Date:      Tue, 27 Jun 2023 23:35:18 +0100
From:      "Alexander Chernikov" <melifaro@FreeBSD.org>
To:        freebsd-jail@freebsd.org, "Shivank Garg" <shivank@freebsd.org>
Subject:   Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials
Message-ID:  <ab27fc86-e339-420c-8cfa-05c53a3bf4f9@app.fastmail.com>
In-Reply-To: <93d61b80-95cb-4b3e-84dc-1d8b655e66f7@app.fastmail.com>
References:   <CAOVCmzFQjwTaeQZQSD-ep7s=UdDzzczQ6r9wtjK-w3BAwRsKvA@mail.gmail.com> <93d61b80-95cb-4b3e-84dc-1d8b655e66f7@app.fastmail.com>

On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote:
>
>
> On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote:
>> Hi,
>>
>> I want to check credentials of the thread setting the IP address with SIOCAIFADDR ioctl.
>> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on ip address.
>>
>> My expectation was that (cred->cr_prison != &prison0) for an ifconfig call made by the jail.
> If you’re using -head, it’s a bit more complicated. ifconfig(8) uses rtnetlink(4) interfaces to communicate with the kernel. Privilege check is done in Netlink: https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472 . After that, (as of now) netlink calls ioctl code from its own kernel thread, which may be the reason of the behavior you’re observing.
Apparently the previous message was not delivered everywhere.
>> However, it is showing me some weird behavior. Here are the logs for a tweaked kernel:
>>
>> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *d=
ata, struct ifnet *ifp,
>>                 return (EADDRNOTAVAIL);
>>         struct ucred *cred =3D (td !=3D NULL) ? td->td_ucred : NULL;
>> -
>> +       printf("in_control jailed? %d jid %d prison_owns_vnet? %d\n",=
jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));
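Review bot: the added printf dereferences cred unconditionally (`cred->cr_prison->pr_id`, and cred is also passed to jailed() and prison_owns_vnet()), yet the context line directly above assigns cred = NULL whenever td == NULL, so this debug line can fault on that path. Guard it with a `cred != NULL` check or print a fixed marker for the NULL case. Note also that the values logged are those of td->td_ucred, i.e. the thread executing in_control, so the output identifies that thread's prison and not necessarily the process that originated the request.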
>>
>> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up
>>
>> Dmesg logs:
>> *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*
>>
>> Cred value indicates host and jail is 0 but the PR_VNET flag is set.
>>
>> Is this behavior expected? or something going wrong - what's the next debug step?
>>
>> I greatly appreciate your help!
>>
>> Thanks,
>> Shivank
>
> /Alexander
>

/Alexander
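
The effect described in the reply above, as an added user-space C model that is not part of the original message and is not FreeBSD kernel code: the structs are simplified stand-ins, and `struct request`, `run_from_worker` and both handler names are hypothetical. It shows why a check keyed on the executing thread's credentials reports jid 0 when a host-owned worker thread performs work submitted from a jail.

```c
/* User-space model only; simplified stand-ins for the kernel types named in the thread. */
#include <stdio.h>
#include <stddef.h>

struct prison { int pr_id; };
struct ucred  { struct prison *cr_prison; };
struct thread { struct ucred *td_ucred; };

static struct prison prison0 = { 0 };   /* the host */
static struct prison jail1   = { 1 };   /* constructed jail with jid 1 */

/* The test the original poster expected to be true: prison is not prison0. */
static int jailed(const struct ucred *cred) { return cred->cr_prison != &prison0; }

/* Hypothetical queued request that records the submitter's credentials. */
struct request { struct ucred *req_cred; const char *addr; };

/* Check keyed on the thread that executes the handler. Returns -1 if no cred. */
static int handler_uses_curthread(struct thread *td, struct request *rq) {
    (void)rq;
    return (td != NULL && td->td_ucred != NULL) ? jailed(td->td_ucred) : -1;
}

/* Check keyed on the credentials captured when the request was submitted. */
static int handler_uses_request_cred(struct thread *td, struct request *rq) {
    (void)td;
    return (rq != NULL && rq->req_cred != NULL) ? jailed(rq->req_cred) : -1;
}

/* Request submitted from jail 1, executed by a worker thread holding host creds. */
static int run_from_worker(int (*handler)(struct thread *, struct request *)) {
    struct ucred host_cred = { &prison0 }, jail_cred = { &jail1 };
    struct thread worker = { &host_cred };
    struct request rq = { &jail_cred, "169.254.123.101/24" };
    return handler(&worker, &rq);
}

int main(void) {
    printf("executing-thread cred: jailed? %d\n", run_from_worker(handler_uses_curthread));
    printf("submitter cred:        jailed? %d\n", run_from_worker(handler_uses_request_cred));
    return 0;
}
```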



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ab27fc86-e339-420c-8cfa-05c53a3bf4f9>