xref: /freebsd/sys/netinet6/in6_jail.c (revision 38a52bd3b5cac3da6f7f6eef3dd050e6aa08ebb3)
1 /*-
2  * Copyright (c) 1999 Poul-Henning Kamp.
3  * Copyright (c) 2008 Bjoern A. Zeeb.
4  * Copyright (c) 2009 James Gritton.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31 
32 #include "opt_ddb.h"
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 
36 #include <sys/param.h>
37 #include <sys/types.h>
38 #include <sys/kernel.h>
39 #include <sys/systm.h>
40 #include <sys/errno.h>
41 #include <sys/sysproto.h>
42 #include <sys/malloc.h>
43 #include <sys/osd.h>
44 #include <sys/priv.h>
45 #include <sys/proc.h>
46 #include <sys/taskqueue.h>
47 #include <sys/fcntl.h>
48 #include <sys/jail.h>
49 #include <sys/lock.h>
50 #include <sys/mutex.h>
51 #include <sys/racct.h>
52 #include <sys/refcount.h>
53 #include <sys/sx.h>
54 #include <sys/namei.h>
55 #include <sys/mount.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/syscallsubr.h>
59 #include <sys/sysctl.h>
60 #include <sys/vnode.h>
61 
62 #include <net/if.h>
63 #include <net/vnet.h>
64 
65 #include <netinet/in.h>
66 
67 static void
68 prison_bcopy_primary_ip6(const struct prison *pr, struct in6_addr *ia6)
69 {
70 
71 	bcopy(prison_ip_get0(pr, PR_INET6), ia6, sizeof(struct in6_addr));
72 }
73 
74 int
75 prison_qcmp_v6(const void *ip1, const void *ip2)
76 {
77 	const struct in6_addr *ia6a, *ia6b;
78 	int i, rc;
79 
80 	ia6a = (const struct in6_addr *)ip1;
81 	ia6b = (const struct in6_addr *)ip2;
82 
83 	rc = 0;
84 	for (i = 0; rc == 0 && i < sizeof(struct in6_addr); i++) {
85 		if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
86 			rc = 1;
87 		else if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
88 			rc = -1;
89 	}
90 	return (rc);
91 }
92 
93 bool
94 prison_valid_v6(const void *ip)
95 {
96 	const struct in6_addr *ia = ip;
97 
98 	return (!IN6_IS_ADDR_UNSPECIFIED(ia));
99 }
100 
101 /*
102  * Pass back primary IPv6 address for this jail.
103  *
104  * If not restricted return success but do not alter the address.  Caller has
105  * to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT).
106  *
107  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
108  */
109 int
110 prison_get_ip6(struct ucred *cred, struct in6_addr *ia6)
111 {
112 	struct prison *pr;
113 
114 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
115 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
116 
117 	pr = cred->cr_prison;
118 	if (!(pr->pr_flags & PR_IP6))
119 		return (0);
120 	mtx_lock(&pr->pr_mtx);
121 	if (!(pr->pr_flags & PR_IP6)) {
122 		mtx_unlock(&pr->pr_mtx);
123 		return (0);
124 	}
125 	if (pr->pr_addrs[PR_INET6] == NULL) {
126 		mtx_unlock(&pr->pr_mtx);
127 		return (EAFNOSUPPORT);
128 	}
129 
130 	prison_bcopy_primary_ip6(pr, ia6);
131 	mtx_unlock(&pr->pr_mtx);
132 	return (0);
133 }
134 
135 /*
136  * Return 1 if we should do proper source address selection or are not jailed.
137  * We will return 0 if we should bypass source address selection in favour
138  * of the primary jail IPv6 address. Only in this case *ia will be updated and
139  * returned in NBO.
140  * Return EAFNOSUPPORT, in case this jail does not allow IPv6.
141  */
142 int
143 prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6)
144 {
145 	struct prison *pr;
146 	struct in6_addr lia6;
147 	int error;
148 
149 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
150 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
151 
152 	if (!jailed(cred))
153 		return (1);
154 
155 	pr = cred->cr_prison;
156 	if (pr->pr_flags & PR_IP6_SADDRSEL)
157 		return (1);
158 
159 	lia6 = in6addr_any;
160 	error = prison_get_ip6(cred, &lia6);
161 	if (error)
162 		return (error);
163 	if (IN6_IS_ADDR_UNSPECIFIED(&lia6))
164 		return (1);
165 
166 	bcopy(&lia6, ia6, sizeof(struct in6_addr));
167 	return (0);
168 }
169 
170 /*
171  * Return true if pr1 and pr2 have the same IPv6 address restrictions.
172  */
173 int
174 prison_equal_ip6(struct prison *pr1, struct prison *pr2)
175 {
176 
177 	if (pr1 == pr2)
178 		return (1);
179 
180 	while (pr1 != &prison0 &&
181 #ifdef VIMAGE
182 	       !(pr1->pr_flags & PR_VNET) &&
183 #endif
184 	       !(pr1->pr_flags & PR_IP6_USER))
185 		pr1 = pr1->pr_parent;
186 	while (pr2 != &prison0 &&
187 #ifdef VIMAGE
188 	       !(pr2->pr_flags & PR_VNET) &&
189 #endif
190 	       !(pr2->pr_flags & PR_IP6_USER))
191 		pr2 = pr2->pr_parent;
192 	return (pr1 == pr2);
193 }
194 
195 /*
196  * Make sure our (source) address is set to something meaningful to this jail.
197  *
198  * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
199  * when needed while binding.
200  *
201  * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
202  * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
203  * doesn't allow IPv6.
204  */
205 int
206 prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
207 {
208 	struct prison *pr;
209 	int error;
210 
211 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
212 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
213 
214 	pr = cred->cr_prison;
215 	if (!(pr->pr_flags & PR_IP6))
216 		return (0);
217 	mtx_lock(&pr->pr_mtx);
218 	if (!(pr->pr_flags & PR_IP6)) {
219 		mtx_unlock(&pr->pr_mtx);
220 		return (0);
221 	}
222 	if (pr->pr_addrs[PR_INET6] == NULL) {
223 		mtx_unlock(&pr->pr_mtx);
224 		return (EAFNOSUPPORT);
225 	}
226 
227 	if (IN6_IS_ADDR_UNSPECIFIED(ia6)) {
228 		/*
229 		 * In case there is only 1 IPv6 address, and v6only is true,
230 		 * then bind directly.
231 		 */
232 		if (v6only != 0 && prison_ip_cnt(pr, PR_INET6) == 1)
233 			prison_bcopy_primary_ip6(pr, ia6);
234 		mtx_unlock(&pr->pr_mtx);
235 		return (0);
236 	}
237 
238 	error = prison_check_ip6_locked(pr, ia6);
239 	if (error == EADDRNOTAVAIL && IN6_IS_ADDR_LOOPBACK(ia6)) {
240 		prison_bcopy_primary_ip6(pr, ia6);
241 		error = 0;
242 	}
243 
244 	mtx_unlock(&pr->pr_mtx);
245 	return (error);
246 }
247 
248 /*
249  * Rewrite destination address in case we will connect to loopback address.
250  *
251  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
252  */
253 int
254 prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
255 {
256 	struct prison *pr;
257 
258 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
259 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
260 
261 	pr = cred->cr_prison;
262 	if (!(pr->pr_flags & PR_IP6))
263 		return (0);
264 	mtx_lock(&pr->pr_mtx);
265 	if (!(pr->pr_flags & PR_IP6)) {
266 		mtx_unlock(&pr->pr_mtx);
267 		return (0);
268 	}
269 	if (pr->pr_addrs[PR_INET6] == NULL) {
270 		mtx_unlock(&pr->pr_mtx);
271 		return (EAFNOSUPPORT);
272 	}
273 
274 	if (IN6_IS_ADDR_LOOPBACK(ia6) &&
275             prison_check_ip6_locked(pr, ia6) == EADDRNOTAVAIL) {
276 		prison_bcopy_primary_ip6(pr, ia6);
277 		mtx_unlock(&pr->pr_mtx);
278 		return (0);
279 	}
280 
281 	/*
282 	 * Return success because nothing had to be changed.
283 	 */
284 	mtx_unlock(&pr->pr_mtx);
285 	return (0);
286 }
287 
288 /*
289  * Check if given address belongs to the jail referenced by cred/prison.
290  *
291  * Returns 0 if address belongs to jail,
292  * EADDRNOTAVAIL if the address doesn't belong to the jail.
293  */
294 int
295 prison_check_ip6_locked(const struct prison *pr, const struct in6_addr *ia6)
296 {
297 
298 	if (!(pr->pr_flags & PR_IP6))
299 		return (0);
300 
301 	return (prison_ip_check(pr, PR_INET6, ia6));
302 }
303 
304 int
305 prison_check_ip6(const struct ucred *cred, const struct in6_addr *ia6)
306 {
307 	struct prison *pr;
308 	int error;
309 
310 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
311 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
312 
313 	pr = cred->cr_prison;
314 	if (!(pr->pr_flags & PR_IP6))
315 		return (0);
316 	mtx_lock(&pr->pr_mtx);
317 	if (!(pr->pr_flags & PR_IP6)) {
318 		mtx_unlock(&pr->pr_mtx);
319 		return (0);
320 	}
321 	if (pr->pr_addrs[PR_INET6] == NULL) {
322 		mtx_unlock(&pr->pr_mtx);
323 		return (EAFNOSUPPORT);
324 	}
325 
326 	error = prison_check_ip6_locked(pr, ia6);
327 	mtx_unlock(&pr->pr_mtx);
328 	return (error);
329 }
330