photo
Jordan Sissel
geek

Wed, 11 Jun 2008

FreeBSD, Jails, and BPF.

Tonight's fun was spent learning bpf's internals (the pseudo-machine code it uses). The point was to find out exactly how much effort it would take to add secure bpf support to jails. Ideally, we'd want to expose the bpf(4) device to any jail but only make available the traffic that is actually destined for the jail (or broadcast traffic).

It seems like you could get away with this, if you prefixed all jailed bpf filters with: (ip and (host [jail_ip] or multicast or broadcast)). I've got userland-code that does exactly this. Once I knew how to inject my own bpf code into an existing bpf_program struct, I was basically ready to go. The only other thing left was to figure out how, in the FreeBSD kernel, to figure out if you were in a jail and what that jail's IP was - turns out this is a trivial operation :)

Userland example code: pcapinject.c

Working Patch: bpf-jail.patch

The code in the patch is crappyish and has a pile of debug statements, but it does appear to work as intended.

Comments: 3 (view comments)
Tags: , , , , , ,
Permalink: /geekery/freebsd-jails-bpf
posted at: 05:15

3 responses to 'FreeBSD, Jails, and BPF.'

Adam posted at Thu Jun 12 11:42:37 2008...
Forgive my ignorance, Jordan, but does this mean I'll be able to have my pf configuration within the jail instead of outside it? I'll be able to let a jail administrator manage his own ruleset?

Jordan Sissel posted at Thu Jun 12 13:03:30 2008...
The patch provided is geared towards requiring that jails are only able to sniff their own traffic. It's for BPF (berkeley packet filter) not PF. BPF is used in tools like tcpdump.

It doesn't prevent using bpf to write raw traffic, so in that sense it's not a complete solution.

Adam posted at Fri Jun 13 10:17:27 2008...
Ah. I think I need to read more about bpf. I knew tcpdump used it, but wasn't sure what else did. I forgot I couldn't tcpdump within a jail.

Leave a reply

You need javascript enabled to use this form. Anti-spam efforts ongoing. Also, if the comment doesn't show up, it's because the form expired. Go back and copy your comment, reload the form, and resubmit. Apologies if this is a hassle, I'm just playing with antispam methods right now. If this insists on not working, please email me about it.

Name (required)
E-mail (optional, if you want me to be able to email you back)
URL (also optional)
Comment:

Search this site

Navigation

Metadata

Home About Resume My Code (SVN)

Articles

ARP Security Dynamic DNS with DHCP OpenLDAP+Kerberos+SASL PPP over SSH SSH Security: /bin/false Week of Unix Tools Work Efficiency

Projects

fex firefox tabsearch firefox urledit grok keynav liboverride newpsm (FreeBSD) nis2ldap pam_captcha poor man's backup Solaris audio utility xboxproxy xdotool xmlpresenter xpathtool misc scripts

Presentations

Yahoo! Hack Day '06 Unix Essentials Vi/Vim Essentials

Tag Cloud

Calendar

< June 2008 >
SuMoTuWeThFrSa
1 2 3 4 5 6 7
8 91011121314
15161718192021
22232425262728
2930     

Friends

BarCamp Kent Brewster Tantek Çelik John Resig Wesley Shields Tyler Shields

Technorati