Changeset 91769 in vbox

Timestamp:

Oct 15, 2021 7:24:43 PM (3 years ago)

Author:

vboxsync

Message:

VBoxNetAdp: (bugref:10077) More administrative control over network ranges

Location:

trunk

Files:

• doc/manual/en_US/user_Networking.xml (modified) (1 diff)
• src/VBox/HostDrivers/adpctl/Makefile.kmk (modified) (1 diff)
• src/VBox/HostDrivers/adpctl/VBoxNetAdpCtl.cpp (modified) (7 diffs)
• src/VBox/Main/src-server/HostNetworkInterfaceImpl.cpp (modified) (1 diff)
• src/VBox/Main/src-server/generic/NetIf-generic.cpp (modified) (1 diff)

trunk/doc/manual/en_US/user_Networking.xml

@@ -1185 +1185 @@
     </note>
 
+    <para>
+      On Linux, Mac OS X and Solaris &product-name; will only allow IP
+      addresses in 192.68.56.0/21 range to be assigned to host-only
+      adapters. For IPv6 only link-local addresses are allowed. If other
+      ranges are desired, they can be enabled by creating
+      <filename>/etc/vbox/networks.conf</filename> and specifying allowed
+      ranges there. For example, to allow 10.0.0.0/8 and 192.168.0.0/16
+      IPv4 ranges as well as 2001::/64 range put the following lines into
+      <filename>/etc/vbox/networks.conf</filename>:
+      <screen>
+      * 10.0.0.0/8 192.168.0.0/16
+      * 2001::/64
+      </screen>
+      Lines starting with the hash <command>#</command> are ignored. Next
+      example allows any addresses, effectively disabling range control:
+      <screen>
+      * 0.0.0.0/0 ::/0
+      </screen>
+      If the file exists, but no ranges are specified in it, no addresses
+      will be assigned to host-only adapters. The following example
+      effectively disables all ranges:
+      <screen>
+      # No addresses are allowed for host-only adapters
+      </screen>
+    </para>
+
   </sect1>
 

trunk/src/VBox/HostDrivers/adpctl/Makefile.kmk

@@ -21 +21 @@
 include $(KBUILD_PATH)/subheader.kmk
 
-PROGRAMS              += VBoxNetAdpCtl
+PROGRAMS               += VBoxNetAdpCtl
 ### Another template? We must *not* set RPATH!
-VBoxNetAdpCtl_TEMPLATE = VBOXR3HARDENEDEXE
-VBoxNetAdpCtl_SOURCES  = VBoxNetAdpCtl.cpp
+ifneq ($(KBUILD_TYPE),debug)
+ VBoxNetAdpCtl_TEMPLATE = VBoxR3SetUidToRoot
+ VBoxNetAdpCtl_LIBS    += $(LIB_RUNTIME)
+else
+ VBoxNetAdpCtl_TEMPLATE = VBoxR3Static
+endif
+VBoxNetAdpCtl_SOURCES   = VBoxNetAdpCtl.cpp
 
 include $(FILE_KBUILD_SUB_FOOTER)

trunk/src/VBox/HostDrivers/adpctl/VBoxNetAdpCtl.cpp

@@ -33 +33 @@
 #include <sys/stat.h>
 #include <fcntl.h>
+
+#include <iprt/err.h>
+#include <iprt/initterm.h>
+#include <iprt/message.h>
+#include <iprt/net.h>
+#include <iprt/string.h>
+#include <iprt/uint128.h>
+
 #ifdef RT_OS_LINUX
 # include <arpa/inet.h>
@@ -49 +57 @@
 # include <sys/ioccom.h>
 #endif
-
-#define NOREF(x) (void)x
 
 /** @todo Error codes must be moved to some header file */
@@ -729 +735 @@
 
 /*********************************************************************************************************************************
+*   Global config file implementation                                                                                            *
+*********************************************************************************************************************************/
+
+#define VBOX_GLOBAL_NETWORK_CONFIG_PATH "/etc/vbox/networks.conf"
+#define VBOXNET_DEFAULT_IPV4MASK "255.255.255.0"
+
+class NetworkAddress
+{
+    public:
+        bool isValidString(const char *pcszNetwork);
+        bool isValid() { return m_fValid; };
+        virtual bool matches(const char *pcszNetwork) = 0;
+        virtual const char *defaultNetwork() = 0;
+    protected:
+        bool m_fValid;
+
+        int RTNetStrToIPv4CidrWithZeroPrefixAllowed(const char *pcszAddr, PRTNETADDRIPV4 pAddr, int *piPrefix);
+        int RTNetStrToIPv6CidrWithZeroPrefixAllowed(const char *pcszAddr, PRTNETADDRIPV6 pAddr, int *piPrefix);
+};
+
+int NetworkAddress::RTNetStrToIPv4CidrWithZeroPrefixAllowed(const char *pcszAddr, PRTNETADDRIPV4 pAddr, int *piPrefix)
+{
+    RTNETADDRIPV4 addr;
+    char *pszNext;
+
+    AssertPtrReturn(pcszAddr, VERR_INVALID_PARAMETER);
+    AssertPtrReturn(pAddr, VERR_INVALID_PARAMETER);
+    AssertPtrReturn(piPrefix, VERR_INVALID_PARAMETER);
+
+    pcszAddr = RTStrStripL(pcszAddr);
+    int rc = RTNetStrToIPv4AddrEx(pcszAddr, &addr, &pszNext);
+    if (RT_FAILURE(rc))
+        return rc;
+
+    /*
+     * If the prefix is missing, treat is as exact (/32) address
+     * specification.
+     */
+    if (*pszNext == '\0' || rc == VWRN_TRAILING_SPACES)
+    {
+        *pAddr = addr;
+        *piPrefix = 32;
+        return VINF_SUCCESS;
+    }
+
+    if (*pszNext == '/')
+        ++pszNext;
+    else
+        return VERR_INVALID_PARAMETER;
+
+    uint32_t prefix;
+    rc = RTStrToUInt32Ex(pszNext, &pszNext, 16, &prefix);
+    if ((rc == VINF_SUCCESS || rc == VWRN_TRAILING_SPACES) && prefix == 0)
+    {
+        *pAddr = addr;
+        *piPrefix = 0;
+        return VINF_SUCCESS;
+    }
+    return RTNetStrToIPv4Cidr(pcszAddr, pAddr, piPrefix);
+}
+
+RTDECL(int) NetworkAddress::RTNetStrToIPv6CidrWithZeroPrefixAllowed(const char *pcszAddr, PRTNETADDRIPV6 pAddr, int *piPrefix)
+{
+    RTNETADDRIPV6 Addr;
+    uint8_t u8Prefix;
+    char *pszNext;
+    int rc;
+
+    AssertPtrReturn(pcszAddr, VERR_INVALID_PARAMETER);
+    AssertPtrReturn(pAddr, VERR_INVALID_PARAMETER);
+    AssertPtrReturn(piPrefix, VERR_INVALID_PARAMETER);
+
+    pcszAddr = RTStrStripL(pcszAddr);
+    rc = RTNetStrToIPv6AddrEx(pcszAddr, &Addr, &pszNext);
+    if (RT_FAILURE(rc))
+        return rc;
+
+    /*
+     * If the prefix is missing, treat is as exact (/128) address
+     * specification.
+     */
+    if (*pszNext == '\0' || rc == VWRN_TRAILING_SPACES)
+    {
+        *pAddr = Addr;
+        *piPrefix = 128;
+        return VINF_SUCCESS;
+    }
+
+    if (*pszNext != '/')
+        return VERR_INVALID_PARAMETER;
+
+    ++pszNext;
+    rc = RTStrToUInt8Ex(pszNext, &pszNext, 10, &u8Prefix);
+    if (RT_FAILURE(rc) || rc == VWRN_TRAILING_CHARS)
+        return VERR_INVALID_PARAMETER;
+
+    if (u8Prefix > 128)
+        return VERR_INVALID_PARAMETER;
+
+    *pAddr = Addr;
+    *piPrefix = u8Prefix;
+    return VINF_SUCCESS;
+}
+
+bool NetworkAddress::isValidString(const char *pcszNetwork)
+{
+    RTNETADDRIPV4 addrv4;
+    RTNETADDRIPV6 addrv6;
+    int prefix;
+    int rc = RTNetStrToIPv4CidrWithZeroPrefixAllowed(pcszNetwork, &addrv4, &prefix);
+    if (RT_SUCCESS(rc))
+        return true;
+    rc = RTNetStrToIPv6CidrWithZeroPrefixAllowed(pcszNetwork, &addrv6, &prefix);
+    return RT_SUCCESS(rc);
+}
+
+class NetworkAddressIPv4 : public NetworkAddress
+{
+    public:
+        NetworkAddressIPv4(const char *pcszIpAddress, const char *pcszNetMask = VBOXNET_DEFAULT_IPV4MASK);
+        virtual bool matches(const char *pcszNetwork);
+        virtual const char *defaultNetwork() { return "192.168.56.1/21"; }; /* Matches defaults in VBox/Main/include/netif.h, see @bugref{10077}. */
+
+    private:
+        RTNETADDRIPV4 m_address;
+        int m_prefix;
+};
+
+NetworkAddressIPv4::NetworkAddressIPv4(const char *pcszIpAddress, const char *pcszNetMask)
+{
+    int rc = RTNetStrToIPv4Addr(pcszIpAddress, &m_address);
+    if (RT_SUCCESS(rc))
+    {
+        RTNETADDRIPV4 mask;
+        rc = RTNetStrToIPv4Addr(pcszNetMask, &mask);
+        if (RT_FAILURE(rc))
+            m_fValid = false;
+        else
+            rc = RTNetMaskToPrefixIPv4(&mask, &m_prefix);
+    }
+#if 0 /* cmd.set() does not support CIDR syntax */
+    else
+        rc = RTNetStrToIPv4Cidr(pcszIpAddress, &m_address, &m_prefix);
+#endif
+    m_fValid = RT_SUCCESS(rc);
+}
+
+bool NetworkAddressIPv4::matches(const char *pcszNetwork)
+{
+    RTNETADDRIPV4 allowedNet, allowedMask;
+    int allowedPrefix;
+    int rc = RTNetStrToIPv4CidrWithZeroPrefixAllowed(pcszNetwork, &allowedNet, &allowedPrefix);
+    if (RT_SUCCESS(rc))
+        rc = RTNetPrefixToMaskIPv4(allowedPrefix, &allowedMask);
+    if (RT_FAILURE(rc))
+        return false;
+    return m_prefix >= allowedPrefix && (m_address.au32[0] & allowedMask.au32[0]) == (allowedNet.au32[0] & allowedMask.au32[0]);
+}
+
+class NetworkAddressIPv6 : public NetworkAddress
+{
+    public:
+        NetworkAddressIPv6(const char *pcszIpAddress);
+        virtual bool matches(const char *pcszNetwork);
+        virtual const char *defaultNetwork() { return "FE80::/10"; };
+    private:
+        RTNETADDRIPV6 m_address;
+        int m_prefix;
+};
+
+NetworkAddressIPv6::NetworkAddressIPv6(const char *pcszIpAddress)
+{
+    int rc = RTNetStrToIPv6Cidr(pcszIpAddress, &m_address, &m_prefix);
+    m_fValid = RT_SUCCESS(rc);
+}
+
+bool NetworkAddressIPv6::matches(const char *pcszNetwork)
+{
+    RTNETADDRIPV6 allowedNet, allowedMask;
+    int allowedPrefix;
+    int rc = RTNetStrToIPv6CidrWithZeroPrefixAllowed(pcszNetwork, &allowedNet, &allowedPrefix);
+    if (RT_SUCCESS(rc))
+        rc = RTNetPrefixToMaskIPv6(allowedPrefix, &allowedMask);
+    if (RT_FAILURE(rc))
+        return false;
+    RTUINT128U u128Provided, u128Allowed;
+    return m_prefix >= allowedPrefix
+        && RTUInt128Compare(RTUInt128And(&u128Provided, &m_address, &allowedMask), RTUInt128And(&u128Allowed, &allowedNet, &allowedMask)) == 0;
+}
+
+
+class GlobalNetworkPermissionsConfig
+{
+    public:
+        bool forbids(const char *pcszIpAddress); /* address or address with mask in cidr */
+        bool forbids(const char *pcszIpAddress, const char *pcszNetMask);
+
+    private:
+        bool forbids(NetworkAddress& address);
+};
+
+bool GlobalNetworkPermissionsConfig::forbids(const char *pcszIpAddress)
+{
+    NetworkAddressIPv6 addrv6(pcszIpAddress);
+
+    if (addrv6.isValid())
+        return forbids(addrv6);
+
+    NetworkAddressIPv4 addrv4(pcszIpAddress);
+
+    if (addrv4.isValid())
+        return forbids(addrv4);
+
+    fprintf(stderr, "Error: invalid address '%s'\n", pcszIpAddress);
+    return true;
+}
+
+bool GlobalNetworkPermissionsConfig::forbids(const char *pcszIpAddress, const char *pcszNetMask)
+{
+    NetworkAddressIPv4 addrv4(pcszIpAddress, pcszNetMask);
+
+    if (addrv4.isValid())
+        return forbids(addrv4);
+
+    fprintf(stderr, "Error: invalid address '%s' with mask '%s'\n", pcszIpAddress, pcszNetMask);
+    return true;
+}
+
+bool GlobalNetworkPermissionsConfig::forbids(NetworkAddress& address)
+{
+    FILE *fp = fopen(VBOX_GLOBAL_NETWORK_CONFIG_PATH, "r");
+    if (!fp)
+    {
+        if (verbose)
+            fprintf(stderr, "Info: matching against default '%s' => %s\n", address.defaultNetwork(),
+                address.matches(address.defaultNetwork()) ? "MATCH" : "no match");
+        return !address.matches(address.defaultNetwork());
+    }
+
+    char *pszToken, szLine[1024];
+    for (int line = 1; fgets(szLine, sizeof(szLine), fp); ++line)
+    {
+        /* Skip anything except '*' lines */
+        if (strcmp("*", strtok(szLine, " \t\n")))
+            continue;
+        /* Match the specified address against each network */
+        while ((pszToken = strtok(NULL, " \t\n")) != NULL)
+        {
+            if (!address.isValidString(pszToken))
+            {
+                fprintf(stderr, "Warning: %s(%d) invalid network '%s'\n", VBOX_GLOBAL_NETWORK_CONFIG_PATH, line, pszToken);
+                continue;
+            }
+            if (verbose)
+                fprintf(stderr, "Info: %s(%d) matching against '%s' => %s\n", VBOX_GLOBAL_NETWORK_CONFIG_PATH, line, pszToken,
+                    address.matches(pszToken) ? "MATCH" : "no match");
+            if (address.matches(pszToken))
+                return false;
+        }
+    }
+    fclose(fp);
+    return true;
+}
+
+
+/*********************************************************************************************************************************
 *   Main logic, argument parsing, etc.                                                                                           *
 *********************************************************************************************************************************/
@@ -756 +1028 @@
 {
     char szAdapterName[VBOXNETADP_MAX_NAME_LEN];
-    int rc;
+    int rc = RTR3InitExe(argc, &argv, 0 /*fFlags*/);
+    if (RT_FAILURE(rc))
+        return RTMsgInitFailure(rc);
+
 
     AddressCommand& cmd = chooseAddressCommand();
@@ -899 +1174 @@
     const char * const keyword = argv[2];
 
+    GlobalNetworkPermissionsConfig config;
 
     /*
@@ -905 +1181 @@
     if (keyword == NULL)
     {
+        if (config.forbids(addr))
+        {
+            fprintf(stderr, "Error: permission denied\n");
+            return -VERR_ACCESS_DENIED;
+        }
+
         return cmd.set(ifname, addr);
     }
@@ -917 +1199 @@
 
         const char * const mask = argv[3];
+        if (config.forbids(addr, mask))
+        {
+            fprintf(stderr, "Error: permission denied\n");
+            return -VERR_ACCESS_DENIED;
+        }
+
         return cmd.set(ifname, addr, mask);
     }

trunk/src/VBox/Main/src-server/HostNetworkInterfaceImpl.cpp

@@ -603 +603 @@
             {
                 LogRel(("Failed to EnableStaticIpConfig with rc=%Rrc\n", rc));
-                return rc == VERR_NOT_IMPLEMENTED ? E_NOTIMPL : E_FAIL;
+                return rc == VERR_NOT_IMPLEMENTED ? E_NOTIMPL : (rc == VERR_ACCESS_DENIED ? E_ACCESSDENIED : E_FAIL);
             }
 

trunk/src/VBox/Main/src-server/generic/NetIf-generic.cpp

@@ -81 +81 @@
             LogRel(("NetIfAdpCtl: failed to create process for %s: iStats=%d enmReason=%d\n",
                     szAdpCtl, Status.iStatus, Status.enmReason));
-            rc = VERR_GENERAL_FAILURE;
+            rc = -Status.iStatus;
         }
     }