This will end up being a port.
Oct 9 2024
Sep 1 2023
In D41679#949984, @manu wrote: In D41679#949804, @imp wrote: sys/contrib is good for this, but sys/gnu might be even better since it is GPL'd.
I don't think that we want new GPL'ed code in base?
Aug 31 2023
sys/contrib is good for this, but sys/gnu might be even better since it is GPL'd.
Jul 26 2023
Jul 17 2023
ld: error: undefined symbol: arp_ifinit
This issue is fixed in the latest code, in a commit last week: https://github.com/freebsd/freebsd-src/commit/5684c8783b64e33f0dab058126b36776adcc8e82
Jul 16 2023
In D20967#934539, @bz wrote:
Can you please point to correct kernel config to be used?
updated the variable declaration and scope considering NO-INET, NO-INET6, NO-IP.
Jul 15 2023
In D20967#934400, @bz wrote: Someone should do (at least) an amd64 universe build for this to make sure the NO-INET NO-INET6 NO-IP (do we still have that) builds are surviving.
- ident GENERIC + include LINT-NOINET + include LINT-NOINET6 + include LINT-NOIP + ident MYKERNEL
Someone should do (at least) an amd64 universe build for this to make sure the NO-INET NO-INET6 NO-IP (do we still have that) builds are surviving.
LGTM, but as I don't have a src bit I can't commit this. Anybody else willing to do that?
Jul 8 2023
Melifaro's point about avoiding parsing in the kernel is a good one. What do you think could be improved here?
- Implemented recommended changes
- Made style changes
- modified the rules_check function to traverse the list in reverse order and stop when the first applicable rule (matching IP address) is found. Since rules defined later have higher priority, checking the last matching rule is enough.
Jul 6 2023
If you're going to change the format, why not use a tree, as it feels natural for sysctl? One existing example would be dev.pcm.<number>, so following that, we could have security.mac.ipacl.<jid>.<rule> and .family and .address (or maybe .range) as leafs. It is not set in stone that it has to be like that, but given it's sysctl, it feels more natural to me, so please give it a thought. Also, as it is about jail, it would also feel more natural to have these tunables under security.jail.<jid>.
The @ character is visually quite large and makes it hard to scan and read for a human.
Jul 3 2023
Manual page LGTM now, will rereview once the source code is finalized.
Jul 2 2023
Overall this is a really nice addition and I'd love to have it in base. I have one concern on the rule import/export implementation - happy to discuss this further & left a couple of non-critical comments on the code.
Thank you for working on this!
Jul 1 2023
- rebased the code on top of latest src changes
- made changes to man page as suggested in comments
Jun 19 2023
Hi,
thanks for the comments.
I'll test my patch and will apply the suggested changes in the man page.
Thanks
In D20967#923964, @pauamma_gundo.com wrote: Some nits in the manual page, which can probably be fixed in a follow-up commit (with .Dd bumped) if the code still works.
Jun 16 2023
Some nits in the manual page, which can probably be fixed in a follow-up commit (with .Dd bumped) if the code still works.
Jun 14 2023
In D20967#632260, @dch wrote: This appears to have been accepted but not merged - it would be great to have it get into 13.0 if there's still time
Jan 21 2021
This appears to have been accepted but not merged - it would be great to have it get into 13.0 if there's still time
Sep 12 2020
In D26243#587330, @asomers wrote: Isn't audit_nfsarg_vnode1 the problem? You already know the path when you call AUDIT_ARG_UPATH1_VP, right?
Sep 11 2020
In D26243#587174, @shivank wrote: In D26243#587132, @mjg wrote: Audit support for regular lookup starts with AUDIT_ARG_UPATH1_VP/AUDIT_ARG_UPATH2_VP without any vnodes locked. Later on visited vnodes get added with AUDIT_ARG_VNODE1/AUDIT_ARG_VNODE2 which only performs VOP_GETATTR (i.e. does *NOT* resolve any paths). Your code should follow the same scheme.
As you can see path resolving routines can take vnode locks on their own (modulo the smr case). This means they can't be called with locked vnodes to begin with, as otherwise you risk violating global lock ordering and consequently deadlocking the kernel.
The VOP_ISLOCKED routine is not entirely legal to call if you don't hold the lock. The name is perhaps misleading, but it can only reliably tell you that you have an exclusive lock or that *SOMEONE* has a shared lock (and it may be you). Or to put it differently, if you don't have the vnode locked but someone else has it shared locked, you will get non-0 and that's how you get the panic. Regardless of this problem, adding the call reduces performance and most notably suggests a bug on its own.
So the question is why are you calling here with any vnodes locked.
I wish to audit the canonical path of the file requested by the NFS clients. The requested path from the client is extracted in the NFS server using nfsrv_parsename, but the vnode is locked in some NFS services. I thought of unlocking/relocking of vnode for path audit but Rick advised not to. That's why I had to call this locked vnode.
Thanks for your question which made me rethink the problem from scratch and I got a new idea for auditing path.
Hi @rmacklem and @asomers, if I use nfsvno_namei to get the canonical path for the client, I will not need the AUDIT_ARG_UPATH1_VP, which will save me from all the trouble of passing a locked vnode to vn_fullpath_global. Please provide your opinion on the same.
Sep 10 2020
I feel vfs_cache.c changes for making vn_fullpath_global work for optionally locked vnode are causing the trouble. Though I'm not sure what's the problem. I request Mateusz Guzik, @mjg to have a look at my vfs_cache.c changes. I would be grateful for your time.
Sep 7 2020
The new code looks better. But grrr, there are two big problems:
- It doesn't compile due to some recent changes on head. I suggest the following:
- Remove the <rpc/rpc.h>, <sys/mount.h>, and <fs/nfs/*> includes from audit.h. In addition to fixing the compile failure, it's generally not recommended to include headers from other headers. Sometimes it's necessary, but it also causes header pollution, and slow build times. Instead of including those files, just forward declare struct nfsrv_descript; and struct kaudit_record;.
- Add <netinet/in.h>, <rpc/rpc.h>, <fs/nfs/nfsdport.h>, <fs/nfs/nfsproto.h>, and <fs/nfs/nfs.h> to audit_bsm_db.c
- Add <rpc/rpc.h>, <fs/nfs/nfsport.h>, <fs/nfs/nfsproto.h>, and <fs/nfs/nfs.h> to audit.c
- merge vn_fullpath_any and vn_vptocnp with their locked counterpart to work for optionally locked vnodes.
Sep 6 2020
Aug 31 2020
I created a new review - D26243. Sorry for the trouble.
It was earlier being reviewed on D25869. But due to the change of base revision, it was showing changes which were not mine. So, I created a new review here.
Aug 30 2020
In D25869#583083, @shivank wrote: It looks like your most recent change rebased the base revision. That makes it very hard to see which changes are from you and which aren't. Could you please either un-rebase it or, if that's not possible, open a new review?
Ohh, sorry! I didn't think pulling HEAD changes would create this side-effect in the revision.
I think I would open a new review as going back will have conflicting changes again. Should I abandon this while creating a new one?
It looks like your most recent change rebased the base revision. That makes it very hard to see which changes are from you and which aren't. Could you please either un-rebase it or, if that's not possible, open a new review?
Aug 28 2020
- updated sys/kern/vfs_cache.c to reduce code duplication with vn_fullpath_dir
- some trivial changes
Aug 20 2020
Regarding code duplication in vn_fullpath_dir_locked:
I modified vn_fullpath_dir (and removed vn_fullpath_dir_locked) for optionally locked vnode here in git commit: https://github.com/shivankgarg98/freebsd/commit/418c1c2a6de9989fe7a541f6111ee2c3f2786c7b
It works fine in the NFSv4=3 case but somehow breaks nfsrvd_open to result in an error (and hence can't open/create a regular file from the client).
Using two completely separate functions reduces the scope of error. It also prevents any mutation to the current code path for not locked vnodes, while allowing it to work for locked vnodes.
follow-up on suggested changes.
Aug 19 2020
This is a much better locking strategy. However, there's a lot of duplicated code. Could you maybe combine the _locked with the original functions, so there wouldn't be so much duplication?
Aug 4 2020
removing unlocking/relocking implementation for vnode for auditing path, instead, define separate functions in vfs_cache.c for locked vnode as argument.
Jul 30 2020
Thanks for all suggestions. I have incorporated them into my code. There is just a directory vnode unlocking/relocking issue not done yet.
In summary, locking and unlocking vnodes in this code is dangerous
and I am not in a position to make sure what you do is safe.
Jul 29 2020
follow up on changes suggested by asomers@
Jul 28 2020
Aug 19 2019
Aug 9 2019
- correct the IP addresses which were not in the documentation range
There's a couple of public IP(v6) addresses in the test scripts. We'd prefer not to have accidents with people. Can you please change them?
Aug 6 2019
- add ipacl entry in tests Makefile
- fix minor issues in mac_ipacl.4
Aug 5 2019
Aug 4 2019
All the tests seem to work on r350568
Aug 3 2019
- make tests more structured with atf
- update man page mac_ipacl.4
check if the ipf module is loaded using "kldstat -q -m ipfilter" because "kldstat -q -m ipl" doesn't work.
Jul 31 2019
fix errors shown by mandoc -Tlint for mac_ipacl.4
fix the license and copyrights
Hi, @0mp thanks for the suggestion :).
You may also want to run mandoc -Tlint apart from igor. :)
Jul 30 2019
- Fix ipf check (using type ipf &> /dev/null)
Jul 29 2019
I think I'm happy with this.
I'll give Tom a bit of time to add any more remarks he might have, but I think we can commit this soon.
- Used ULA for v6 addresses
- Changed license according to preferred license
- For no_dad, I am taking kp's words regarding speed of the tests.
Jul 28 2019
- move man page to its right place
Jul 27 2019
Jul 26 2019
- Add check for bad argument in setup_tests
- Add atf-fail in case of wrong firewall name in firewall_config
I'd want Tom to have a look too, but I think we're pretty close to something ready to commit.
- Replaced spaces with tabs
- Created firewall_init function with firewall name as an argument
- Modified firewall_cleanup function to take name of the firewall as an argument
- Removed obsolete functions like ipf_init.
Also, I get 'install: /usr/tests/sys/netpfil/common/pass_block: No such file or directory' trying to install world.
This patch is missing this:
Jul 25 2019
- Correct the license file for mac_ipacl.c and mac_ipacl.4
- fix Kyua for test shell scripts
- fix errors in mac_ipacl.4 man page
Jul 24 2019
Great work on the cleanup; I think apart from the license there are very few minor nits left which are acceptable.
Jul 22 2019
I have a few doubts:
- I'm not clear about the license, should the TrustedBSD be included? if yes, then how? Also, I have copied the sysctl_rules from mac_portacl, Is it infringing any copyright as of now? I've read BSD license is very open, can I mention the mac_portacl?
- should #ifdef INET/INET6 be put in mac_policy.h and mac_framework.h?
- after adding INET/INET6 in mac_ipacl, kyua stopped working for test scripts. It gives errors as "ip4_test:main -> broken: Received signal 6 [0.033s] ip6_test:main -> broken: Received signal 6 [0.032s]" As scripts they are testing fine.
fix style issues
fix copyright issue
Hey, thank you for all the updates. There are a few more. Please let me know when you think you are done with all of them and I'll have a full look again.
add #ifdef INET and #ifdef INET6
fix indentation and style issues
add mac_ipacl entry in kernel conf and modules Makefile
Jul 19 2019
Add copyright and license.
Add a man page for mac_ipacl
indentation and style changes,
moved subnet check code from rules_check to parser,
Jul 17 2019
I think sys/security/mac_ipacl/design_notes.txt and sys/security/mac_ipacl/notes.txt can be removed. Should be turned into a man page really!?
Jul 16 2019
correct the diff file