Date: Wed, 29 May 2019 21:31:22 +0530 From: Shivank Garg <shivankgarg98@gmail.com> To: soc-status@freebsd.org, freebsd-hackers@freebsd.org Cc: "Bjoern A. Zeeb" <bz@freebsd.org> Subject: [GSoC'19 Introduction] MAC policy on IP addresses in Jail Message-ID: <CAOVCmzHnr=rxEzhA_vT1qWoW_YGt_PtFfF8PQmrsU%2BxbZfnong@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi, This project is aimed at developing a loadable MAC module with the "The TrustedBSD MAC Framework" to limit the set of IP addresses a VNET-enabled Jail can choose from. I am a fourth-year undergraduate student in the Department of EE at IIT Kanpur, India. I am an open-source enthusiast and interested in Operating Systems, Computer Networks, and system security. My mentor for the project is Bjoern A. Zeeb <https://wiki.freebsd.org/BjoernZeeb>; (bz@FreeBSD.org) *About the project:* Using VNET in FreeBSD jails, the root of the jail can set IP addresses of their will, however, sysadmins may need to limit these privileges for different purposes. With a MAC framework, the root of the host can restrict root of the jail to set the desired IP address. Currently, there is no MAC policy module for such restriction, implying these rules are written in the kernel itself. The project is focused on writing a MAC module for "The TrustedBSD MAC framework <https://www.freebsd.org/doc/en_US.ISO8859-1/books/arch-handbook/mac.html>" to enable easy management of privilege(configuring the network stack) restriction of jail. Features this new MAC policy module should include are- Host be able to define the list(multiple lists) of IP(both IPv4 and IPv6) addresses/subnets for the jail to choose from. Host be able to restrict the jail from setting the certain IP addresses(both IPv4 and IPv6) or prefixes(subnets). Nested Jails should also follow the access control policy. *Approach:* Currently, my approach is to write a loadable kernel module which has checks on IP addresses using various syscalls. Using SIOCAIFADDR(for IPv4) and SIOCAIFADDR_IN6(for IPv6) code and ioctl system call, these checks can be implemented to allow/disallow a particular IP address. *Test Plan:* For testing this module, I will write simple test cases for checking the validity of the module. For generating a test report, I will use Kyua Testing framework. Do Check this project on Github: https://github.com/shivankgarg98/freebsd/tree/shivank_MACPolicyIPAddressJail/sys/security/mac_ipacl FreeBSD wiki: https://wiki.freebsd.org/SummerOfCode2019Projects/MACPolicyIPAddressJail Please feel free to share your ideas and feedback on this project. Regards, Shivank Garg
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOVCmzHnr=rxEzhA_vT1qWoW_YGt_PtFfF8PQmrsU%2BxbZfnong>