Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials

Reply: Alexander Chernikov: "Re: Add IP address ioctl (SIOCAIFADDR) from jail is called with host credentials"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Shivank Garg <shivank_at_freebsd.org>
Date: Fri, 23 Jun 2023 06:53:20 UTC

Hi,

I want to check credentials of the thread setting the IP address
with SIOCAIFADDR ioctl.
If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks
on ip address.

My expectation was that (cred->cr_prison != &prison0) for an ifconfig call
made by the jail.
However, it is showing me some weird behavior. Here are the logs for a
tweaked kernel:

@@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data,
struct ifnet *ifp,
                return (EADDRNOTAVAIL);
        struct ucred *cred = (td != NULL) ? td->td_ucred : NULL;
-
+       printf("in_control jailed? %d jid %d prison_owns_vnet?
%d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred));

# jexec 1 ifconfig epair0b inet 169.254.123.101/24 up

Dmesg logs:
*[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1*

Cred value indicates host and jail is 0 but the PR_VNET flag is set.

Is this behavior expected? or something going wrong - what's the next debug
step?

I greatly appreciate your help!

Thanks,
Shivank