MAC policy on IP addresses for FreeBSD Jail
- Mentors
- bz
- Organization
- FreeBSD
With the introduction of VNET(9) in FreeBSD, jails are free to set their own IP addresses. However, the host may need to limit this privilege for security reasons.
This project uses mac(9) as the access control framework to impose restrictions on FreeBSD jails according to rules defined by the root of the host using sysctl(8). It involves the development of a dynamically loadable kernel module (mac_ipacl), based on the TrustedBSD MAC Framework, that implements a security policy for configuring the network stack.
The project allows the root of the host to define policy rules that limit a jail to a set of IP (v4 or v6) addresses and/or subnets for a set of interfaces.
The features of the mac_ipacl policy module are:
- The host can restrict the desired jail to particular IP addresses (or subnets).
- The host can restrict a certain jail from setting certain IP addresses or prefixes.
- The host can enforce the policy for a particular network interface (or all interfaces) for a jail.
- A sysctl interface for tuning the mac_ipacl module.
Apart from the module, a proper test suite (with ATF and Kyua) and a man page for mac_ipacl are also part of the project.
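
The policy features listed above, sketched as an added example (this is not the mac_ipacl source or its sysctl syntax): a small Python model of per-jail allow and deny rules over IPv4/IPv6 subnets and interfaces. The `Rule` fields, the last-match-wins ordering and the default-deny fallback are assumptions of this model; the page does not specify them.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    jid: int                # jail ID the rule applies to
    allow: bool             # True = jail may set the address, False = it may not
    ifname: Optional[str]   # interface name, or None for all interfaces
    net: str                # IPv4/IPv6 address or subnet in CIDR notation


def may_set_address(rules, jid, ifname, addr):
    """Decide whether jail `jid` may configure `addr` on interface `ifname`.

    Assumed semantics of this model: rules are scanned in order, the last
    matching rule decides, and a request that matches no rule is denied.
    """
    ip = ipaddress.ip_address(addr)
    verdict = False  # default deny (assumption)
    for r in rules:
        net = ipaddress.ip_network(r.net, strict=False)
        if r.jid != jid:
            continue  # rule is for another jail
        if r.ifname is not None and r.ifname != ifname:
            continue  # rule is bound to a different interface
        if ip.version != net.version or ip not in net:
            continue  # wrong address family or outside the subnet
        verdict = r.allow
    return verdict


# Constructed sample policy: jail IDs, interface names and prefixes are made up.
RULES = [
    Rule(1, True, None, "192.0.2.0/24"),         # jail 1: whole subnet, any interface
    Rule(1, False, None, "192.0.2.10/32"),       # jail 1: except this one address
    Rule(2, True, "epair0b", "2001:db8::/64"),   # jail 2: IPv6 prefix on one interface
]

if __name__ == "__main__":
    for jid, ifname, addr in [(1, "epair0b", "192.0.2.20"),
                              (1, "epair0b", "192.0.2.10"),
                              (2, "epair1b", "2001:db8::5")]:
        print(jid, ifname, addr, may_set_address(RULES, jid, ifname, addr))
```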