GSoC'19 project to create a new MAC policy module, mac_ipacl, that limits a VNET jail's privilege to set its own IP address
The mac_ipacl policy module enables fine-grained control over IP address access within VNET jails on a host system. It allows the root user to define rules governing IP addresses for jails and their interfaces using the sysctl interface.
Steps to dynamically load the module and run a basic test:
1. Apply the patch and boot into the modified kernel.
2. Load the `mac_ipacl` policy module using the following command:
```
kldload mac_ipacl
```
3. Verify that the module is loaded by checking the kernel module status:
```
kldstat
```
4. Create a virtual interface using the following command:
```
ifconfig epair create
```
5. Create a VNET jail and attach the newly created interface (let's say epair0b) using the following command:
```
jail -c name=jvnet host.hostname=jvnet persist vnet vnet.interface=epair0b
```
6. Check the jail ID (jid) using the following command:
```
jls
```
7. Add the IP address access control rules for the jail (let's say the jid is 1):
```
sysctl security.mac.ipacl.ipv4=1
sysctl security.mac.ipacl.rules="1,1,,AF_INET,169.254.123.123/24"
```
8. Set different IP addresses within the jail to test the access control. For example:
```
# Successful attempt:
jexec 1 ifconfig epair0b inet 169.254.123.123/24 up
# Unsuccessful attempt (permission denied):
jexec 1 ifconfig epair0b inet 169.254.120.123/24 up
```
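The following script is an added example, not code from the mac_ipacl project: it models the check behind steps 7 and 8 so a rule string can be sanity-checked before it is loaded with sysctl. The function names are hypothetical, and it assumes the rule fields are jid, allow flag, interface (empty meaning any), address family and address/prefix, with the prefix matched as a subnet and any address not explicitly allowed being denied.

```shell
#!/bin/sh
# Added illustration, not mac_ipacl source. Assumed rule layout, read off the
# README's example: jid,allow,interface,family,address/prefix
# (empty interface = any interface of that jail; prefix matched as a subnet).

# ip4_to_int A.B.C.D: print the address as a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ipacl_allows RULE JID IFNAME ADDR: exit 0 only if RULE explicitly allows
# ADDR for that jail and interface. Anything else counts as denied, matching
# the "permission denied" result the README shows for an unlisted address.
ipacl_allows() {
    rule=$1; want_jid=$2; want_if=$3; want_addr=$4
    old_ifs=$IFS; IFS=,
    set -- $rule            # empty fields are kept for a non-whitespace IFS
    IFS=$old_ifs
    [ $# -eq 5 ] || return 1
    r_jid=$1; r_allow=$2; r_if=$3; r_af=$4
    r_net=${5%/*}; r_len=${5#*/}
    [ "$r_af" = AF_INET ] || return 1
    [ "$r_jid" = "$want_jid" ] || return 1
    [ -z "$r_if" ] || [ "$r_if" = "$want_if" ] || return 1
    [ "$r_allow" = 1 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - $r_len)) & 0xFFFFFFFF ))
    a=$(ip4_to_int "$want_addr") || return 1
    n=$(ip4_to_int "$r_net") || return 1
    [ $(( $a & $mask )) -eq $(( $n & $mask )) ]
}

RULE="1,1,,AF_INET,169.254.123.123/24"   # rule string from step 7
for addr in 169.254.123.123 169.254.123.7 169.254.120.123; do
    if ipacl_allows "$RULE" 1 epair0b "$addr"; then
        echo "$addr: allowed"
    else
        echo "$addr: denied"
    fi
done
```

Under these assumptions the /24 in the rule permits every address in 169.254.123.0/24, not only 169.254.123.123, which is worth keeping in mind when the intent is to pin a jail to a single address.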