I am a fourth-year undergraduate student in the Department of EE at IIT Kanpur,
India. I am an open-source enthusiast and interested in Operating Systems,
Computer Networks, and system security. As a part of Google Summer of
Code'19, I wrote a loadable kernel MAC module with the TrustedBSD MAC
framework to limit the set of IP addresses for a VNET-enabled Jail to
choose from. I was mentored by Bjoern A. Zeeb ([hidden email]).

*About the project:*

With the introduction of VNET(9) in FreeBSD, Jails are free to set their IP
addresses. However, this privilege may need to be limited by the host as
per its need for multiple security reasons.
This project uses mac(9) for an access control framework to impose
restrictions on FreeBSD jails according to rules defined by the root of the
host using sysctl(8). It involves the development of a dynamically loadable
kernel module (mac_ipacl) based on The TrustedBSD MAC Framework to
implement a security policy for configuring the network stack.
This project allows the root of the host to define the policy rules to
limit a jail to a set of IP (v4 or v6) addresses and/or subnets for a set

Features of this new MAC policy module are:
- Host can define the list (multiple lists) of IP addresses/subnets for
the jail to choose from.
- Host can restrict the jail from setting certain IP addresses or
- Host can restrict this privilege to a few network interfaces.

*How to use the module:*

I have also written a man page for the module. Please refer to
mac_ipacl(4) for using the new MAC module and examples on it.
Test Scripts integrated with kyua and ATF are included with the module.