xref: /freebsd/sys/netinet6/in6_jail.c (revision 4d3fc8b0570b29fb0d6ee9525f104d52176ff0d4) 
1 /*-
2  * Copyright (c) 1999 Poul-Henning Kamp.
3  * Copyright (c) 2008 Bjoern A. Zeeb.
4  * Copyright (c) 2009 James Gritton.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/cdefs.h>
30 __FBSDID("$FreeBSD$");
31 
32 #include "opt_ddb.h"
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 
36 #include <sys/param.h>
37 #include <sys/types.h>
38 #include <sys/kernel.h>
39 #include <sys/systm.h>
40 #include <sys/errno.h>
41 #include <sys/sysproto.h>
42 #include <sys/malloc.h>
43 #include <sys/osd.h>
44 #include <sys/priv.h>
45 #include <sys/proc.h>
46 #include <sys/taskqueue.h>
47 #include <sys/fcntl.h>
48 #include <sys/jail.h>
49 #include <sys/lock.h>
50 #include <sys/mutex.h>
51 #include <sys/racct.h>
52 #include <sys/refcount.h>
53 #include <sys/sx.h>
54 #include <sys/namei.h>
55 #include <sys/mount.h>
56 #include <sys/queue.h>
57 #include <sys/socket.h>
58 #include <sys/syscallsubr.h>
59 #include <sys/sysctl.h>
60 #include <sys/vnode.h>
61 
62 #include <net/if.h>
63 #include <net/vnet.h>
64 
65 #include <netinet/in.h>
66 
67 static void
68 prison_bcopy_primary_ip6(const struct prison *pr, struct in6_addr *ia6)
69 {
70 
71 	bcopy(prison_ip_get0(pr, PR_INET6), ia6, sizeof(struct in6_addr));
72 }
73 
74 int
75 prison_qcmp_v6(const void *ip1, const void *ip2)
76 {
77 	const struct in6_addr *ia6a, *ia6b;
78 	int i, rc;
79 
80 	ia6a = (const struct in6_addr *)ip1;
81 	ia6b = (const struct in6_addr *)ip2;
82 
83 	rc = 0;
84 	for (i = 0; rc == 0 && i < sizeof(struct in6_addr); i++) {
85 		if (ia6a->s6_addr[i] > ia6b->s6_addr[i])
86 			rc = 1;
87 		else if (ia6a->s6_addr[i] < ia6b->s6_addr[i])
88 			rc = -1;
89 	}
90 	return (rc);
91 }
92 
93 bool
94 prison_valid_v6(const void *ip)
95 {
96 	const struct in6_addr *ia = ip;
97 
98 	return (!IN6_IS_ADDR_UNSPECIFIED(ia));
99 }
100 
101 /*
102  * Pass back primary IPv6 address for this jail.
103  *
104  * If not restricted return success but do not alter the address.  Caller has
105  * to make sure to initialize it correctly (e.g. IN6ADDR_ANY_INIT).
106  *
107  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
108  */
109 int
110 prison_get_ip6(struct ucred *cred, struct in6_addr *ia6)
111 {
112 	struct prison *pr;
113 
114 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
115 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
116 
117 	pr = cred->cr_prison;
118 	if (!(pr->pr_flags & PR_IP6))
119 		return (0);
120 	mtx_lock(&pr->pr_mtx);
121 	if (!(pr->pr_flags & PR_IP6)) {
122 		mtx_unlock(&pr->pr_mtx);
123 		return (0);
124 	}
125 	if (pr->pr_addrs[PR_INET6] == NULL) {
126 		mtx_unlock(&pr->pr_mtx);
127 		return (EAFNOSUPPORT);
128 	}
129 
130 	prison_bcopy_primary_ip6(pr, ia6);
131 	mtx_unlock(&pr->pr_mtx);
132 	return (0);
133 }
134 
135 /*
136  * Return true if we should do proper source address selection or are not jailed.
137  * We will return false if we should bypass source address selection in favour
138  * of the primary jail IPv6 address. Only in this case *ia will be updated and
139  * returned in NBO.
140  * Return true, even in case this jail does not allow IPv6.
141  */
142 bool
143 prison_saddrsel_ip6(struct ucred *cred, struct in6_addr *ia6)
144 {
145 	struct prison *pr;
146 	struct in6_addr lia6;
147 
148 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
149 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
150 
151 	if (!jailed(cred))
152 		return (true);
153 
154 	pr = cred->cr_prison;
155 	if (pr->pr_flags & PR_IP6_SADDRSEL)
156 		return (true);
157 
158 	lia6 = in6addr_any;
159 	if (prison_get_ip6(cred, &lia6) != 0)
160 		return (true);
161 	if (IN6_IS_ADDR_UNSPECIFIED(&lia6))
162 		return (true);
163 
164 	bcopy(&lia6, ia6, sizeof(struct in6_addr));
165 	return (false);
166 }
167 
168 /*
169  * Return true if pr1 and pr2 have the same IPv6 address restrictions.
170  */
171 bool
172 prison_equal_ip6(struct prison *pr1, struct prison *pr2)
173 {
174 
175 	if (pr1 == pr2)
176 		return (true);
177 
178 	while (pr1 != &prison0 &&
179 #ifdef VIMAGE
180 	       !(pr1->pr_flags & PR_VNET) &&
181 #endif
182 	       !(pr1->pr_flags & PR_IP6_USER))
183 		pr1 = pr1->pr_parent;
184 	while (pr2 != &prison0 &&
185 #ifdef VIMAGE
186 	       !(pr2->pr_flags & PR_VNET) &&
187 #endif
188 	       !(pr2->pr_flags & PR_IP6_USER))
189 		pr2 = pr2->pr_parent;
190 	return (pr1 == pr2);
191 }
192 
193 /*
194  * Make sure our (source) address is set to something meaningful to this jail.
195  *
196  * v6only should be set based on (inp->inp_flags & IN6P_IPV6_V6ONLY != 0)
197  * when needed while binding.
198  *
199  * Returns 0 if jail doesn't restrict IPv6 or if address belongs to jail,
200  * EADDRNOTAVAIL if the address doesn't belong, or EAFNOSUPPORT if the jail
201  * doesn't allow IPv6.
202  */
203 int
204 prison_local_ip6(struct ucred *cred, struct in6_addr *ia6, int v6only)
205 {
206 	struct prison *pr;
207 	int error;
208 
209 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
210 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
211 
212 	pr = cred->cr_prison;
213 	if (!(pr->pr_flags & PR_IP6))
214 		return (0);
215 	mtx_lock(&pr->pr_mtx);
216 	if (!(pr->pr_flags & PR_IP6)) {
217 		mtx_unlock(&pr->pr_mtx);
218 		return (0);
219 	}
220 	if (pr->pr_addrs[PR_INET6] == NULL) {
221 		mtx_unlock(&pr->pr_mtx);
222 		return (EAFNOSUPPORT);
223 	}
224 
225 	if (IN6_IS_ADDR_UNSPECIFIED(ia6)) {
226 		/*
227 		 * In case there is only 1 IPv6 address, and v6only is true,
228 		 * then bind directly.
229 		 */
230 		if (v6only != 0 && prison_ip_cnt(pr, PR_INET6) == 1)
231 			prison_bcopy_primary_ip6(pr, ia6);
232 		mtx_unlock(&pr->pr_mtx);
233 		return (0);
234 	}
235 
236 	error = prison_check_ip6_locked(pr, ia6);
237 	if (error == EADDRNOTAVAIL && IN6_IS_ADDR_LOOPBACK(ia6)) {
238 		prison_bcopy_primary_ip6(pr, ia6);
239 		error = 0;
240 	}
241 
242 	mtx_unlock(&pr->pr_mtx);
243 	return (error);
244 }
245 
246 /*
247  * Rewrite destination address in case we will connect to loopback address.
248  *
249  * Returns 0 on success, EAFNOSUPPORT if the jail doesn't allow IPv6.
250  */
251 int
252 prison_remote_ip6(struct ucred *cred, struct in6_addr *ia6)
253 {
254 	struct prison *pr;
255 
256 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
257 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
258 
259 	pr = cred->cr_prison;
260 	if (!(pr->pr_flags & PR_IP6))
261 		return (0);
262 	mtx_lock(&pr->pr_mtx);
263 	if (!(pr->pr_flags & PR_IP6)) {
264 		mtx_unlock(&pr->pr_mtx);
265 		return (0);
266 	}
267 	if (pr->pr_addrs[PR_INET6] == NULL) {
268 		mtx_unlock(&pr->pr_mtx);
269 		return (EAFNOSUPPORT);
270 	}
271 
272 	if (IN6_IS_ADDR_LOOPBACK(ia6) &&
273             prison_check_ip6_locked(pr, ia6) == EADDRNOTAVAIL) {
274 		prison_bcopy_primary_ip6(pr, ia6);
275 		mtx_unlock(&pr->pr_mtx);
276 		return (0);
277 	}
278 
279 	/*
280 	 * Return success because nothing had to be changed.
281 	 */
282 	mtx_unlock(&pr->pr_mtx);
283 	return (0);
284 }
285 
286 /*
287  * Check if given address belongs to the jail referenced by cred/prison.
288  *
289  * Returns 0 if address belongs to jail,
290  * EADDRNOTAVAIL if the address doesn't belong to the jail.
291  */
292 int
293 prison_check_ip6_locked(const struct prison *pr, const struct in6_addr *ia6)
294 {
295 
296 	if (!(pr->pr_flags & PR_IP6))
297 		return (0);
298 
299 	return (prison_ip_check(pr, PR_INET6, ia6));
300 }
301 
302 int
303 prison_check_ip6(const struct ucred *cred, const struct in6_addr *ia6)
304 {
305 	struct prison *pr;
306 	int error;
307 
308 	KASSERT(cred != NULL, ("%s: cred is NULL", __func__));
309 	KASSERT(ia6 != NULL, ("%s: ia6 is NULL", __func__));
310 
311 	pr = cred->cr_prison;
312 	if (!(pr->pr_flags & PR_IP6))
313 		return (0);
314 	mtx_lock(&pr->pr_mtx);
315 	if (!(pr->pr_flags & PR_IP6)) {
316 		mtx_unlock(&pr->pr_mtx);
317 		return (0);
318 	}
319 	if (pr->pr_addrs[PR_INET6] == NULL) {
320 		mtx_unlock(&pr->pr_mtx);
321 		return (EAFNOSUPPORT);
322 	}
323 
324 	error = prison_check_ip6_locked(pr, ia6);
325 	mtx_unlock(&pr->pr_mtx);
326 	return (error);
327 }
328