Date: Sun, 26 Mar 2023 08:53:30 GMT
Message-Id: <202303260853.32Q8rUSo039414@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Alexander V. Chernikov"
Subject: git: 04f75b980293 - main - netlink: allow netlink sockets in non-vnet jails.
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: melifaro
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 04f75b980293d517558990a7fda6900445edcac6

The branch main has been updated by melifaro:

URL: https://cgit.FreeBSD.org/src/commit/?id=04f75b980293d517558990a7fda6900445edcac6

commit 04f75b980293d517558990a7fda6900445edcac6
Author:     Alexander V. Chernikov
AuthorDate: 2023-03-26 08:42:51 +0000
Commit:     Alexander V. Chernikov
CommitDate: 2023-03-26 08:44:09 +0000

netlink: allow netlink sockets in non-vnet jails.

This change allows opening Netlink sockets in non-vnet jails, even for
unprivileged processes.
The security model largely follows the existing one. To be more specific:

* By default, every `NETLINK_ROUTE` command is **NOT** allowed in a non-VNET
  jail UNLESS the `RTNL_F_ALLOW_NONVNET_JAIL` flag is specified in the
  command handler.
* All notifications are **disabled** for non-vnet jails (requests to
  subscribe to notifications are ignored). This will change to a more
  fine-grained model once the first netlink provider requiring it gets
  committed.
* Listing interfaces (RTM_GETLINK) is **allowed** w/o limits (**including**
  interfaces w/o any addresses attached to the jail). The value of this is
  questionable, but it follows the existing approach.
* Listing ARP/NDP neighbours is **forbidden**.
This is a **change** from the current approach - currently we list static ARP/ND entries belonging to the addresses attached to the jail. * Listing interface addresses is **allowed**, but the addresses are filtered to match only ones attached to the jail. * Listing routes is **allowed**, but the routes are filtered to provide only host routes matching the addresses attached to the jail. * By default, every `NETLINK_GENERIC` command is **allowed** in non-VNET jail (as sub-families may be unrelated to network at all). It is the goal of the family author to implement the restriction if necessary. Differential Revision: https://reviews.freebsd.org/D39206 MFC after: 1 month --- sys/kern/kern_jail.c | 1 + sys/netlink/netlink_ctl.h | 1 + sys/netlink/netlink_domain.c | 12 ++++++++++++ sys/netlink/netlink_generic.c | 1 + sys/netlink/netlink_route.c | 5 +++++ sys/netlink/netlink_var.h | 1 + sys/netlink/route/iface.c | 8 +++++++- sys/netlink/route/route_var.h | 3 ++- sys/netlink/route/rt.c | 6 ++++++ 9 files changed, 36 insertions(+), 2 deletions(-) diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index 7b57e5bb9d61..0558c7d9b7fe 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3440,6 +3440,7 @@ prison_check_af(struct ucred *cred, int af) #endif case AF_LOCAL: case AF_ROUTE: + case AF_NETLINK: break; default: if (!(pr->pr_allow & PR_ALLOW_SOCKET_AF)) diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h index 8cd29cf56d10..9369194151af 100644 --- a/sys/netlink/netlink_ctl.h +++ b/sys/netlink/netlink_ctl.h @@ -81,6 +81,7 @@ bool netlink_unregister_proto(int proto); bool nl_has_listeners(int netlink_family, uint32_t groups_mask); bool nlp_has_priv(struct nlpcb *nlp, int priv); struct ucred *nlp_get_cred(struct nlpcb *nlp); +bool nlp_unconstrained_vnet(const struct nlpcb *nlp); /* netlink_generic.c */ struct genl_cmd { diff --git a/sys/netlink/netlink_domain.c b/sys/netlink/netlink_domain.c index 2704974173b4..24ca9de877f0 100644 
--- a/sys/netlink/netlink_domain.c +++ b/sys/netlink/netlink_domain.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -111,6 +112,10 @@ nl_add_group_locked(struct nlpcb *nlp, unsigned int group_id) MPASS(group_id <= NLP_MAX_GROUPS); --group_id; + /* TODO: add family handler callback */ + if (!nlp_unconstrained_vnet(nlp)) + return; + nlp->nl_groups[group_id / 64] |= (uint64_t)1 << (group_id % 64); } @@ -212,6 +217,12 @@ nlp_has_priv(struct nlpcb *nlp, int priv) return (priv_check_cred(nlp->nl_cred, priv) == 0); } +bool +nlp_unconstrained_vnet(const struct nlpcb *nlp) +{ + return (nlp->nl_unconstrained_vnet); +} + struct ucred * nlp_get_cred(struct nlpcb *nlp) { @@ -308,6 +319,7 @@ nl_pru_attach(struct socket *so, int proto, struct thread *td) nlp->nl_process_id = curproc->p_pid; nlp->nl_linux = is_linux; nlp->nl_active = true; + nlp->nl_unconstrained_vnet = !jailed_without_vnet(so->so_cred); NLP_LOCK_INIT(nlp); refcount_init(&nlp->nl_refcount, 1); nl_init_io(nlp); diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index d4022c2c2a75..a2bd624f99d9 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -31,6 +31,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include diff --git a/sys/netlink/netlink_route.c b/sys/netlink/netlink_route.c index 037fd2170c66..ce0c0eb36dbc 100644 --- a/sys/netlink/netlink_route.c +++ b/sys/netlink/netlink_route.c @@ -93,6 +93,11 @@ rtnl_handle_message(struct nlmsghdr *hdr, struct nl_pstate *npt) } else if (cmd->priv != 0) NLP_LOG(LOG_DEBUG3, nlp, "priv %d check passed for msg %s", cmd->priv, cmd->name); + if (!nlp_unconstrained_vnet(nlp) && (cmd->flags & RTNL_F_ALLOW_NONVNET_JAIL) == 0) { + NLP_LOG(LOG_DEBUG2, nlp, "jail check failed for msg %s", cmd->name); + return (EPERM); + } + bool need_epoch = !(cmd->flags & RTNL_F_NOEPOCH); if (need_epoch) 
diff --git a/sys/netlink/netlink_var.h b/sys/netlink/netlink_var.h index ed19008248e9..0114306885cf 100644 --- a/sys/netlink/netlink_var.h +++ b/sys/netlink/netlink_var.h @@ -61,6 +61,7 @@ struct nlpcb { bool nl_task_pending; bool nl_tx_blocked; /* No new requests accepted */ bool nl_linux; /* true if running under compat */ + bool nl_unconstrained_vnet; /* true if running under VNET jail (or without jail) */ struct nl_io_queue rx_queue; struct nl_io_queue tx_queue; struct taskqueue *nl_taskqueue; diff --git a/sys/netlink/route/iface.c b/sys/netlink/route/iface.c index 6704acd1624f..18eab05576b7 100644 --- a/sys/netlink/route/iface.c +++ b/sys/netlink/route/iface.c @@ -32,6 +32,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -61,6 +62,7 @@ struct netlink_walkargs { struct nl_writer *nw; struct nlmsghdr hdr; struct nlpcb *so; + struct ucred *cred; uint32_t fibnum; int family; int error; @@ -833,6 +835,8 @@ dump_iface_addrs(struct netlink_walkargs *wa, struct ifnet *ifp) continue; if (ifa->ifa_addr->sa_family == AF_LINK) continue; + if (prison_if(wa->cred, ifa->ifa_addr) != 0) + continue; wa->count++; if (!dump_iface_addr(wa->nw, ifp, ifa, &wa->hdr)) return (ENOMEM); @@ -856,6 +860,7 @@ rtnl_handle_getaddr(struct nlmsghdr *hdr, struct nlpcb *nlp, struct nl_pstate *n struct netlink_walkargs wa = { .so = nlp, .nw = npt->nw, + .cred = nlp_get_cred(nlp), .family = attrs.ifa_family, .hdr.nlmsg_pid = hdr->nlmsg_pid, .hdr.nlmsg_seq = hdr->nlmsg_seq, @@ -977,7 +982,7 @@ static const struct rtnl_cmd_handler cmd_handlers[] = { .cmd = NL_RTM_GETLINK, .name = "RTM_GETLINK", .cb = &rtnl_handle_getlink, - .flags = RTNL_F_NOEPOCH, + .flags = RTNL_F_NOEPOCH | RTNL_F_ALLOW_NONVNET_JAIL, }, { .cmd = NL_RTM_DELLINK, @@ -997,6 +1002,7 @@ static const struct rtnl_cmd_handler cmd_handlers[] = { .cmd = NL_RTM_GETADDR, .name = "RTM_GETADDR", .cb = &rtnl_handle_getaddr, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, }, { .cmd = NL_RTM_NEWADDR, 
diff --git a/sys/netlink/route/route_var.h b/sys/netlink/route/route_var.h index f3b1d7d929a5..a11857b14a1f 100644 --- a/sys/netlink/route/route_var.h +++ b/sys/netlink/route/route_var.h @@ -48,7 +48,8 @@ struct rtnl_cmd_handler { int flags; }; -#define RTNL_F_NOEPOCH 0x01 +#define RTNL_F_NOEPOCH 0x01 /* Do not enter epoch when handling command */ +#define RTNL_F_ALLOW_NONVNET_JAIL 0x02 /* Allow command execution inside non-VNET jail */ bool rtnl_register_messages(const struct rtnl_cmd_handler *handlers, int count); diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c index badd8d937be2..ef52dbf4edd6 100644 --- a/sys/netlink/route/rt.c +++ b/sys/netlink/route/rt.c @@ -513,6 +513,8 @@ dump_rtentry(struct rtentry *rt, void *_arg) wa->count++; if (wa->error != 0) return (0); + if (!rt_is_exportable(rt, nlp_get_cred(wa->nlp))) + return (0); wa->dumped++; rt_get_rnd(rt, &wa->rnd); @@ -606,6 +608,9 @@ handle_rtm_getroute(struct nlpcb *nlp, struct nl_parsed_route *attrs, RIB_RUNLOCK(rnh); + if (!rt_is_exportable(rt, nlp_get_cred(nlp))) + return (ESRCH); + IF_DEBUG_LEVEL(LOG_DEBUG2) { char rtbuf[NHOP_PRINT_BUFSIZE] __unused, nhbuf[NHOP_PRINT_BUFSIZE] __unused; FIB_LOG(LOG_DEBUG2, fibnum, family, "getroute completed: got %s for %s", @@ -1026,6 +1031,7 @@ static const struct rtnl_cmd_handler cmd_handlers[] = { .cmd = NL_RTM_GETROUTE, .name = "RTM_GETROUTE", .cb = &rtnl_handle_getroute, + .flags = RTNL_F_ALLOW_NONVNET_JAIL, }, { .cmd = NL_RTM_DELROUTE,
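Review bot: in the sys/kern/kern_jail.c hunk, adding `case AF_NETLINK:` beside `case AF_ROUTE:` in prison_check_af() makes netlink sockets creatable in every jail regardless of allow.socket_af, whose jail(8) description lists only IPv4, IPv6, local and route sockets; the man page should be updated in the same change. It also means the only thing standing between an unprivileged jailed process and the routing stack is the per-command RTNL_F_ALLOW_NONVNET_JAIL check in rtnl_handle_message(), so a one-line comment at this case pointing there would help the next person auditing prison_check_af().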
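Review bot: in the nl_add_group_locked() hunk of sys/netlink/netlink_domain.c, the early `return` before `nlp->nl_groups[group_id / 64] |= ...` silently drops the membership request, so setsockopt(NETLINK_ADD_MEMBERSHIP) reports success while the socket will never receive a notification; a consumer inside a non-VNET jail that waits for RTM_NEWADDR or RTM_NEWROUTE events blocks forever with no diagnostic. Consider having the setsockopt path return EPERM for constrained sockets, or at least emit an NLP_LOG at debug level here, and replace the bare `/* TODO: add family handler callback */` with a reference to the fine-grained model the commit message promises.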
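Review bot: in the nl_pru_attach() hunk, `nlp->nl_unconstrained_vnet = !jailed_without_vnet(so->so_cred);` snapshots the jail state at socket creation, the same way nl_cred is captured. A socket opened before jail_attach(2), or passed into a jail over SCM_RIGHTS, therefore keeps unconstrained status for its lifetime, and the restriction is a property of the creating credential rather than of whoever later sends on the socket. That is consistent with the existing credential handling, but the field comment in netlink_var.h should say so, since "true if running under VNET jail" reads as if it were evaluated per request.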
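Review bot: in the sys/netlink/netlink_route.c hunk, the new RTNL_F_ALLOW_NONVNET_JAIL test sits after the privilege check, so for a refused message the debug trail reads "priv %d check passed for msg %s" immediately followed by "jail check failed for msg %s". Moving the jail test ahead of the priv_check_cred() call (it is a flag test, cheaper than a credential check) lets refused commands exit early with a single, non-contradictory log line. Note also that the refusal returns EPERM, the same errno as a privilege failure; acceptable for callers, but the log line is then the only way to tell the two apart.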
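Review bot: in the dump_iface_addrs() hunk of sys/netlink/route/iface.c, `prison_if(wa->cred, ifa->ifa_addr)` dereferences wa->cred, which the diff initialises in exactly one place (`.cred = nlp_get_cred(nlp)` in rtnl_handle_getaddr()); netlink_walkargs is the shared walker struct for this file, and any other constructor of it that omits .cred will reach this line with a NULL credential. Suggest a KASSERT(wa->cred != NULL, ...) at the top of dump_iface_addrs(), or setting cred wherever the struct is built. One behavioural detail worth a comment: `wa->count++` now follows the filter, so count reflects only the addresses actually exported to the caller.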
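Review bot: in the sys/netlink/route/rt.c hunks, dump_rtentry() calls `nlp_get_cred(wa->nlp)` once per route entry of the dump; cache the credential in the walk arguments (as iface.c now does with .cred) instead of re-fetching it for every entry. The placement after `wa->count++` but before `wa->dumped++` means count and dumped diverge for jailed callers, which is consistent with the existing error path but should be stated where the counters are read. In handle_rtm_getroute(), returning ESRCH rather than EPERM for a non-exportable route is the right choice: it is indistinguishable from "no route", so a jail cannot probe for the existence of host routes it is not allowed to see. A one-line comment would stop a later reader from "fixing" it to EPERM.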
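To check the policy the commit message lays out from inside a jail, here is an added probe program. It is example code written for this page, not part of the commit or of the FreeBSD tree. It assumes the rtnetlink wire constants and family-header sizes it declares (RTM_GETLINK=18 with a 16-byte ifinfomsg, RTM_GETADDR=22 with an 8-byte ifaddrmsg, RTM_GETROUTE=26 with a 12-byte rtmsg, RTM_GETNEIGH=30 with a 12-byte ndmsg, NLM_F_DUMP=0x300) and that an unbound netlink socket is auto-bound by the kernel on its first send; the two sample_* functions parse constructed replies, not kernel output. Run inside a non-VNET jail on a kernel carrying this change, it should report records for RTM_GETLINK, RTM_GETADDR and RTM_GETROUTE (the latter two filtered to the jail's addresses) and a refusal for RTM_GETNEIGH.

```c
/* nl_jail_probe.c: added example, not part of the commit above. Sends the four
 * NETLINK_ROUTE dump requests the commit message discusses and reports which the
 * kernel answered and which it refused (run as `jexec <jid> ./nl_jail_probe`).
 * Layouts/constants are the rtnetlink ABI FreeBSD shares with Linux, declared
 * locally; the socket stays unbound, assuming the kernel auto-binds on send. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NL_T_ERROR    2      /* NLMSG_ERROR */
#define NL_T_DONE     3      /* NLMSG_DONE */
#define NL_F_REQ_DUMP 0x301  /* NLM_F_REQUEST | NLM_F_ROOT | NLM_F_MATCH */
#define NL_ALIGN(n)   (((n) + 3U) & ~3U)

struct nlhdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
struct dump_result { int records; int error; int done; };

/* Zeroed family header per request: ifinfomsg 16, ifaddrmsg 8, rtmsg 12, ndmsg 12. */
struct probe { const char *name; uint16_t type; uint32_t body; };
static const struct probe probes[] = {
    { "RTM_GETLINK", 18, 16 }, { "RTM_GETADDR", 22, 8 },
    { "RTM_GETROUTE", 26, 12 }, { "RTM_GETNEIGH", 30, 12 },
};

/* Writes one NLM_F_DUMP request into buf and returns its length. */
size_t build_dump_request(uint8_t *buf, uint16_t type, uint32_t body, uint32_t seq)
{
    struct nlhdr h = { (uint32_t)sizeof(h) + body, type, NL_F_REQ_DUMP, seq, 0 };
    memcpy(buf, &h, sizeof(h));
    memset(buf + sizeof(h), 0, body);
    return sizeof(h) + body;
}

/* Feeds one received buffer into r: counts records, notes NLMSG_DONE, and on NLMSG_ERROR
 * stores the errno (Linux sends it negated; normalised here). Never reads past len. */
void parse_reply(const uint8_t *buf, size_t len, struct dump_result *r)
{
    for (size_t off = 0; off + sizeof(struct nlhdr) <= len; ) {
        struct nlhdr h;
        memcpy(&h, buf + off, sizeof(h));
        if (h.len < sizeof(h) || h.len > len - off) return;   /* truncated datagram */
        if (h.type == NL_T_DONE) { r->done = 1; return; }
        if (h.type == NL_T_ERROR) {
            int32_t e = 0;
            if (h.len >= sizeof(h) + sizeof(e))
                memcpy(&e, buf + off + sizeof(h), sizeof(e));
            r->error = e < 0 ? -e : e;
            r->done = 1; return;
        }
        r->records++;
        off += NL_ALIGN(h.len);
    }
}

/* One request/response round; -1 on socket failure, else 0 with refusals in r->error. */
int probe_dump(int fd, const struct probe *p, uint32_t seq, struct dump_result *r)
{
    uint8_t buf[16384];
    size_t n = build_dump_request(buf, p->type, p->body, seq);
    memset(r, 0, sizeof(*r));
    if (send(fd, buf, n, 0) != (ssize_t)n) return -1;
    while (!r->done) {
        ssize_t got = recv(fd, buf, sizeof(buf), 0);
        if (got <= 0) return -1;
        parse_reply(buf, (size_t)got, r);
    }
    return 0;
}

/* Constructed replies (not captured from a kernel) so the parser can run offline. */
int sample_refused_errno(void)   /* NLMSG_ERROR carrying -EPERM: returns EPERM */
{
    uint8_t buf[36] = {0};
    struct nlhdr h = { 36, NL_T_ERROR, 0, 1, 0 };
    int32_t e = -EPERM;
    struct dump_result r = {0};
    memcpy(buf, &h, 16); memcpy(buf + 16, &e, 4);
    parse_reply(buf, sizeof(buf), &r);
    return r.done ? r.error : -1;
}
int sample_addr_records(void)    /* two RTM_NEWADDR(24) then NLMSG_DONE(20): returns 2 */
{
    uint8_t buf[68] = {0};
    struct nlhdr a = { 24, 20, 0, 1, 0 }, d = { 20, NL_T_DONE, 0, 1, 0 };
    struct dump_result r = {0};
    memcpy(buf, &a, 16); memcpy(buf + 24, &a, 16); memcpy(buf + 48, &d, 16);
    parse_reply(buf, sizeof(buf), &r);
    return (r.done && r.error == 0) ? r.records : -1;
}

int main(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, 0 /* NETLINK_ROUTE */);
    if (fd < 0) { perror("socket(AF_NETLINK)"); return 1; }
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        struct dump_result r;
        if (probe_dump(fd, &probes[i], (uint32_t)i + 1, &r) < 0)
            printf("%-12s socket error: %s\n", probes[i].name, strerror(errno));
        else if (r.error != 0)
            printf("%-12s refused: %s\n", probes[i].name, strerror(r.error));
        else
            printf("%-12s %d record(s)\n", probes[i].name, r.records);
    }
    close(fd);
    return 0;
}
```

Build it with `cc -o nl_jail_probe nl_jail_probe.c`, run it once on the host and once under jexec, and compare: the interface list should be identical (RTM_GETLINK is unfiltered), the address and route counts should shrink to the jail's own addresses and their host routes, and RTM_GETNEIGH should flip from records to a refusal. A request that hangs rather than failing points at a kernel that accepted the dump but never sent NLMSG_DONE, which is exactly the symptom the notification-subscription silence above can produce for multicast consumers.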