/*-
 * Copyright (c) 1999 Poul-Henning Kamp.
 * Copyright (c) 2008 Bjoern A. Zeeb.
 * Copyright (c) 2009 James Gritton.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include "opt_ddb.h"
#include "opt_inet.h"
#include "opt_inet6.h"

#include <sys/param.h>
#include <sys/types.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/errno.h>
#include <sys/sysproto.h>
#include <sys/malloc.h>
#include <sys/osd.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/taskqueue.h>
#include <sys/fcntl.h>
#include <sys/jail.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/racct.h>
#include <sys/refcount.h>
#include <sys/sx.h>
#include <sys/sysent.h>
#include <sys/namei.h>
#include <sys/mount.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <sys/syscallsubr.h>
#include <sys/sysctl.h>
#include <sys/vnode.h>

#include <net/if.h>
#include <net/vnet.h>

#include <netinet/in.h>

/*
 * Copy the address that prison_ip_get0(pr, PR_INET6) yields, which this file
 * treats as the jail's primary IPv6 address, into *ia6.
 *
 * No locking or NULL check happens here.  Every caller in this file holds
 * pr->pr_mtx and has already verified that pr->pr_addrs[PR_INET6] is not
 * NULL before calling; a new caller has to do the same.
 */
static void
prison_bcopy_primary_ip6(const struct prison *pr, struct in6_addr *ia6)
{
	const void *primary;

	primary = prison_ip_get0(pr, PR_INET6);
	bcopy(primary, ia6, sizeof(*ia6));
}

/*
 * Ordering function for two IPv6 addresses passed as untyped pointers.
 *
 * The address bytes are compared one by one, first to last, and the first
 * byte that differs decides.  Returns 1 if *ip1 sorts after *ip2, -1 if it
 * sorts before, and 0 if all sizeof(struct in6_addr) bytes are equal.
 */
int
prison_qcmp_v6(const void *ip1, const void *ip2)
{
	const struct in6_addr *lhs, *rhs;
	size_t idx;

	lhs = ip1;
	rhs = ip2;

	for (idx = 0; idx < sizeof(struct in6_addr); idx++) {
		if (lhs->s6_addr[idx] != rhs->s6_addr[idx])
			return (lhs->s6_addr[idx] > rhs->s6_addr[idx] ?
			    1 : -1);
	}
	return (0);
}

/*
 * Validity test for an IPv6 address passed as an untyped pointer: anything
 * other than the unspecified address is accepted.
 */
bool
prison_valid_v6(const void *ip)
{
	const struct in6_addr *addr;

	addr = ip;
	if (IN6_IS_ADDR_UNSPECIFIED(addr))
		return (false);
	return (true);
}

/*
 * Pass back primary IPv6 address for this jail.
 *
 * If the jail is not IPv6-restricted (PR_IP6 clear), success is returned and
 * *ia6 is left untouched, so the caller has to initialize it beforehand
 * (e.g. IN6ADDR_ANY_INIT) and must not assume it was filled in.
 *
 * The KASSERTs are only compiled into INVARIANTS kernels; callers must pass
 * non-NULL pointers regardless.
 *
 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
 */
int
prison_get_ip6(struct ucred *cred, struct in6_addr *ia6)
{
	struct prison *pr;
	int error;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	pr = cred->cr_prison;
	/* Unlocked fast path for jails without an IPv6 restriction. */
	if ((pr->pr_flags & PR_IP6) == 0)
		return (0);

	error = 0;
	mtx_lock(&pr->pr_mtx);
	/*
	 * Same test again with pr_mtx held; presumably the flag can change
	 * between the unlocked read and taking the mutex.
	 */
	if ((pr->pr_flags & PR_IP6) == 0)
		goto done;
	/* Restricted, but no IPv6 address list at all. */
	if (pr->pr_addrs[PR_INET6] == NULL) {
		error = EAFNOSUPPORT;
		goto done;
	}

	prison_bcopy_primary_ip6(pr, ia6);
done:
	mtx_unlock(&pr->pr_mtx);
	return (error);
}

/*
 * Return 1 if we should do proper source address selection or are not jailed.
 * We will return 0 if we should bypass source address selection in favour
 * of the primary jail IPv6 address.  Only in this case *ia6 will be updated
 * and returned in NBO.
 * Return EAFNOSUPPORT, in case this jail does not allow IPv6.
 *
 * The value 1 is a selector, not an errno: callers have to tell 0 and 1
 * apart before treating any other result as an error code.
 */
int
prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6)
{
	struct in6_addr primary;
	int error;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	/* Not jailed, or the jail has PR_IP6_SADDRSEL set. */
	if (!jailed(cred) ||
	    (cred->cr_prison->pr_flags & PR_IP6_SADDRSEL) != 0)
		return (1);

	/*
	 * prison_get_ip6() leaves its output untouched for an unrestricted
	 * jail, so start from :: to be able to detect that case below.
	 */
	primary = in6addr_any;
	error = prison_get_ip6(cred, &primary);
	if (error != 0)
		return (error);
	if (IN6_IS_ADDR_UNSPECIFIED(&primary))
		return (1);

	bcopy(&primary, ia6, sizeof(primary));
	return (0);
}

/*
 * Return true if pr1 and pr2 have the same IPv6 address restrictions.
 *
 * Each jail is walked up its pr_parent chain until the walk reaches prison0,
 * a jail with PR_IP6_USER set, or (VIMAGE kernels only) a jail with PR_VNET
 * set.  The two stopping points are then compared by pointer.
 */
int
prison_equal_ip6(struct prison *pr1, struct prison *pr2)
{

	if (pr1 == pr2)
		return (1);

	for (; pr1 != &prison0; pr1 = pr1->pr_parent) {
#ifdef VIMAGE
		if (pr1->pr_flags & PR_VNET)
			break;
#endif
		if (pr1->pr_flags & PR_IP6_USER)
			break;
	}
	for (; pr2 != &prison0; pr2 = pr2->pr_parent) {
#ifdef VIMAGE
		if (pr2->pr_flags & PR_VNET)
			break;
#endif
		if (pr2->pr_flags & PR_IP6_USER)
			break;
	}
	return (pr1 == pr2);
}

/*
 * Make sure our (source) address is set to something meaningful to this jail.
 *
 * v6only should be set based on ((inp->inp_flags & IN6P_IPV6_V6ONLY) != 0)
 * when needed while binding.  (The inner parentheses matter: != binds
 * tighter than &.)
 *
 * *ia6 may be rewritten in place:
 *  - the unspecified address becomes the jail's primary address only when
 *    v6only is set and the jail has exactly one IPv6 address; otherwise it
 *    is left as the wildcard;
 *  - a loopback address that is not in the jail's list is replaced by the
 *    jail's primary address instead of being refused.
 *
 * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
 * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
 * doesn't allow IPv6.
 */
int
prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
{
	struct prison *pr;
	int error;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	pr = cred->cr_prison;
	/* Unlocked fast path for jails without an IPv6 restriction. */
	if ((pr->pr_flags & PR_IP6) == 0)
		return (0);

	error = 0;
	mtx_lock(&pr->pr_mtx);
	/* Re-test with pr_mtx held before looking at the address list. */
	if ((pr->pr_flags & PR_IP6) == 0)
		goto done;
	if (pr->pr_addrs[PR_INET6] == NULL) {
		error = EAFNOSUPPORT;
		goto done;
	}

	if (IN6_IS_ADDR_UNSPECIFIED(ia6)) {
		/*
		 * In case there is only 1 IPv6 address, and v6only is true,
		 * then bind directly.
		 */
		if (v6only != 0 && prison_ip_cnt(pr, PR_INET6) == 1)
			prison_bcopy_primary_ip6(pr, ia6);
		goto done;
	}

	error = prison_check_ip6_locked(pr, ia6);
	/* Loopback outside the jail's list maps to the primary address. */
	if (error == EADDRNOTAVAIL && IN6_IS_ADDR_LOOPBACK(ia6)) {
		prison_bcopy_primary_ip6(pr, ia6);
		error = 0;
	}
done:
	mtx_unlock(&pr->pr_mtx);
	return (error);
}

/*
 * Rewrite destination address in case we will connect to loopback address.
 *
 * Only a loopback destination that is not in the jail's own address list is
 * changed; it is replaced in place by the jail's primary IPv6 address.  Any
 * other destination is passed through unmodified, and no membership error
 * is reported for it.
 *
 * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
 */
int
prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
{
	struct prison *pr;
	int error;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	pr = cred->cr_prison;
	/* Unlocked fast path for jails without an IPv6 restriction. */
	if ((pr->pr_flags & PR_IP6) == 0)
		return (0);

	error = 0;
	mtx_lock(&pr->pr_mtx);
	/* Re-test with pr_mtx held before looking at the address list. */
	if ((pr->pr_flags & PR_IP6) == 0)
		goto done;
	if (pr->pr_addrs[PR_INET6] == NULL) {
		error = EAFNOSUPPORT;
		goto done;
	}

	/* Anything else needs no change and is still a success. */
	if (IN6_IS_ADDR_LOOPBACK(ia6) &&
	    prison_check_ip6_locked(pr, ia6) == EADDRNOTAVAIL)
		prison_bcopy_primary_ip6(pr, ia6);
done:
	mtx_unlock(&pr->pr_mtx);
	return (error);
}

/*
 * Check if given address belongs to the jail referenced by cred/prison.
 *
 * Returns 0 if the jail is not IPv6-restricted (PR_IP6 clear); otherwise
 * returns whatever prison_ip_check() reports for PR_INET6, which the callers
 * in this file expect to be 0 if the address belongs to the jail and
 * EADDRNOTAVAIL if it doesn't.
 *
 * NOTE(review): the _locked suffix and all callers in this file indicate
 * that pr->pr_mtx is held on entry; nothing in this function asserts it.
 */
int
prison_check_ip6_locked(const struct prison *pr, const struct in6_addr *ia6)
{

	if ((pr->pr_flags & PR_IP6) != 0)
		return (prison_ip_check(pr, PR_INET6, ia6));
	return (0);
}

/*
 * Locking wrapper around prison_check_ip6_locked() for the jail that cred
 * belongs to.
 *
 * Returns 0 if the jail doesn't restrict IPv6 or the address belongs to the
 * jail, EAFNOSUPPORT if the jail is restricted but has no IPv6 address list,
 * otherwise the result of prison_check_ip6_locked().
 */
int
prison_check_ip6(const struct ucred *cred, const struct in6_addr *ia6)
{
	struct prison *pr;
	int error;

	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));

	pr = cred->cr_prison;
	/* Unlocked fast path for jails without an IPv6 restriction. */
	if ((pr->pr_flags & PR_IP6) == 0)
		return (0);

	error = 0;
	mtx_lock(&pr->pr_mtx);
	/* Re-test with pr_mtx held before looking at the address list. */
	if ((pr->pr_flags & PR_IP6) == 0)
		goto done;
	if (pr->pr_addrs[PR_INET6] == NULL) {
		error = EAFNOSUPPORT;
		goto done;
	}

	error = prison_check_ip6_locked(pr, ia6);
done:
	mtx_unlock(&pr->pr_mtx);
	return (error);
}