and jail is 0 but the PR_VNET flag is set.<span style=3D"co= lor:rgb(0, 0, 0);"><span class=3D"font" style=3D"font-family:Courier, &q= uot;Courier New", monospace;"><span class=3D"size" style=3D"font-si= ze:12px;"></span></span></span><br></div></div><div><br></div><div>Is th= is behavior expected? or something going wrong - what's the next debug s= tep?<br></div><div><br></div><div>I greatly appreciate your help!<br></d= iv><div><br></div><div><div>Thanks,<br></div><div>Shivank<br></div></div= ></div></blockquote><div><br></div><div id=3D"sig132921232"><div class=3D= "signature">/Alexander<br></div></div><div><br></div></body></html> --6292e6ea3035491fb892738f4f73d914--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?93d61b80-95cb-4b3e-84dc-1d8b655e66f7>