Date: Wed, 21 Aug 2019 22:43:45 +0530 From: Shivank Garg <shivank@freebsd.org> To: freebsd-hackers@freebsd.org, freebsd-jail@freebsd.org, trustedbsd-discuss@freebsd.org, "Bjoern A. Zeeb" <bz@freebsd.org>, soc-status@freebsd.org Subject: MAC Policy on IP addresses in Jails Message-ID: <CAOVCmzHL_VLcpHfNBcOpWiLOv1G-T2AzSidvyx9G0qUQdPoGZw@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi Everyone, I am a fourth-year undergraduate student in Department of EE at IIT Kanpur, India. I am an open-source enthusiast and interested in Operating Systems, Computer Networks, and system security. As a part of Google Summer of Code'19, I wrote a loadable kernel MAC module with the TrustedBSD MAC framework to limit the set of IP addresses for a VNET-enabled Jail to choose from. I was mentored by Bjoern A. Zeeb (bz@FreeBSD.org). *About the project:* With the introduction of VNET(9) in FreeBSD, Jails are free to set their IP addresses. However, this privilege may need to be limited by the host as per its need for multiple security reasons. This project uses mac(9) for an access control framework to impose restrictions on FreeBSD jails according to rules defined by the root of the host using sysctl(8). It involves the development of a dynamically loadable kernel module (mac_ipacl) based on The TrustedBSD MAC Framework to implement a security policy for configuring the network stack. This project allows the root of the host to define the policy rules to limit a jail to a set of IP (v4 or v6) addresses and/or subnets for a set of interfaces. Features this new MAC policy module are: - Host can define the list(multiple lists) of IP addresses/subnets for the jail to choose from. - Host can restrict the jail from setting the certain IP addresses or prefixes(subnets). - Host can restrict this privilege to a few networks interfaces. *How to use the module:* I have also wrote a man page for the module. Please refer to the mac_ipacl(4) for using the new MAC module and examples on it. *Test Plan:* Test Scripts integrated with kyua and ATF are included with the module. *Review Link:* This module has been reviewed and revision has been accepted and is ready to land. To check the review: https://reviews.freebsd.org/D20967 *Download Patch/Raw diff from here: * https://reviews.freebsd.org/file/data/udbhpp4gvffsqbqkkekc/PHID-FILE-wun5bhf4qlx6677fdd73/D20967.diff *Wiki and other links:* Please refer to wiki page from more detailed description of the project: *Project FreeBSD Wikipage*: https://wiki.freebsd.org/SummerOfCode2019Projects/MACPolicyIPAddressJail GitHub: https://github.com/shivankgarg98/freebsd/tree/shivank_MACPolicyIPAddressJail/sys/security/mac_ipacl I'll be be very thankful if you can give this module a try and share your valuable experience about it. Please be free to share your ideas and feedback on this module. Regards, Shivank Garg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOVCmzHL_VLcpHfNBcOpWiLOv1G-T2AzSidvyx9G0qUQdPoGZw>