GSoC'19 project on creating a new MAC policy module to limit the VNET jail privileges of setting its IP address - mac_ipacl
The mac_ipacl policy module enables fine-grained control over IP address access within VNET jails on a host system. It allows the root user to define rules governing IP addresses for jails and their interfaces using the sysctl interface.
Steps to dynamically load module and basic test:
- Apply the patch and boot into the modified kernel.
- Load the mac_ipacl policy module using the following command:
- Verify that the module is loaded by checking the kernel module status:
- Create a virtual interface using the following command:
ifconfig epair create
- Create a VNET jail and attach the newly created interface (let's say epair0b) using the following command:
jail -c name=jvnet host.hostname=jvnet persist vnet vnet.interface=epair0b
- Check the jail ID (jid) using the following command:
- Add the IP address access control rules for jail (let's say jid is 1):
sysctl security.mac.ipacl.ipv4=1 sysctl security.mac.ipacl.rules="1,1,,AF_INET,169.254.123.123/24"
- Set different IP addresses within the jail to test the access control. For example:
Successful attempt: jexec 1 ifconfig epair0b inet 169.254.123.123/24 up Unsuccessful attempt (permission denied): jexec 1 ifconfig epair0b inet 169.254.120.123/24 up