if_me: Use dedicated network privilege

Separate if_me privileges from if_gif. Reviewed by: kp Differential Revision: https://reviews.freebsd.org/D36691
2022-10-15 17:05:36 +02:00 · 2022-10-15 17:05:36 +02:00 · 43f8c763cd
commit 43f8c763cd
parent b37707bb39
3 changed files with 3 additions and 1 deletions
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@ -3757,6 +3757,7 @@ prison_priv_check(struct ucred *cred, int priv)
 	case PRIV_NET_SETIFVNET:
 	case PRIV_NET_SETIFFIB:
 	case PRIV_NET_OVPN:
+	case PRIV_NET_ME:

 		/*
 		 * 802.11-related privileges.
--- a/sys/net/if_me.c
+++ b/sys/net/if_me.c
@ -322,7 +322,7 @@ me_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 		ifr->ifr_fib = sc->me_fibnum;
 		break;
 	case SIOCSTUNFIB:
-		if ((error = priv_check(curthread, PRIV_NET_GRE)) != 0)
+		if ((error = priv_check(curthread, PRIV_NET_ME)) != 0)
 			break;
 		if (ifr->ifr_fib >= rt_numfibs)
 			error = EINVAL;
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@ -349,6 +349,7 @@
 #define	PRIV_NET_SETLANPCP	421	/* Set LAN priority. */
 #define	PRIV_NET_SETVLANPCP	PRIV_NET_SETLANPCP /* Alias Set VLAN priority */
 #define	PRIV_NET_OVPN		422	/* Administer OpenVPN DCO. */
+#define	PRIV_NET_ME		423	/* Administer ME interface. */

 /*
 * 802.11-related privileges.