xref: /freebsd/sys/netinet/in_jail.c (revision 5e801ac66d24704442eba426ed13c3effb8a34e7)
1 /*-
2  * Copyright (c) 1999 Poul-Henning Kamp.
3  * Copyright (c) 2008 Bjoern A. Zeeb.
4  * Copyright (c) 2009 James Gritton.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31 
32 #include "opt_ddb.h"
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 
36 #include <sys/param.h>
37 #include <sys/types.h>
38 #include <sys/kernel.h>
39 #include <sys/systm.h>
40 #include <sys/errno.h>
41 #include <sys/sysproto.h>
42 #include <sys/malloc.h>
43 #include <sys/osd.h>
44 #include <sys/priv.h>
45 #include <sys/proc.h>
46 #include <sys/taskqueue.h>
47 #include <sys/fcntl.h>
48 #include <sys/jail.h>
49 #include <sys/lock.h>
50 #include <sys/mutex.h>
51 #include <sys/racct.h>
52 #include <sys/refcount.h>
53 #include <sys/sx.h>
54 #include <sys/sysent.h>
55 #include <sys/namei.h>
56 #include <sys/mount.h>
57 #include <sys/queue.h>
58 #include <sys/socket.h>
59 #include <sys/syscallsubr.h>
60 #include <sys/sysctl.h>
61 #include <sys/vnode.h>
62 
63 #include <net/if.h>
64 #include <net/vnet.h>
65 
66 #include <netinet/in.h>
67 
68 static in_addr_t
69 prison_primary_ip4(const struct prison *pr)
70 {
71 
72 	return (((const struct in_addr *)prison_ip_get0(pr, PR_INET))->s_addr);
73 }
74 
75 int
76 prison_qcmp_v4(const void *ip1, const void *ip2)
77 {
78 	in_addr_t iaa, iab;
79 
80 	/*
81 	 * We need to compare in HBO here to get the list sorted as expected
82 	 * by the result of the code.  Sorting NBO addresses gives you
83 	 * interesting results.  If you do not understand, do not try.
84 	 */
85 	iaa = ntohl(((const struct in_addr *)ip1)->s_addr);
86 	iab = ntohl(((const struct in_addr *)ip2)->s_addr);
87 
88 	/*
89 	 * Do not simply return the difference of the two numbers, the int is
90 	 * not wide enough.
91 	 */
92 	if (iaa > iab)
93 		return (1);
94 	else if (iaa < iab)
95 		return (-1);
96 	else
97 		return (0);
98 }
99 
100 bool
101 prison_valid_v4(const void *ip)
102 {
103 	in_addr_t ia = ((const struct in_addr *)ip)->s_addr;
104 
105 	/*
106 	 * We do not have to care about byte order for these
107 	 * checks so we will do them in NBO.
108 	 */
109 	return (ia != INADDR_ANY && ia != INADDR_BROADCAST);
110 }
111 
112 /*
113  * Pass back primary IPv4 address of this jail.
114  *
115  * If not restricted return success but do not alter the address.  Caller has
116  * to make sure to initialize it correctly (e.g. INADDR_ANY).
117  *
118  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
119  * Address returned in NBO.
120  */
121 int
122 prison_get_ip4(struct ucred *cred, struct in_addr *ia)
123 {
124 	struct prison *pr;
125 
126 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
127 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
128 
129 	pr = cred->cr_prison;
130 	if (!(pr->pr_flags & PR_IP4))
131 		return (0);
132 	mtx_lock(&pr->pr_mtx);
133 	if (!(pr->pr_flags & PR_IP4)) {
134 		mtx_unlock(&pr->pr_mtx);
135 		return (0);
136 	}
137 	if (pr->pr_addrs[PR_INET] == NULL) {
138 		mtx_unlock(&pr->pr_mtx);
139 		return (EAFNOSUPPORT);
140 	}
141 
142 	ia->s_addr = prison_primary_ip4(pr);
143 	mtx_unlock(&pr->pr_mtx);
144 	return (0);
145 }
146 
147 /*
148  * Return 1 if we should do proper source address selection or are not jailed.
149  * We will return 0 if we should bypass source address selection in favour
150  * of the primary jail IPv4 address. Only in this case *ia will be updated and
151  * returned in NBO.
152  * Return EAFNOSUPPORT, in case this jail does not allow IPv4.
153  */
154 int
155 prison_saddrsel_ip4(struct ucred *cred, struct in_addr *ia)
156 {
157 	struct prison *pr;
158 	struct in_addr lia;
159 	int error;
160 
161 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
162 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
163 
164 	if (!jailed(cred))
165 		return (1);
166 
167 	pr = cred->cr_prison;
168 	if (pr->pr_flags & PR_IP4_SADDRSEL)
169 		return (1);
170 
171 	lia.s_addr = INADDR_ANY;
172 	error = prison_get_ip4(cred, &lia);
173 	if (error)
174 		return (error);
175 	if (lia.s_addr == INADDR_ANY)
176 		return (1);
177 
178 	ia->s_addr = lia.s_addr;
179 	return (0);
180 }
181 
182 /*
183  * Return true if pr1 and pr2 have the same IPv4 address restrictions.
184  */
185 int
186 prison_equal_ip4(struct prison *pr1, struct prison *pr2)
187 {
188 
189 	if (pr1 == pr2)
190 		return (1);
191 
192 	/*
193 	 * No need to lock since the PR_IP4_USER flag can't be altered for
194 	 * existing prisons.
195 	 */
196 	while (pr1 != &prison0 &&
197 #ifdef VIMAGE
198 	       !(pr1->pr_flags & PR_VNET) &&
199 #endif
200 	       !(pr1->pr_flags & PR_IP4_USER))
201 		pr1 = pr1->pr_parent;
202 	while (pr2 != &prison0 &&
203 #ifdef VIMAGE
204 	       !(pr2->pr_flags & PR_VNET) &&
205 #endif
206 	       !(pr2->pr_flags & PR_IP4_USER))
207 		pr2 = pr2->pr_parent;
208 	return (pr1 == pr2);
209 }
210 
211 /*
212  * Make sure our (source) address is set to something meaningful to this
213  * jail.
214  *
215  * Returns 0 if jail doesn't restrict IPv4 or if address belongs to jail,
216  * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
217  * doesn't allow IPv4.  Address passed in in NBO and returned in NBO.
218  */
219 int
220 prison_local_ip4(struct ucred *cred, struct in_addr *ia)
221 {
222 	struct prison *pr;
223 	struct in_addr ia0;
224 	int error;
225 
226 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
227 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
228 
229 	pr = cred->cr_prison;
230 	if (!(pr->pr_flags & PR_IP4))
231 		return (0);
232 	mtx_lock(&pr->pr_mtx);
233 	if (!(pr->pr_flags & PR_IP4)) {
234 		mtx_unlock(&pr->pr_mtx);
235 		return (0);
236 	}
237 	if (pr->pr_addrs[PR_INET] == NULL) {
238 		mtx_unlock(&pr->pr_mtx);
239 		return (EAFNOSUPPORT);
240 	}
241 
242 	ia0.s_addr = ntohl(ia->s_addr);
243 
244 	if (ia0.s_addr == INADDR_ANY) {
245 		/*
246 		 * In case there is only 1 IPv4 address, bind directly.
247 		 */
248 		if (prison_ip_cnt(pr, PR_INET) == 1)
249 			ia->s_addr = prison_primary_ip4(pr);
250 		mtx_unlock(&pr->pr_mtx);
251 		return (0);
252 	}
253 
254 	error = prison_check_ip4_locked(pr, ia);
255 	if (error == EADDRNOTAVAIL && ia0.s_addr == INADDR_LOOPBACK) {
256 		ia->s_addr = prison_primary_ip4(pr);
257 		error = 0;
258 	}
259 
260 	mtx_unlock(&pr->pr_mtx);
261 	return (error);
262 }
263 
264 /*
265  * Rewrite destination address in case we will connect to loopback address.
266  *
267  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv4.
268  * Address passed in in NBO and returned in NBO.
269  */
270 int
271 prison_remote_ip4(struct ucred *cred, struct in_addr *ia)
272 {
273 	struct prison *pr;
274 
275 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
276 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
277 
278 	pr = cred->cr_prison;
279 	if (!(pr->pr_flags & PR_IP4))
280 		return (0);
281 	mtx_lock(&pr->pr_mtx);
282 	if (!(pr->pr_flags & PR_IP4)) {
283 		mtx_unlock(&pr->pr_mtx);
284 		return (0);
285 	}
286 	if (pr->pr_addrs[PR_INET] == NULL) {
287 		mtx_unlock(&pr->pr_mtx);
288 		return (EAFNOSUPPORT);
289 	}
290 
291 	if (ntohl(ia->s_addr) == INADDR_LOOPBACK &&
292 	    prison_check_ip4_locked(pr, ia) == EADDRNOTAVAIL) {
293 		ia->s_addr = prison_primary_ip4(pr);
294 		mtx_unlock(&pr->pr_mtx);
295 		return (0);
296 	}
297 
298 	/*
299 	 * Return success because nothing had to be changed.
300 	 */
301 	mtx_unlock(&pr->pr_mtx);
302 	return (0);
303 }
304 
305 /*
306  * Check if given address belongs to the jail referenced by cred/prison.
307  *
308  * Returns 0 if address belongs to jail,
309  * EADDRNOTAVAIL if the address doesn't belong to the jail.
310  */
311 int
312 prison_check_ip4_locked(const struct prison *pr, const struct in_addr *ia)
313 {
314 
315 	if (!(pr->pr_flags & PR_IP4))
316 		return (0);
317 
318 	return (prison_ip_check(pr, PR_INET, ia));
319 }
320 
321 int
322 prison_check_ip4(const struct ucred *cred, const struct in_addr *ia)
323 {
324 	struct prison *pr;
325 	int error;
326 
327 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
328 	KASSERT(ia != NULL, ("%s: ia is NULL", __func__));
329 
330 	pr = cred->cr_prison;
331 	if (!(pr->pr_flags & PR_IP4))
332 		return (0);
333 	mtx_lock(&pr->pr_mtx);
334 	if (!(pr->pr_flags & PR_IP4)) {
335 		mtx_unlock(&pr->pr_mtx);
336 		return (0);
337 	}
338 	if (pr->pr_addrs[PR_INET] == NULL) {
339 		mtx_unlock(&pr->pr_mtx);
340 		return (EAFNOSUPPORT);
341 	}
342 
343 	error = prison_check_ip4_locked(pr, ia);
344 	mtx_unlock(&pr->pr_mtx);
345 	return (error);
346 }
347