MAC Policy on IP Address in Jail

IP address access control policy - Google Summer of Code 2019 project page

Differential revisions Submitted





mac_ipacl module, tests and man page

Revision is Accepted and Ready to land (./)

Idea of the project:

Using VNET in FreeBSD jails, the root of the jail can set IP addresses of their will, however, sysadmins may need to limit these privileges for different purposes. With a MAC framework, the root of the host can restrict root of the jail to set the desired IP address. Currently, there is no MAC policy module for such restriction, implying these rules are written in the kernel itself. The project is focused on writing a MAC module for The TrustedBSD MAC framework to enable easy management of privilege(configuring the network stack) restriction of jail.

Features: mac_ipacl

The features of the mac_ipacl policy module are-

Project description & Implementation

The mac_ipacl module is a loadable kernel module. It implements mac checks in netinet/in.c and netinet6/in6.c to check the IP addresses requested by jail. The idea to implement these checks at these places comes from the fact that SIOCAIFADDR(for IPv4) and SIOCAIFADDR_IN6(for IPv6) ioctl handlers are defined for adding the IP addresses to an interface. This is used by ifconfig(in userspace) for setting the IP address. MAC framework act as multiplexer between the netinet and the module. The requested IP and the credentials are checked with the rules in mac_ipacl and output is returned accordingly to netinet. The module can be tuned with various sysctl and similarly, policy rules are also be defined with sysctl.

Using the mac_ipacl policy module

For a detailed description on using the mac_ipacl module and the examples, please refer the mac_ipacl(4) man page. One can also refer to test-framework(in /usr/tests/sys/mac/ipacl) for wide variety of examples on policy defined for ipv4 and ipv6 addresses.

Work Done

Please check this branch for the code

Comparison of the files changed from FreeBSD Master(for net changes that I have made)

The final deliverables from this project include -

Also, for writing the mac_ipacl module, new checks and functions are also introduced at various places in kernel.

Regular weekly status reports were posted to the list.

Download the full patch -

Test Suite

The tests for mac_ipacl are written using atf-framwork: Tests(in src code) for ipacl can be found in /usr/src/tests/sys/mac/ipacl Now, we can generate a test report using kyua report. It parses the result file and generates a plain-text report. We can also print a detailed report using --verbose flag.

Compile and install tests using:

$ make && make install

Then, Test the module using following command:

$ kyua test -k /usr/tests/sys/mac/ipacl/Kyuafile

$ kyua report --verbose

Future Work

Ideas I came up with while working on the Google Summer of Code project, which could be done in the future:

SummerOfCode2019Projects/MACPolicyIPAddressJail (last edited 2019-09-04 12:23:32 by ShivankGarg)