Hi.

When we don't have too many IP addresses available and we want to run, for example, a www server inside a jail but use the same IP address as the main system, we need to actually use an internal IP address and forward the http port with a firewall from the external IP to the jail's IP. That way we know that if somebody breaks into our jail, he cannot run an sshd server (we have keys, I know) or any other non-http service inside the jail with our public IP address.

This patch gives another option, so one doesn't need to use a firewall for this purpose. It adds a new idtype - 'jid'. With this patch, one can configure that the jail with the given JID can use only the defined ports:

	# sysctl security.mac.portacl.rules="jid:1:tcp:80"

Patch is here:

	http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch

Any objections?

PS. With the above policy, processes from outside a jail can bind to port 80. We can change this behaviour to "allow port 80 to be used only inside jail 1". This will be a warning for non-jailed processes (don't use this port, because it can be used in a jail which will overwrite your service).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
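The rule string above, `idtype:id:protocol:port`, is the existing mac_portacl syntax with the proposed `jid` idtype added, and the PS sketches a second possible semantics for jid rules. The following is an added model written for this page, not the patch or the kernel module: it parses rule strings and evaluates a bind request under both readings. The `port_high` (1023) and `suser_exempt` (on) defaults are assumed to match the module's documented defaults; jid 0 meaning "not jailed" and the exact behaviour of the exclusive variant are assumptions made for the model.

```python
"""Model of mac_portacl rule evaluation with the proposed 'jid' idtype.

Added example; not the mac_portacl source. Assumptions: jid 0 = not jailed,
port_high and suser_exempt defaults as noted, and the PS "only inside jail N"
variant is modelled as jail_exclusive=True.
"""
from dataclasses import dataclass
from typing import List, Tuple

IDTYPES = ("uid", "gid", "jid")   # 'jid' is the idtype proposed in the thread
PROTOS = ("tcp", "udp")


@dataclass(frozen=True)
class Rule:
    idtype: str
    ident: int
    proto: str
    port: int


@dataclass(frozen=True)
class Proc:
    """The subject asking to bind: effective uid, group set, and jail id."""
    uid: int
    gids: Tuple[int, ...] = ()
    jid: int = 0                  # assumption: 0 means "not in a jail"


def parse_rules(text: str) -> List[Rule]:
    """Parse security.mac.portacl.rules syntax: idtype:id:proto:port[,...]."""
    rules = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        fields = entry.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed rule {entry!r}: expected idtype:id:proto:port")
        idtype, ident, proto, port = fields
        if idtype not in IDTYPES:
            raise ValueError(f"unknown idtype {idtype!r} in {entry!r}")
        if proto not in PROTOS:
            raise ValueError(f"unknown protocol {proto!r} in {entry!r}")
        ident_n, port_n = int(ident), int(port)
        if not 0 <= port_n <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        rules.append(Rule(idtype, ident_n, proto, port_n))
    return rules


def is_valid_rule_string(text: str) -> bool:
    """Convenience wrapper: True if parse_rules() accepts the string."""
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def _subject_matches(rule: Rule, proc: Proc) -> bool:
    if rule.idtype == "uid":
        return proc.uid == rule.ident
    if rule.idtype == "gid":
        return rule.ident in proc.gids
    return proc.jid == rule.ident          # idtype == "jid"


def bind_allowed(rules: List[Rule], proc: Proc, proto: str, port: int, *,
                 port_high: int = 1023, suser_exempt: bool = True,
                 jail_exclusive: bool = False) -> bool:
    """Decide whether proc may bind proto/port.

    jail_exclusive=False: the patch as posted; a jid rule grants that jail the
    port and says nothing about processes outside it (the PS observation).
    jail_exclusive=True: the PS alternative; a port named in a jid rule may be
    bound only from that jail, by anyone else it is refused outright.
    Ports above port_high are not governed; with suser_exempt, uid 0 bypasses
    the rule check (both assumed to mirror the module's defaults).
    """
    if jail_exclusive:
        owners = {r.ident for r in rules
                  if r.idtype == "jid" and r.proto == proto and r.port == port}
        if owners and proc.jid not in owners:
            return False
    if port > port_high:
        return True
    if suser_exempt and proc.uid == 0:
        return True
    return any(r.proto == proto and r.port == port and _subject_matches(r, proc)
               for r in rules)


if __name__ == "__main__":
    rules = parse_rules("jid:1:tcp:80")
    www_in_jail = Proc(uid=80, jid=1)
    print("jail 1 binds tcp/80:", bind_allowed(rules, www_in_jail, "tcp", 80, suser_exempt=False))
    print("jail 1 binds tcp/22:", bind_allowed(rules, www_in_jail, "tcp", 22, suser_exempt=False))
    print("host root binds tcp/80 (patch):", bind_allowed(rules, Proc(uid=0), "tcp", 80))
    print("host root binds tcp/80 (PS variant):",
          bind_allowed(rules, Proc(uid=0), "tcp", 80, jail_exclusive=True))
```

The model makes the PS point concrete: with `jid:1:tcp:80` alone, root on the host can still bind tcp/80 (and with suser_exempt on, root inside the jail is never restricted either, so the "only port 80 in this jail" property needs suser_exempt off). The exclusive variant refuses tcp/80 to anything outside jail 1 before the ordinary rule check runs, which is the "warning for non-jailed processes" behaviour the PS describes.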
On Tue, 24 May 2005, Pawel Jakub Dawidek wrote:

> This patch gives another option, so one don't need to use firewall for
> this purpose. It adds new idtype - 'jid'. With this patch, one can
> configure that jail with the given JID can use only defined ports:
>
> # sysctl security.mac.portacl.rules="jid:1:tcp:80"
>
> Patch is here:
>
> http://people.freebsd.org/~pjd/patches/mac_portacl.c.patch
>
> Any objections?

This sounds fine to me, especially since it doesn't break forwards compatibility from older mac_portacl rule sets. However, I've CC'd Samy Al Bahra, who has a set of outstanding mac_portacl patches that are similar, and might have some comments on your proposed changes. My primary concern with his changes was that they changed the syntax in a way that broke backwards compatibility to older defined rules; on the other hand, his version of the changes allowed further scoping of things like "user id 80 in jail 20 can bind port 80", whereas the above supports a single layer of scoping.

Robert N M Watson