mac_ipacl: new MAC policy module to limit jail/vnet IP configuration
The mac_ipacl policy module enables fine-grained control over IP address configuration within VNET jails from the base system. It allows the root user to define rules governing IP addresses for jails and their interfaces using the sysctl interface. Requested by: multiple Sponsored by: Google, Inc. (GSoC 2019) MFC after: 2 months Reviewed by: bz, dch (both earlier versions) Differential Revision: https://reviews.freebsd.org/D20967
committed by
Bjoern A. Zeeb
parent
a1b6757313
commit
215bab7924
@@ -115,6 +115,10 @@ __FBSDID("$FreeBSD$");
|
||||
#include <netinet6/in6_fib.h>
|
||||
#include <netinet6/in6_pcb.h>
|
||||
|
||||
#ifdef MAC
|
||||
#include <security/mac/mac_framework.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* struct in6_ifreq and struct ifreq must be type punnable for common members
|
||||
* of ifr_ifru to allow accessors to be shared.
|
||||
@@ -567,6 +571,12 @@ in6_control_ioctl(u_long cmd, void *data,
|
||||
break;
|
||||
|
||||
case SIOCAIFADDR_IN6:
|
||||
#ifdef MAC
|
||||
/* Check if a MAC policy disallows setting the IPv6 address. */
|
||||
error = mac_inet6_check_add_addr(cred, &sa6->sin6_addr, ifp);
|
||||
if (error != 0)
|
||||
goto out;
|
||||
#endif
|
||||
error = in6_addifaddr(ifp, ifra, ia);
|
||||
ia = NULL;
|
||||
break;
|
||||
|
||||