sys/security/mac_ipacl/notes.txt
----------------------------------- | ----------------------------------- | ||||
Documentation Notes- | Documentation Notes- | ||||
IP Address access control policy | IP Address access control policy | ||||
1. mac_ipacl allows the root of the host to limit the VNET jail's privileges | 1. mac_ipacl allows the root of the host to limit the VNET jail's privileges | ||||
of setting IPv4 and IPv6 addresses via sysctl(8) interface. | of setting IPv4 and IPv6 addresses via sysctl(8) interface. So, the host | ||||
can define rules for jails and their interfaces about IP addresses. | |||||
2. Its default behaviour is to deny all IP addresses if policy is enforced and allow/deny | 2. Its default behaviour is to deny all IP addresses if policy is enforced and allow/deny | ||||
IP(or subnets) according to rules specified with sysctl | IP(or subnets) according to rules specified with sysctl | ||||
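Review bot: items 1 and 2 leave the scope of the check ambiguous: item 1 says the policy limits a VNET jail's privileges, but item 2 says the default once enforced is to deny all IP addresses, without saying whether that default also applies to address configuration on the host itself or only to processes inside jails. State explicitly which contexts the hooks apply to. Two small wording points in the same block: "allow/deny IP(or subnets)" needs a space before the parenthesis, and the sentence ending "rules specified with sysctl" is missing its full stop.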
Runtime Configuration-sysctl(8) MIB | Runtime Configuration-sysctl(8) MIB | ||||
security.mac.ipacl.ipv4: enforce the mac_ipacl for ipv4 addresses (default:1) | security.mac.ipacl.ipv4: enforce the mac_ipacl for ipv4 addresses (default:1) | ||||
security.mac.ipacl.ipv6: enforce the mac_ipacl for ipv6 addresses (default:1) | security.mac.ipacl.ipv6: enforce the mac_ipacl for ipv6 addresses (default:1) | ||||
security.mac.ipacl.rules: | security.mac.ipacl.rules: | ||||
jail_id@allow@interface@address_family@IP_addr@prefix_length[,jail_id@...] | jail_id@allow@interface@address_family@IP_addr@prefix_length[,jail_id@...] | ||||
jail_id: Describe the jail id of the jail for which the rule is written | jail_id: Describe the jail id of the jail for which the rule is written | ||||
allow: 1 for allow and 0 for deny. action to perform for the rule | allow: 1 for allow and 0 for deny. action to perform for the rule | ||||
interface: name of the interface the rule is enforced for. Interface is | interface: name of the interface the rule is enforced for. Interface is | ||||
left empty(ie, NULL) then it is a wildcard to enforce rule | left empty(ie, NULL) then it is a wildcard to enforce rule | ||||
for all interfaces. | for all interfaces. | ||||
address_family: Address family of the IP_addr. give input string as AF_INET | address_family: Address family of the IP_addr. give input as AF_INET | ||||
or AF_INET6 only | or AF_INET6 string only | ||||
IP_addr: IP address(or subnet) to be allowed/deny. Action depend on the | IP_addr: IP address(or subnet) to be allowed/deny. Action depend on the | ||||
prefix length | prefix length | ||||
prefix_length: Prefix length of the subnet to be enforced by the policy. | prefix_length: Prefix length of the subnet to be enforced by the policy. | ||||
-1 impleis the policy is enforced for indivisual IP address. | -1 implies the policy is enforced for individual IP address. | ||||
For non-negative value, a range of IP address(present in subnet) | |||||
which calculated as subnet = IP_addr & mask | |||||
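Review bot: the prefix_length description gives neither a valid range nor the failure behaviour: it should state that the value is at most 32 for AF_INET and 128 for AF_INET6, and say what happens on an out-of-range or malformed entry (whether only that rule is dropped or the whole comma-separated string is rejected, since the string is assigned in one sysctl call). In the same block, "Interface is left empty(ie, NULL) then it is a wildcard" should read "If interface is left empty (i.e. NULL) it is a wildcard ...", and the new sentence "a range of IP address(present in subnet) which calculated as subnet = IP_addr & mask" should spell out that mask is derived from prefix_length, e.g. "the rule matches every address in the subnet IP_addr & mask, where mask has prefix_length leading one bits". It would also help to say whether jail_id refers to the jail's current jid only, given that the test-script section has the user enter the jid by hand.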
3. Example- | 3. Example- | ||||
a.) | a.) | ||||
sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
sysctl security.mac.ipacl.ipv6=0 | sysctl security.mac.ipacl.ipv6=0 | ||||
sysctl security.mac.ipacl.rules=1@1@@AF_INET@169.254.123.123@-1 | sysctl security.mac.ipacl.rules=1@1@@AF_INET@169.254.123.123@-1 | ||||
It allows only 169.254.123.123 IPv4 address for all interfaces(wildcard) of jail 1. | It allows only 169.254.123.123 IPv4 address for all interfaces(wildcard) of jail 1. | ||||
It allows all IPv6 address since policy is not enforced for IPv6. | It allows all IPv6 address since policy is not enforced for IPv6. | ||||
b.) | b.) | ||||
sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
sysctl security.mac.ipacl.ipv6=1 | sysctl security.mac.ipacl.ipv6=1 | ||||
sysctl security.mac.ipacl.rules=1@1@epair0b@AF_INET6@fe80::@32,1@0@epair0b@AF_INET6@fe80::abcd@-1 | sysctl security.mac.ipacl.rules=1@1@epair0b@AF_INET6@fe80::@32,1@0@epair0b@AF_INET6@fe80::abcd@-1 | ||||
It deny all IPv4 address as policy is enforced but no rules are specified about it. | It deny all IPv4 address as policy is enforced but no rules are specified about it. | ||||
It allow all IPv6 address in the subnet- fe80::/32 except fe80::abcd for interface epair0b only | It allow all IPv6 address in the subnet- fe80::/32 except fe80::abcd for interface epair0b only | ||||
c.) | c.) | ||||
sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
sysctl security.mac.ipacl.ipv6=1 | sysctl security.mac.ipacl.ipv6=1 | ||||
sysctl security.mac.ipacl.rules=2@1@@AF_INET6@fc00::@7,2@0@@AF_INET6@fc00::1111:2200@120,2@1@@AF_INET6@fc00::1111:2299@-1,1@1@@AF_INET@198.51.100.0@24 | sysctl security.mac.ipacl.rules=2@1@@AF_INET6@fc00::@7,2@0@@AF_INET6@fc00::1111:2200@120,2@1@@AF_INET6@fc00::1111:2299@-1,1@1@@AF_INET@198.51.100.0@24 | ||||
It allow IPv4 in the subnet 198.51.100.0/24 for jail 2 and all interfaces. | It allow IPv4 in the subnet 198.51.100.0/24 for jail 2 and all interfaces. | ||||
It allow IPv6 address in the subnet fc00::/7 but deny the subnet fc00::1111:2200/120, and allow | It allow IPv6 address in the subnet fc00::/7 but deny the subnet fc00::1111:2200/120, and allow | ||||
individual IP fc00::1111:2299 from the denied subnet for all interfaces in the jail 2 | individual IP fc00::1111:2299 from the denied subnet for all interfaces in the jail 2 | ||||
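Review bot: in example c.) the IPv4 rule is written for jail 1 (1@1@@AF_INET@198.51.100.0@24) but the explanation says it allows 198.51.100.0/24 for jail 2; one of the two has to change. The explanations of b.) and c.) also rely on rule order (allow fe80::/32 must come before deny fe80::abcd, and allow fc00::/7, deny fc00::1111:2200/120, allow fc00::1111:2299 must appear in that sequence), yet the order dependency is only mentioned later under limitations; a pointer to it here would stop readers from writing the rules the other way round. Minor: "It deny", "It allow" should be "It denies", "It allows".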
5. To discuss on using the test scripts | |||||
4. Using the test scripts: | |||||
a.) | |||||
Test scripts are not completely automatic :( So, the user has to create | |||||
edit the scripts to enter the jid of the test jails and interface. | |||||
After editing the scripts run make && make install, which then install | |||||
the scripts in /usr/tests/sys/mac/ipacl. | |||||
you may also need to create that directory if it gives error. | |||||
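Review bot: the section numbering is out of order and duplicated: item 3 is followed by "5. To discuss on using the test scripts" and then "4. Using the test scripts:", with 6 and 7 after that; keep a single heading "4. Using the test scripts" and renumber the rest. In the text, "the user has to create edit the scripts" should be "the user has to edit the scripts", and rather than telling the reader to create /usr/tests/sys/mac/ipacl by hand when install fails, the makefile should create the directory (or the note should give the mkdir command to run).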
6. To discuss the limitation of the module and point to be kept in mind while | 6. To discuss the limitation of the module and point to be kept in mind while | ||||
using it. | using it. | ||||
a.) | a.) | ||||
rules are checked in the same sequence they are given. If many rules are | rules are checked in the same sequence they are given. If many rules are | ||||
there for a IP(or a set of IP), result depend on final rule. | there for a IP(or a set of IP), result depend on final rule. | ||||
b.) | b.) | ||||
7. Future Works | |||||
a.) | |||||
rules are given with sysctl interface which gets very complex to give them all in | |||||
command line. It has to be simplified with a better way to input those rules. | |||||
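Review bot: sub-item b.) of the limitations section is an empty placeholder and should be filled in or removed before commit. The ordering rule in a.) is the central semantic of the module and is stated too loosely: "result depend on final rule" should say whether the last rule in the string or the last rule that matches the address decides, and should tie back to item 2 so the reader knows that an address matching no rule is denied while enforcement is on. "a IP" should be "an IP".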
------------------------------------- | ------------------------------------- | ||||
Commands- | Commands- | ||||
1. kld | 1. kld | ||||
* kldstat | * kldstat | ||||
* kldload /usr/obj/usr/home/shivank/freebsd/amd64.amd64/sys/security/mac_ipacl/mac_ipacl.ko | * kldload /usr/obj/usr/home/shivank/freebsd/amd64.amd64/sys/security/mac_ipacl/mac_ipacl.ko | ||||
* kldunload mac_ipacl | * kldunload mac_ipacl | ||||
2. make | 2. make | ||||
* make obj depend all install #create obj in /boot/modules, can be loaded and unloaded by just name | * make obj depend all install #create obj in /boot/modules, can be loaded and unloaded by just name | ||||
* make -j 4 KERNCONF=VIMAGE kernel -DKERNFAST | * make -j 4 KERNCONF=VIMAGE kernel -DKERNFAST |
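Review bot: the kldload path /usr/obj/usr/home/shivank/freebsd/amd64.amd64/sys/security/mac_ipacl/mac_ipacl.ko is a developer-specific object directory and should not be committed in the notes; after "make obj depend all install" the module is in /boot/modules and "kldload mac_ipacl" is enough, which the comment on the make line already says. The "make ... KERNCONF=VIMAGE kernel" line also implies the module needs a VIMAGE kernel, which belongs in item 1 as a stated requirement rather than only in the build commands.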