MAC Policy on IP addresses in Jails

Shivank Garg shivank at
Wed Aug 21 17:14:36 UTC 2019

Hi Everyone,

I am a fourth-year undergraduate student in Department of EE at IIT Kanpur,
India.  I am an open-source enthusiast and interested in Operating Systems,
Computer Networks, and system security. As a part of Google Summer of
Code'19, I wrote a loadable kernel MAC module with the TrustedBSD MAC
framework to limit the set of IP addresses for a VNET-enabled Jail to
choose from. I was mentored by Bjoern A. Zeeb (bz at

*About the project:*
With the introduction of VNET(9) in FreeBSD, Jails are free to set their IP
addresses. However, this privilege may need to be limited by the host as
per its need for multiple security reasons.
This project uses mac(9) for an access control framework to impose
restrictions on FreeBSD jails according to rules defined by the root of the
host using sysctl(8). It involves the development of a dynamically loadable
kernel module (mac_ipacl) based on The TrustedBSD MAC Framework to
implement a security policy for configuring the network stack.
This project allows the root of the host to define the policy rules to
limit a jail to a set of IP (v4 or v6) addresses and/or subnets for a set
of interfaces.

Features this new MAC policy module are:

   - Host can define the list(multiple lists) of IP addresses/subnets for
   the jail to choose from.
   - Host can restrict the jail from setting the certain IP addresses or
   - Host can restrict this privilege to a few networks interfaces.

*How to use the module:*
I have also wrote a man page for the module. Please refer to the
mac_ipacl(4) for using the new MAC module and examples on it.

*Test Plan:*
Test Scripts integrated with kyua and ATF are included with the module.

*Review Link:*
This module has been reviewed and revision has been accepted and is ready
to land. To check the review:
*Download Patch/Raw diff from here: *

*Wiki and other links:*
Please refer to wiki page from more detailed description of the
project: *Project
FreeBSD Wikipage*:

I'll be be very thankful if you can give this module a try and share your
valuable experience about it.
Please be free to share your ideas and feedback on this module.

Shivank Garg

More information about the soc-status mailing list