mac_ipacl: new MAC policy module to limit jail/vnet IP configuration

The mac_ipacl policy module enables fine-grained control over IP address
configuration within VNET jails from the base system.
It allows the root user to define rules governing IP addresses for
jails and their interfaces using the sysctl interface.

Requested by:	multiple
Sponsored by:	Google, Inc. (GSoC 2019)
MFC after:	2 months
Reviewed by:	bz, dch (both earlier versions)
Differential Revision: https://reviews.freebsd.org/D20967
This commit is contained in:
Shivank Garg
2023-07-25 20:27:06 +00:00
committed by Bjoern A. Zeeb
parent a1b6757313
commit 215bab7924
20 changed files with 1015 additions and 1 deletions
+10
View File
@@ -115,6 +115,10 @@ __FBSDID("$FreeBSD$");
#include <netinet6/in6_fib.h>
#include <netinet6/in6_pcb.h>
#ifdef MAC
#include <security/mac/mac_framework.h>
#endif
/*
* struct in6_ifreq and struct ifreq must be type punnable for common members
* of ifr_ifru to allow accessors to be shared.
@@ -567,6 +571,12 @@ in6_control_ioctl(u_long cmd, void *data,
break;
case SIOCAIFADDR_IN6:
#ifdef MAC
/* Check if a MAC policy disallows setting the IPv6 address. */
error = mac_inet6_check_add_addr(cred, &sa6->sin6_addr, ifp);
if (error != 0)
goto out;
#endif
error = in6_addifaddr(ifp, ifra, ia);
ia = NULL;
break;