kern/84215: jail: wildcard ip (INADDR_ANY) should not bind inside a jail [patch]

Frank Behrens frank at pinky.sax.de
Thu Jul 28 09:40:16 GMT 2005


>Number:         84215
>Category:       kern
>Synopsis:       jail: wildcard ip (INADDR_ANY) should not bind inside a jail [patch]
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 28 09:40:14 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Frank Behrens
>Release:        FreeBSD 6.0-BETA1 i386, also applicable for FreeBSD 5.x
>Organization:
>Environment:
>Description:
If a process listens on a socket and this socket is not bound to a
specific address, it listens on all interface addresses present in the system.
This also includes addresses assigned to a jail(8). This behaviour
complicates the jail setup, because in most environments the processes
in the jail should be separated from the main system and wildcard binding
is no longer possible: nearly all server configurations (sendmail, webserver,
named, smbd, ..) must be changed.

This change request proposes a change in the kernel's connection handling. If
there is a jail, its assigned IP address should not be considered a valid
address for INADDR_ANY. With this change an easy jail setup is possible
without further modifications of the base configuration!

>How-To-Repeat:
Start a process in the main system and let it bind to INADDR_ANY. The created
server socket is accessible from any jail, which is not desired.
>Fix:
The patch implements the desired behaviour. It has been developed and tested
on FreeBSD-5.3/5.4. The attached patch is for RELENG_6, where it has been
tested for some weeks.

It introduces a new sysctl, with which it is possible to switch off
the wildcard binding to jail addresses.

Impact:
1. The default setting does not change the system behaviour, that means no
change is visible to FreeBSD users.
2. The default setting inserts the processing of one additional conditional
statement only. So I see no danger of performance problems.
3. There is no change in client connections. The throughput
of established connections is not changed.
4. If the wildcard binding is switched off, an additional test is performed
for new incoming connections. The maximum rate of accepted connections
could theoretically be decreased, but for maximum performance you should
not bind to a wildcard address anyway.
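To make the proposed lookup rule concrete, here is an added userland model of the patched wildcard match, written for this review in C; it is not part of the PR or of FreeBSD. It assumes a constructed table of jail addresses kept in host byte order (the way the patch's kern_jail.c compares pr_ip) and that jailed sockets are bound to their jail address rather than to INADDR_ANY.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed jail addresses, host order like pr_ip: 192.0.2.2, 192.0.2.3 */
static const uint32_t jail_ips[] = { 0xC0000202U, 0xC0000203U };
#define NJAILS (sizeof(jail_ips) / sizeof(jail_ips[0]))

/* Same contract as the patch's prison_isprison_ip(): network-order in. */
int model_isprison_ip(uint32_t ip_net)
{
	uint32_t iph = ntohl(ip_net);	/* jails store host order */
	for (size_t i = 0; i < NJAILS; i++)
		if (jail_ips[i] == iph)
			return (1);
	return (0);
}

/* Models the wildcard branch of in_pcblookup_hash() after the patch: may a
 * listener bound to inp_laddr receive a packet addressed to laddr?  Both
 * network order; bindwildcardtojails is the proposed sysctl's value. */
int model_listener_accepts(uint32_t inp_laddr, uint32_t laddr,
    int bindwildcardtojails)
{
	if (inp_laddr == laddr)
		return (1);		/* exact match, unchanged by the patch */
	if (inp_laddr != INADDR_ANY)
		return (0);		/* bound to some other address */
	/* wildcard socket: with the sysctl at 0 it no longer covers jail IPs */
	if (!bindwildcardtojails && model_isprison_ip(laddr))
		return (0);
	return (1);
}

/* Dotted-quad wrapper; "*" stands for INADDR_ANY. */
int accepts(const char *bound, const char *dest, int sysctl_val)
{
	uint32_t b = strcmp(bound, "*") == 0 ? INADDR_ANY : inet_addr(bound);
	return (model_listener_accepts(b, inet_addr(dest), sysctl_val));
}

int main(void)
{
	/* host daemon on *:port, connection arrives for jail address 192.0.2.2 */
	printf("sysctl=1: %d  sysctl=0: %d  host address, sysctl=0: %d\n",
	    accepts("*", "192.0.2.2", 1), accepts("*", "192.0.2.2", 0),
	    accepts("*", "192.0.2.1", 0));
	return (0);
}
```

The model only covers delivery of incoming packets, which is the one path the patch changes; bind-time conflict detection is not modelled.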


--- kernjail6_050721.patch begins here ---
--- ./sys/kern/kern_jail.c.orig	Thu Jul 21 15:39:14 2005
+++ ./sys/kern/kern_jail.c	Thu Jul 21 15:49:31 2005
@@ -552,6 +552,35 @@
 	return (found);
 }
 
+/*
+ * Checks if the IP address belongs to a jail.
+ * IN: ip address in network order
+ * Returns TRUE if there is such a jail, otherwise FALSE.
+ */
+int
+prison_isprison_ip(u_int32_t ip) {
+
+       struct prison *pr;
+       int found;
+       u_int32_t iph;
+
+       /* an atomic compare only, or do we need a lock? */
+       if (prisoncount == 0)
+               return (FALSE);
+
+       iph = ntohl(ip); /* in prison we have host order */
+       found = FALSE;
+       mtx_lock(&allprison_mtx);
+       LIST_FOREACH(pr, &allprison, pr_list) {
+               if (pr->pr_ip == iph) {
+                       found = TRUE;
+                       break;
+               }
+       }
+       mtx_unlock(&allprison_mtx);
+       return (found);
+}
+
 static int
 sysctl_jail_list(SYSCTL_HANDLER_ARGS)
 {
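Review bot: prison_isprison_ip() reads prisoncount without holding allprison_mtx, and the comment `/* an atomic compare only, or do we need a lock? */` leaves that question to the reader; either take the lock before the early return or state why a stale zero is acceptable (a prison created between the check and the lookup is missed for that one packet). Style: the opening brace belongs on its own line below `prison_isprison_ip(u_int32_t ip)`, and the body is indented with spaces instead of tabs, both contrary to style(9).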
--- ./sys/netinet/in_pcb.c.orig	Wed Jun  1 13:43:39 2005
+++ ./sys/netinet/in_pcb.c	Thu Jul 21 15:39:14 2005
@@ -107,6 +107,8 @@
 int	ipport_tcpallocs;
 int	ipport_tcplastcount;
 
+int	ip_bindwildcardtojails = 1;
+
 #define RANGECHK(var, min, max) \
 	if ((var) < (min)) { (var) = (min); } \
 	else if ((var) > (max)) { (var) = (max); }
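Review bot: `ip_bindwildcardtojails` is a new global without a comment saying what the two values mean; a one-line comment next to the declaration (1 keeps the historical behaviour, wildcard sockets also receive traffic for jail addresses) would make the later `!ip_bindwildcardtojails` test self-explanatory.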
@@ -156,6 +158,9 @@
 SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomtime, CTLFLAG_RW,
 	   &ipport_randomtime, 0, "Minimum time to keep sequental port "
 	   "allocation before switching to a random one");
+SYSCTL_INT(_net_inet_ip, OID_AUTO, bindwildcardtojails,
+	   CTLFLAG_RW|CTLFLAG_SECURE1, &ip_bindwildcardtojails, 
+	   1, "bind wildcard address to jails");
 
 /*
  * in_pcb.c: manage the Protocol Control Blocks.
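Review bot: the new SYSCTL_INT is placed among the net.inet.ip.portrange entries although it lives under _net_inet_ip; grouping it with the other _net_inet_ip knobs keeps the file readable. The description string "bind wildcard address to jails" should state the effect, for example "INADDR_ANY sockets also receive traffic for jail addresses", and there is trailing whitespace after `&ip_bindwildcardtojails,`. CTLFLAG_SECURE1 is the right choice, since flipping this changes which sockets answer for a jail's address.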
@@ -1065,6 +1070,10 @@
 				if (inp->inp_laddr.s_addr == laddr.s_addr)
 					return (inp);
 				else if (inp->inp_laddr.s_addr == INADDR_ANY) {
+					/* wildcard address does not match a prison address */
+					if (!ip_bindwildcardtojails &&
+					    prison_isprison_ip(laddr.s_addr))
+						continue;
 #if defined(INET6)
 					if (INP_CHECK_SOCKAF(inp->inp_socket,
 							     AF_INET6))
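Review bot: this hunk changes only the incoming-connection lookup; nothing in the patch touches the wildcard match that in_pcbbind() uses to detect address conflicts, so with the sysctl at 0 a host socket on *:port stops receiving traffic for the jail address, but it should be verified that a jailed daemon can then bind the same port on its jail address instead of getting EADDRINUSE; if it cannot, the same prison_isprison_ip() test is needed in that path too. Also, prison_isprison_ip() acquires allprison_mtx from inside the PCB lookup, so the lock order should be documented, and since `laddr` does not change during the lookup the test can be evaluated once before the candidate loop rather than for every wildcard candidate.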
--- ./sys/sys/jail.h.orig	Thu Jun  9 20:49:19 2005
+++ ./sys/sys/jail.h	Thu Jul 21 15:39:14 2005
@@ -111,6 +111,7 @@
 int prison_if(struct ucred *cred, struct sockaddr *sa);
 int prison_ip(struct ucred *cred, int flag, u_int32_t *ip);
 void prison_remote_ip(struct ucred *cred, int flags, u_int32_t *ip);
+int prison_isprison_ip(u_int32_t ip);
 
 #endif /* _KERNEL */
 #endif /* !_SYS_JAIL_H_ */
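Review bot: the prototype should say which byte order the argument is in, since the other prison_*() functions on the neighbouring lines take pointers to addresses and this one takes a value; a name such as prison_check_ip() would also read more naturally next to prison_ip() and prison_if() than prison_isprison_ip().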
--- ./usr.sbin/jail/jail.8.orig	Tue Jun 14 14:26:35 2005
+++ ./usr.sbin/jail/jail.8	Thu Jul 21 15:39:14 2005
@@ -516,6 +516,10 @@
 privileged, and may manipulate system file flags subject to the usual
 constraints on
 .Va kern.securelevel .
+.It Va net.inet.ip.bindwildcardtojails
+If set to 0 then daemons listening on all IPs
+.Pq Dv INADDR_ANY
+will not bind on any address assigned to a jail.
 .El
 .Pp
 There are currently two MIB related variables that have per-jail settings.
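Review bot: the new .It entry should state the default (1, the historical behaviour) and that the variable is protected by securelevel (it is CTLFLAG_SECURE1 in in_pcb.c), so an administrator reading only jail(8) knows both what happens out of the box and when it can still be changed. One sentence clarifying that this affects daemons running on the host, which is what the How-To-Repeat describes, would remove the main ambiguity.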
@@ -573,13 +577,7 @@
 .Xr ps 1
 as opposed to
 .Xr procfs 5 .
-Similarly, it might be a good idea to add an
-address alias flag such that daemons listening on all IPs
-.Pq Dv INADDR_ANY
-will not bind on that address, which would facilitate building a safe
-host environment such that host daemons do not impose on services offered
-from within jails.
-Currently, the simplest answer is to minimize services
-offered on the host, possibly limiting it to services offered from
-.Xr inetd 8
-which is easily configurable.
+Jail does not handle 
+.Pq Dv IPv6
+addresses.
+
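Review bot: the replacement text `Jail does not handle .Pq Dv IPv6 addresses.` is unrelated to this change and misuses .Dv (IPv6 is not a defined value); if wanted at all it belongs in a separate commit as plain text. The removed paragraph's advice to minimize services offered on the host still applies while the sysctl is at its default of 1, so keep it and add one sentence pointing at net.inet.ip.bindwildcardtojails instead of deleting it. Also `+Jail does not handle ` has trailing whitespace, and the final `+` line adds an empty line at the end of the manpage.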
--- kernjail6_050721.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

