freebsd-nq/sys/netinet6
Mark Johnston 274579831b capsicum: Limit socket operations in capability mode
Capsicum did not prevent certain privileged networking operations,
specifically creation of raw sockets and network configuration ioctls.
However, these facilities can be used to circumvent some of the
restrictions that capability mode is supposed to enforce.

Add capability mode checks to disallow network configuration ioctls and
creation of sockets other than PF_LOCAL and SOCK_DGRAM/STREAM/SEQPACKET
internet sockets.

Reviewed by:	oshogbo
Discussed with:	emaste
Reported by:	manu
Sponsored by:	The FreeBSD Foundation
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D29423
2021-04-07 14:32:56 -04:00
dest6.c
frag6.c net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros 2021-03-04 20:56:48 +01:00
icmp6.c Remove per-packet ifa refcounting from IPv6 fast path. 2021-02-15 22:33:12 +00:00
icmp6.h
in6_cksum.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
in6_fib_algo.c Fix dpdk/ldradix fib lookup algorithm preference calculation. 2021-03-07 22:17:53 +00:00
in6_fib.c Fix unused-function warning when compiling with FIB_ALGO. 2021-01-30 23:25:56 +00:00
in6_fib.h Add modular fib lookup framework. 2020-12-25 11:33:17 +00:00
in6_gif.c net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros 2021-03-04 20:56:48 +01:00
in6_ifattach.c Remove per-packet ifa refcounting from IPv6 fast path. 2021-02-15 22:33:12 +00:00
in6_ifattach.h
in6_jail.c
in6_mcast.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
in6_pcb.c Enforce net epoch in in6_selectsrc(). 2021-02-15 22:33:12 +00:00
in6_pcb.h Filter TCP connections to SO_REUSEPORT_LB listen sockets by NUMA domain 2020-12-19 22:04:46 +00:00
in6_pcbgroup.c
in6_proto.c capsicum: Limit socket operations in capability mode 2021-04-07 14:32:56 -04:00
in6_rmx.c Introduce scalable route multipath. 2020-10-03 10:47:17 +00:00
in6_rss.c Implement flowid calculation for outbound connections to balance 2020-10-18 17:15:47 +00:00
in6_rss.h Implement flowid calculation for outbound connections to balance 2020-10-18 17:15:47 +00:00
in6_src.c Remove per-packet ifa refcounting from IPv6 fast path. 2021-02-15 22:33:12 +00:00
in6_var.h Remove per-packet ifa refcounting from IPv6 fast path. 2021-02-15 22:33:12 +00:00
in6.c capsicum: Limit socket operations in capability mode 2021-04-07 14:32:56 -04:00
in6.h Expose nonstandard IPv6 kernel definitions to standalone builds. 2020-12-04 21:51:47 +00:00
ip6_ecn.h
ip6_fastfwd.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
ip6_forward.c ipv6: quit dropping packets looping back on p2p interfaces 2020-08-31 01:45:48 +00:00
ip6_gre.c
ip6_id.c
ip6_input.c Flush remaining routes from the routing table during VNET shutdown. 2021-03-10 21:10:14 +00:00
ip6_mroute.c Revert "SO_RERROR indicates that receive buffer overflows should be handled as errors." 2021-02-08 22:32:32 +00:00
ip6_mroute.h
ip6_output.c net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros 2021-03-04 20:56:48 +01:00
ip6_var.h
ip6.h
ip6protosw.h
ip_fw_nat64.h
ip_fw_nptv6.h net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
mld6_var.h
mld6.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
mld6.h
nd6_nbr.c Enforce net epoch in in6_selectsrc(). 2021-02-15 22:33:12 +00:00
nd6_rtr.c Fix crash with rtadv-originated multipath IPv6 routes. 2021-02-24 16:44:10 +00:00
nd6.c base: remove if_wg(4) and associated utilities, manpage 2021-03-17 09:14:48 -05:00
nd6.h Switch inet6 default route subscription to the new rib subscription api. 2020-07-12 11:24:23 +00:00
pim6_var.h
pim6.h
raw_ip6.c Enforce net epoch in in6_selectsrc(). 2021-02-15 22:33:12 +00:00
raw_ip6.h
route6.c
scope6_var.h Make net.inet6.ip6.deembed_scopeid behaviour default & remove sysctl. 2020-08-15 11:37:44 +00:00
scope6.c net: clean up empty lines in .c and .h files 2020-09-01 21:19:14 +00:00
sctp6_usrreq.c net: Introduce IPV6_DSCP(), IPV6_ECN() and IPV6_TRAFFIC_CLASS() macros 2021-03-04 20:56:48 +01:00
sctp6_var.h
send.c Remove per-packet ifa refcounting from IPv6 fast path. 2021-02-15 22:33:12 +00:00
send.h
tcp6_var.h
udp6_usrreq.c [udp6] fix possible panic due to lack of locking. 2021-02-11 12:00:25 +03:00
udp6_var.h