On Fri, 23 Jun 2023, at 10:27 AM, Alexander Chernikov wrote: > > > On Fri, 23 Jun 2023, at 7:53 AM, Shivank Garg wrote: >> Hi, >> >> I want to check credentials of the thread setting the IP address with >> SIOCAIFADDR ioctl. >> If the thread is jailed (jailed(td_ucred) == 1), I'm applying some checks on >> ip address. >> >> My expectation was that (cred->cr_prison != &prison0) for an ifconfig call >> made by the jail. > If you’re using -head, it’s a bit more complicated. ifconfig(8) uses > rtnetlink(4) interfaces to communicate with the kernel. Privilege check is > done in Netlink: > https://github.com/freebsd/freebsd-src/blob/764464af49688e74fd6d803df0404ca4726dd460/sys/netlink/route/iface.c#L1472 > . After that, (as of now) netlink calls ioctl code from its own kernel > thread, which may be the reason of the behavior you’re observing. Apparently the previous message was not delivered everywhere. >> However, it is showing me some weird behavior. Here are the logs for a >> tweaked kernel: >> >> @@ -339,7 +343,7 @@ in_control(struct socket *so, u_long cmd, void *data, >> struct ifnet *ifp, >> return (EADDRNOTAVAIL); >> struct ucred *cred = (td != NULL) ? td->td_ucred : NULL; >> - >> + printf("in_control jailed? %d jid %d prison_owns_vnet? >> %d\n",jailed(cred),cred->cr_prison->pr_id,prison_owns_vnet(cred)); >> >> # jexec 1 ifconfig epair0b inet 169.254.123.101/24 up >> >> Dmesg logs: >> *[256] in_control jailed? 0 jid 0 prison_owns_vnet? 1* >> >> Cred value indicates host and jail is 0 but the PR_VNET flag is set. >> >> Is this behavior expected? or something going wrong - what's the next debug >> step? >> >> I greatly appreciate your help! >> >> Thanks, >> Shivank > > /Alexander >
/Alexander
