Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

From: Shivank Garg <>
Date: Fri, 23 Jun 2023 06:53:20 UTC

I want to check credentials of the thread setting the IP address
with SIOCAIFADDR ioctl.
If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks
on the IP address.

My expectation was that (cred->cr_prison != &prison0) for an ifconfig call
made by the jail.
However, it is showing me some weird behavior. Here are the logs for a
tweaked kernel:

@@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data,
struct ifnet *ifp,
                return (EADDRNOTAVAIL);
        struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
+       printf("in_control jailed? %d jid %d prison_owns_vnet?
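Review bot: the added printf at the end of this hunk follows the context line that sets cred to NULL when td == NULL, so any argument that dereferences cred (the argument list is cut off here) needs a NULL guard, for example by printing only when cred != NULL. The visible format string also has no field for cmd, which in_control receives as its second parameter, so a resulting dmesg line cannot be tied to the SIOCAIFADDR request rather than to another ioctl passing through in_control; adding cmd to the format string would make the log unambiguous.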

# jexec 1 ifconfig epair0b inet up

Dmesg logs:
*[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*

Cred value indicates host and jail is 0 but the PR_VNET flag is set.

Is this behavior expected, or is something going wrong? What's the next debug

I greatly appreciate your help!