Re: Retrieving the kid/jailname of connected peer for a unix socket
- In reply to: Andrea Cocito : "Re: Retrieving the kid/jailname of connected peer for a unix socket"
Date: Tue, 23 Dec 2025 19:37:49 UTC
On Tue, Dec 23, 2025 at 08:22:20PM +0100, Andrea Cocito wrote:
> On 23 Dec 2025, at 19:05, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > So please do keep this thread updated. :-)
>
> Thanks for your input.
>
> I do not think that in my case MAC policies will help, but will surely take a look at that as an option; more likely I’ll patch the kernel to have the functionality I need.

I should've probably mentioned: I do not think the existing MAC modules would fit the bill. A custom MAC module would likely need to be written (if going down the MAC route). Studying this file specifically might help:

https://cgit.freebsd.org/src/tree/sys/security/mac/mac_socket.c

I suspect by implementing a subset of MAC framework hooks, you might be able to track socket/fd creation/use and their cross-jail use.

> To explain this is the background: I have developed a “firmware” version of FreeBSD (soon to be open sourced), it boots off “something” and then becomes entirely “RAM living” and stateless except for its own identity stored as a private key in TPM2.
>
> The thing is managed by a “controller” which asks it to install and run “modules”; so far modules are written by me (I’d say “total trust”) but the plan is to release an SDK so that modules are written by third parties. As every module lives in a contained jail I do not want a broken or malicious module to be able to compromise the system.
>
> One of the core services “offered” to any module is “you can make http requests on socket /some/path/socket and the controller will handle it”. It can ask for some info, log an event, store some data or even mount a WebDAV file system. Of course my “local controller process” needs to know *which* jail did the request.
>
> I think I’ll end up making getsockopt(fd, SOL_LOCAL, LOCAL_PEERCRED,…) return some form of prison id stating “this is the jail in which the process was running when it invoked connect()”. If a process in a module does connect() and then intentionally hands over the fd to some other process it’s its own responsibility, I don’t really care.
>
> Cheers,
>
> A.

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Signal Username: shawn_webb.74
Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc