d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Consistently check IPFW and DUMMYNET privileges in the configuration

Browse Source 
routines for those modules, rather than in the raw socket code.  This
each privilege check to occur in exactly once place and avoids
duplicate checks across layers.

MFC after:	3 weeks
Sponsored by:	nCircle Network Security, Inc.
This commit is contained in:
Robert Watson 2008-05-22 08:10:31 +00:00
parent d30b4ed2c9
commit 22c82719cf
2 changed files with 5 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/netinet/ip_dummynet.c
View File

@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$");
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
@ -2124,6 +2125,10 @@ ip_dn_ctl(struct sockopt *sopt)
int error = 0 ;
struct dn_pipe *p, tmp_pipe;
error = priv_check(sopt->sopt_td, PRIV_NETINET_DUMMYNET);
if (error)
return (error);
/* Disallow sets in really-really secure mode. */
if (sopt->sopt_dir == SOPT_SET) {
#if __FreeBSD_version >= 500034

19
sys/netinet/raw_ip.c
View File

@ -381,13 +381,6 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt)
case IP_FW_TABLE_LIST:
case IP_FW_NAT_GET_CONFIG:
case IP_FW_NAT_GET_LOG:
/*
* XXXRW: Isn't this checked one layer down? Yes, it
* is.
*/
error = priv_check(curthread, PRIV_NETINET_IPFW);
if (error != 0)
return (error);
if (ip_fw_ctl_ptr != NULL)
error = ip_fw_ctl_ptr(sopt);
else
@ -395,9 +388,6 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt)
break;
case IP_DUMMYNET_GET:
error = priv_check(curthread, PRIV_NETINET_DUMMYNET);
if (error != 0)
return (error);
if (ip_dn_ctl_ptr != NULL)
error = ip_dn_ctl_ptr(sopt);
else
@ -452,12 +442,6 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt)
case IP_FW_TABLE_FLUSH:
case IP_FW_NAT_CFG:
case IP_FW_NAT_DEL:
/*
* XXXRW: Isn't this checked one layer down?
*/
error = priv_check(curthread, PRIV_NETINET_IPFW);
if (error != 0)
return (error);
if (ip_fw_ctl_ptr != NULL)
error = ip_fw_ctl_ptr(sopt);
else
@ -467,9 +451,6 @@ rip_ctloutput(struct socket *so, struct sockopt *sopt)
case IP_DUMMYNET_CONFIGURE:
case IP_DUMMYNET_DEL:
case IP_DUMMYNET_FLUSH:
error = priv_check(curthread, PRIV_NETINET_DUMMYNET);
if (error != 0)
return (error);
if (ip_dn_ctl_ptr != NULL)
error = ip_dn_ctl_ptr(sopt);
else