Changeset View
Changeset View
Standalone View
Standalone View
sys/security/mac_ipacl/notes.txt
| ----------------------------------- | ----------------------------------- | ||||
| Documentation Notes- | Documentation Notes- | ||||
| IP Address access control policy | IP Address access control policy | ||||
| 1. mac_ipacl allows the root of the host to limit the VNET jail's privileges | 1. mac_ipacl allows the root of the host to limit the VNET jail's privileges | ||||
| of setting IPv4 and IPv6 addresses via sysctl(8) interface. | of setting IPv4 and IPv6 addresses via sysctl(8) interface. So, the host | ||||
| can define rules for jails and their interfaces about IP addresses. | |||||
| 2. Its default behaviour is to deny all IP addresses if policy is enforced and allow/deny | 2. Its default behaviour is to deny all IP addresses if policy is enforced and allow/deny | ||||
| IP(or subnets) according to rules specified with sysctl | IP(or subnets) according to rules specified with sysctl | ||||
| Runtime Configuration-sysctl(8) MIB | Runtime Configuration-sysctl(8) MIB | ||||
| security.mac.ipacl.ipv4: enforce the mac_ipacl for ipv4 addresses (default:1) | security.mac.ipacl.ipv4: enforce the mac_ipacl for ipv4 addresses (default:1) | ||||
| security.mac.ipacl.ipv6: enforce the mac_ipacl for ipv6 addresses (default:1) | security.mac.ipacl.ipv6: enforce the mac_ipacl for ipv6 addresses (default:1) | ||||
| security.mac.ipacl.rules: | security.mac.ipacl.rules: | ||||
| jail_id@allow@interface@address_family@IP_addr@prefix_length[,jail_id@...] | jail_id@allow@interface@address_family@IP_addr@prefix_length[,jail_id@...] | ||||
| jail_id: Describe the jail id of the jail for which the rule is written | jail_id: Describe the jail id of the jail for which the rule is written | ||||
| allow: 1 for allow and 0 for deny. action to perform for the rule | allow: 1 for allow and 0 for deny. action to perform for the rule | ||||
| interface: name of the interface the rule is enforced for. Interface is | interface: name of the interface the rule is enforced for. Interface is | ||||
| left empty(ie, NULL) then it is a wildcard to enforce rule | left empty(ie, NULL) then it is a wildcard to enforce rule | ||||
| for all interfaces. | for all interfaces. | ||||
| address_family: Address family of the IP_addr. give input string as AF_INET | address_family: Address family of the IP_addr. give input as AF_INET | ||||
| or AF_INET6 only | or AF_INET6 string only | ||||
| IP_addr: IP address(or subnet) to be allowed/deny. Action depend on the | IP_addr: IP address(or subnet) to be allowed/deny. Action depend on the | ||||
| prefix length | prefix length | ||||
| prefix_length: Prefix length of the subnet to be enforced by the policy. | prefix_length: Prefix length of the subnet to be enforced by the policy. | ||||
| -1 impleis the policy is enforced for indivisual IP address. | -1 implies the policy is enforced for individual IP address. | ||||
| For non-negative value, a range of IP address(present in subnet) | |||||
| which calculated as subnet = IP_addr & mask | |||||
| 3. Example- | 3. Example- | ||||
| a.) | a.) | ||||
| sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
| sysctl security.mac.ipacl.ipv6=0 | sysctl security.mac.ipacl.ipv6=0 | ||||
| sysctl security.mac.ipacl.rules=1@1@@AF_INET@169.254.123.123@-1 | sysctl security.mac.ipacl.rules=1@1@@AF_INET@169.254.123.123@-1 | ||||
| It allows only 169.254.123.123 IPv4 address for all interfaces(wildcard) of jail 1. | It allows only 169.254.123.123 IPv4 address for all interfaces(wildcard) of jail 1. | ||||
| It allows all IPv6 address since policy is not enforced for IPv6. | It allows all IPv6 address since policy is not enforced for IPv6. | ||||
| b.) | b.) | ||||
| sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
| sysctl security.mac.ipacl.ipv6=1 | sysctl security.mac.ipacl.ipv6=1 | ||||
| sysctl security.mac.ipacl.rules=1@1@epair0b@AF_INET6@fe80::@32,1@0@epair0b@AF_INET6@fe80::abcd@-1 | sysctl security.mac.ipacl.rules=1@1@epair0b@AF_INET6@fe80::@32,1@0@epair0b@AF_INET6@fe80::abcd@-1 | ||||
| It deny all IPv4 address as policy is enforced but no rules are specified about it. | It deny all IPv4 address as policy is enforced but no rules are specified about it. | ||||
| It allow all IPv6 address in the subnet- fe80::/32 except fe80::abcd for interface epair0b only | It allow all IPv6 address in the subnet- fe80::/32 except fe80::abcd for interface epair0b only | ||||
| c.) | c.) | ||||
| sysctl security.mac.ipacl.ipv4=1 | sysctl security.mac.ipacl.ipv4=1 | ||||
| sysctl security.mac.ipacl.ipv6=1 | sysctl security.mac.ipacl.ipv6=1 | ||||
| sysctl security.mac.ipacl.rules=2@1@@AF_INET6@fc00::@7,2@0@@AF_INET6@fc00::1111:2200@120,2@1@@AF_INET6@fc00::1111:2299@-1,1@1@@AF_INET@198.51.100.0@24 | sysctl security.mac.ipacl.rules=2@1@@AF_INET6@fc00::@7,2@0@@AF_INET6@fc00::1111:2200@120,2@1@@AF_INET6@fc00::1111:2299@-1,1@1@@AF_INET@198.51.100.0@24 | ||||
| It allow IPv4 in the subnet 198.51.100.0/24 for jail 2 and all interfaces. | It allow IPv4 in the subnet 198.51.100.0/24 for jail 2 and all interfaces. | ||||
| It allow IPv6 address in the subnet fc00::/7 but deny the subnet fc00::1111:2200/120, and allow | It allow IPv6 address in the subnet fc00::/7 but deny the subnet fc00::1111:2200/120, and allow | ||||
| individual IP fc00::1111:2299 from the denied subnet for all interfaces in the jail 2 | individual IP fc00::1111:2299 from the denied subnet for all interfaces in the jail 2 | ||||
| 5. To discuss on using the test scripts | |||||
| 4. Using the test scripts: | |||||
| a.) | |||||
| Test scripts are not completely automatic :( So, the user has to create | |||||
| edit the scripts to enter the jid of the test jails and interface. | |||||
| After editing the scripts run make && make install, which then install | |||||
| the scripts in /usr/tests/sys/mac/ipacl. | |||||
| you may also need to create that directory if it gives error. | |||||
| 6. To discuss the limitation of the module and point to be kept in mind while | 6. To discuss the limitation of the module and point to be kept in mind while | ||||
| using it. | using it. | ||||
| a.) | a.) | ||||
| rules are checked in the same sequence they are given. If many rules are | rules are checked in the same sequence they are given. If many rules are | ||||
| there for a IP(or a set of IP), result depend on final rule. | there for a IP(or a set of IP), result depend on final rule. | ||||
| b.) | b.) | ||||
| 7. Future Works | |||||
| a.) | |||||
| rules are given with sysctl interface which gets very complex to give them all in | |||||
| command line. It has to be simplified with a better way to input those rules. | |||||
| ------------------------------------- | ------------------------------------- | ||||
| Commands- | Commands- | ||||
| 1. kld | 1. kld | ||||
| * kldstat | * kldstat | ||||
| * kldload /usr/obj/usr/home/shivank/freebsd/amd64.amd64/sys/security/mac_ipacl/mac_ipacl.ko | * kldload /usr/obj/usr/home/shivank/freebsd/amd64.amd64/sys/security/mac_ipacl/mac_ipacl.ko | ||||
| * kldunload mac_ipacl | * kldunload mac_ipacl | ||||
| 2. make | 2. make | ||||
| * make obj depend all install #create obj in /boot/modules, can be loaded and unloaded by just name | * make obj depend all install #create obj in /boot/modules, can be loaded and unloaded by just name | ||||
| * make -j 4 KERNCONF=VIMAGE kernel -DKERNFAST | * make -j 4 KERNCONF=VIMAGE kernel -DKERNFAST | ||||