xref: /freebsd/sys/netinet/in_jail.c (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf)
1 /*-
2  * Copyright (c) 1999 Poul-Henning Kamp.
3  * Copyright (c) 2008 Bjoern A. Zeeb.
4  * Copyright (c) 2009 James Gritton.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 #include "opt_ddb.h"
31 #include "opt_inet.h"
32 #include "opt_inet6.h"
33 
34 #include <sys/param.h>
35 #include <sys/types.h>
36 #include <sys/kernel.h>
37 #include <sys/systm.h>
38 #include <sys/errno.h>
39 #include <sys/sysproto.h>
40 #include <sys/malloc.h>
41 #include <sys/osd.h>
42 #include <sys/priv.h>
43 #include <sys/proc.h>
44 #include <sys/taskqueue.h>
45 #include <sys/fcntl.h>
46 #include <sys/jail.h>
47 #include <sys/lock.h>
48 #include <sys/mutex.h>
49 #include <sys/racct.h>
50 #include <sys/refcount.h>
51 #include <sys/sx.h>
52 #include <sys/namei.h>
53 #include <sys/mount.h>
54 #include <sys/queue.h>
55 #include <sys/socket.h>
56 #include <sys/syscallsubr.h>
57 #include <sys/sysctl.h>
58 #include <sys/vnode.h>
59 
60 #include <net/if.h>
61 #include <net/vnet.h>
62 
63 #include <netinet/in.h>
64 
65 static in_addr_t
66 prison_primary_ip4(const struct prison *pr)
67 {
68 
69 	return (((const struct in_addr *)prison_ip_get0(pr, PR_INET))->s_addr);
70 }
71 
72 int
73 prison_qcmp_v4(const void *ip1, const void *ip2)
74 {
75 	in_addr_t iaa, iab;
76 
77 	/*
78 	 * We need to compare in HBO here to get the list sorted as expected
79 	 * by the result of the code.  Sorting NBO addresses gives you
80 	 * interesting results.  If you do not understand, do not try.
81 	 */
82 	iaa = ntohl(((const struct in_addr *)ip1)->s_addr);
83 	iab = ntohl(((const struct in_addr *)ip2)->s_addr);
84 
85 	/*
86 	 * Do not simply return the difference of the two numbers, the int is
87 	 * not wide enough.
88 	 */
89 	if (iaa > iab)
90 		return (1);
91 	else if (iaa < iab)
92 		return (-1);
93 	else
94 		return (0);
95 }
96 
97 bool
98 prison_valid_v4(const void *ip)
99 {
100 	in_addr_t ia = ((const struct in_addr *)ip)->s_addr;
101 
102 	/*
103 	 * We do not have to care about byte order for these
104 	 * checks so we will do them in NBO.
105 	 */
106 	return (ia != INADDR_ANY && ia != INADDR_BROADCAST);
107 }
108 
109 /*
110  * Pass back primary IPv4 address of this jail.
111  *
112  * If not restricted return success but do not alter the address.  Caller has
113  * to make sure to initialize it correctly (e.g. INADDR_ANY).
114  *
115  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
116  * Address returned in NBO.
117  */
118 int
119 prison_get_ip4(struct ucred *cred, struct in_addr *ia)
120 {
121 	struct prison *pr;
122 
123 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
124 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
125 
126 	pr = cred->cr_prison;
127 	if (!(pr->pr_flags & PR_IP4))
128 		return (0);
129 	mtx_lock(&pr->pr_mtx);
130 	if (!(pr->pr_flags & PR_IP4)) {
131 		mtx_unlock(&pr->pr_mtx);
132 		return (0);
133 	}
134 	if (pr->pr_addrs[PR_INET] == NULL) {
135 		mtx_unlock(&pr->pr_mtx);
136 		return (EAFNOSUPPORT);
137 	}
138 
139 	ia->s_addr = prison_primary_ip4(pr);
140 	mtx_unlock(&pr->pr_mtx);
141 	return (0);
142 }
143 
144 /*
145  * Return true if we should do proper source address selection or are not jailed.
146  * We will return false if we should bypass source address selection in favour
147  * of the primary jail IPv4 address. Only in this case *ia will be updated and
148  * returned in NBO.
149  * Return true, even in case this jail does not allow IPv4.
150  */
151 bool
152 prison_saddrsel_ip4(struct ucred *cred, struct in_addr *ia)
153 {
154 	struct prison *pr;
155 	struct in_addr lia;
156 
157 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
158 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
159 
160 	if (!jailed(cred))
161 		return (true);
162 
163 	pr = cred->cr_prison;
164 	if (pr->pr_flags & PR_IP4_SADDRSEL)
165 		return (true);
166 
167 	lia.s_addr = INADDR_ANY;
168 	if (prison_get_ip4(cred, &lia) != 0)
169 		return (true);
170 	if (lia.s_addr == INADDR_ANY)
171 		return (true);
172 
173 	ia->s_addr = lia.s_addr;
174 	return (false);
175 }
176 
177 /*
178  * Return true if pr1 and pr2 have the same IPv4 address restrictions.
179  */
180 bool
181 prison_equal_ip4(struct prison *pr1, struct prison *pr2)
182 {
183 
184 	if (pr1 == pr2)
185 		return (true);
186 
187 	/*
188 	 * No need to lock since the PR_IP4_USER flag can't be altered for
189 	 * existing prisons.
190 	 */
191 	while (pr1 != &prison0 &&
192 #ifdef VIMAGE
193 	       !(pr1->pr_flags & PR_VNET) &&
194 #endif
195 	       !(pr1->pr_flags & PR_IP4_USER))
196 		pr1 = pr1->pr_parent;
197 	while (pr2 != &prison0 &&
198 #ifdef VIMAGE
199 	       !(pr2->pr_flags & PR_VNET) &&
200 #endif
201 	       !(pr2->pr_flags & PR_IP4_USER))
202 		pr2 = pr2->pr_parent;
203 	return (pr1 == pr2);
204 }
205 
206 /*
207  * Make sure our (source) address is set to something meaningful to this
208  * jail.
209  *
210  * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
211  * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
212  * doesn't allow IPv4.  Address passed in in NBO and returned in NBO.
213  */
214 int
215 prison_local_ip4(struct ucred *cred, struct in_addr *ia)
216 {
217 	struct prison *pr;
218 	struct in_addr ia0;
219 	int error;
220 
221 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
222 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
223 
224 	pr = cred->cr_prison;
225 	if (!(pr->pr_flags & PR_IP4))
226 		return (0);
227 	mtx_lock(&pr->pr_mtx);
228 	if (!(pr->pr_flags & PR_IP4)) {
229 		mtx_unlock(&pr->pr_mtx);
230 		return (0);
231 	}
232 	if (pr->pr_addrs[PR_INET] == NULL) {
233 		mtx_unlock(&pr->pr_mtx);
234 		return (EAFNOSUPPORT);
235 	}
236 
237 	ia0.s_addr = ntohl(ia->s_addr);
238 
239 	if (ia0.s_addr == INADDR_ANY) {
240 		/*
241 		 * In case there is only 1 IPv4 address, bind directly.
242 		 */
243 		if (prison_ip_cnt(pr, PR_INET) == 1)
244 			ia->s_addr = prison_primary_ip4(pr);
245 		mtx_unlock(&pr->pr_mtx);
246 		return (0);
247 	}
248 
249 	error = prison_check_ip4_locked(pr, ia);
250 	if (error == EADDRNOTAVAIL && ia0.s_addr == INADDR_LOOPBACK) {
251 		ia->s_addr = prison_primary_ip4(pr);
252 		error = 0;
253 	}
254 
255 	mtx_unlock(&pr->pr_mtx);
256 	return (error);
257 }
258 
259 /*
260  * Rewrite destination address in case we will connect to loopback address.
261  *
262  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
263  * Address passed in in NBO and returned in NBO.
264  */
265 int
266 prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
267 {
268 	struct prison *pr;
269 
270 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
271 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
272 
273 	pr = cred->cr_prison;
274 	if (!(pr->pr_flags & PR_IP4))
275 		return (0);
276 	mtx_lock(&pr->pr_mtx);
277 	if (!(pr->pr_flags & PR_IP4)) {
278 		mtx_unlock(&pr->pr_mtx);
279 		return (0);
280 	}
281 	if (pr->pr_addrs[PR_INET] == NULL) {
282 		mtx_unlock(&pr->pr_mtx);
283 		return (EAFNOSUPPORT);
284 	}
285 
286 	if (ntohl(ia->s_addr) == INADDR_LOOPBACK &&
287 	    prison_check_ip4_locked(pr, ia) == EADDRNOTAVAIL) {
288 		ia->s_addr = prison_primary_ip4(pr);
289 		mtx_unlock(&pr->pr_mtx);
290 		return (0);
291 	}
292 
293 	/*
294 	 * Return success because nothing had to be changed.
295 	 */
296 	mtx_unlock(&pr->pr_mtx);
297 	return (0);
298 }
299 
300 /*
301  * Check if given address belongs to the jail referenced by cred/prison.
302  *
303  * Returns 0 if address belongs to jail,
304  * EADDRNOTAVAIL if the address doesn't belong to the jail.
305  */
306 int
307 prison_check_ip4_locked(const struct prison *pr, const struct in_addr *ia)
308 {
309 
310 	if (!(pr->pr_flags & PR_IP4))
311 		return (0);
312 
313 	return (prison_ip_check(pr, PR_INET, ia));
314 }
315 
316 int
317 prison_check_ip4(const struct ucred *cred, const struct in_addr *ia)
318 {
319 	struct prison *pr;
320 	int error;
321 
322 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
323 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
324 
325 	pr = cred->cr_prison;
326 	if (!(pr->pr_flags & PR_IP4))
327 		return (0);
328 	mtx_lock(&pr->pr_mtx);
329 	if (!(pr->pr_flags & PR_IP4)) {
330 		mtx_unlock(&pr->pr_mtx);
331 		return (0);
332 	}
333 	if (pr->pr_addrs[PR_INET] == NULL) {
334 		mtx_unlock(&pr->pr_mtx);
335 		return (EAFNOSUPPORT);
336 	}
337 
338 	error = prison_check_ip4_locked(pr, ia);
339 	mtx_unlock(&pr->pr_mtx);
340 	return (error);
341 }
342