NetBSD-Bugs archive


kern/58541: npf(4) should be able to filter by socket uid/gid



>Number:         58541
>Category:       kern
>Synopsis:       npf(4) should be able to filter by socket uid/gid
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 02 19:15:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, ...
>Organization:
The NetPF Fuidation
>Environment:
>Description:
Utility computing instances like Amazon EC2, Google Compute Engine, Oracle Compute Instances, OpenStack Compute, &c., expose secrets like random seeds and API keys to the guest typically via various paths at http://169.254.169.254.

The random seed is often the only source of entropy for /dev/urandom.  The API keys are typically used for things like uploading objects to storage buckets or other utility services.  For example, the guest might use its secret API key to authenticate publishing its newly generated ssh host key, which in turn is only unpredictable to parties that lack knowledge of the random seed.

In order to implement a privilege boundary around the metadata service, unprivileged processes must be forbidden to exchange packets with 169.254.169.254 (at least on port 80).

npf(4) should support filtering packets in TCP/UDP by the uid/gid of the associated socket.
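For context, here is what npf.conf(5) can express today for this problem. This fragment is an added illustration by the editor, not part of the PR or of NetBSD's own configuration; the interface name vioif0 is assumed, and the syntax follows npf.conf(5) as recalled here, so check it against the manual of the release in use. The point it makes is the gap the PR describes: the block below is host-wide, so it also cuts off the privileged agent that legitimately fetches the random seed and API keys, because without a uid/gid match there is no way to let that one socket through while denying everything unprivileged.

```conf
# Added illustration (not from the PR): the best npf.conf(5) can do without
# socket uid/gid matching. Interface name "vioif0" is an assumption.
$ext_if   = "vioif0"
$metadata = { 169.254.169.254 }

group default {
    # Drop every outbound packet to the metadata service on port 80 from
    # this host, regardless of which process owns the socket. This protects
    # unprivileged processes' view of the secrets, but equally blocks the
    # privileged boot-time agent that needs them.
    block out final on $ext_if proto tcp to $metadata port 80
    block out final on $ext_if proto udp to $metadata port 80

    # Everything else passes, with state tracking for outbound flows.
    pass stateful out final on $ext_if all
    pass in final on $ext_if all
}
```

With the change requested in this PR, the two block rules could be qualified by the owning socket's uid/gid, so that only unprivileged sockets are denied and the metadata agent keeps working.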
>How-To-Repeat:
try to enforce a privilege boundary on a utility computing instance
>Fix:
Yes, please!


