tuntap(4): restrict scope of net.link.tap.user_open slightly
net.link.tap.user_open has historically allowed non-root users to do devfs cloning and open /dev/tap* nodes based on permissions. Loosen this up to make it only allow users to do devfs cloning -- we no longer check it in tunopen. This allows tap devices to be created that can actually be opened by a user, rather than swiftly restricting them to root because the magic sysctl has not been set. The sysctl has not yet been completely deprecated, because more thought is needed for how to handle the devfs cloning case. There is not an easy suitable replacement for the sysctl there, and more care needs to be placed in determining whether that's OK or not. PR: 200185
This commit is contained in:
kevans
parent
bd88b63725
commit
26d6f82958
9
UPDATING
9
UPDATING
@ -26,6 +26,15 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 13.x IS SLOW:
|
||||
disable the most expensive debugging functionality run
|
||||
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
|
||||
|
||||
20191021:
|
||||
The net.link.tap.user_open sysctl no longer prevents user opening of
|
||||
already created /dev/tapNN devices. Access is still controlled by
|
||||
node permissions, just like tun devices. The net.link.tap.user_open
|
||||
sysctl is now used only to allow users to perform devfs cloning of
|
||||
tap devices, and the subsequent open may not succeed if the user is not
|
||||
in the appropriate group. This sysctl may be deprecated/removed
|
||||
completely in the future.
|
||||
|
||||
20191009:
|
||||
mips, powerpc, and sparc64 are no longer built as part of
|
||||
universe / tinderbox unless MAKE_OBSOLETE_GCC is defined. If
|
||||
|
||||
@ -181,7 +181,7 @@ static const char vmnetname[] = "vmnet";
|
||||
static MALLOC_DEFINE(M_TUN, tunname, "Tunnel Interface");
|
||||
static int tundebug = 0;
|
||||
static int tundclone = 1;
|
||||
static int tap_allow_uopen = 0; /* allow user open() */
|
||||
static int tap_allow_uopen = 0; /* allow user devfs cloning */
|
||||
static int tapuponopen = 0; /* IFF_UP on open() */
|
||||
static int tapdclone = 1; /* enable devfs cloning */
|
||||
|
||||
@ -202,7 +202,7 @@ SYSCTL_INT(_net_link_tun, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tundclone, 0,
|
||||
static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
|
||||
"Ethernet tunnel software network interface");
|
||||
SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tap_allow_uopen, 0,
|
||||
"Allow user to open /dev/tap (based on node permissions)");
|
||||
"Enable legacy devfs interface creation for all users");
|
||||
SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0,
|
||||
"Bring interface up when /dev/tap is opened");
|
||||
SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0,
|
||||
@ -1049,17 +1049,6 @@ tunopen(struct cdev *dev, int flag, int mode, struct thread *td)
|
||||
return (error); /* Shouldn't happen */
|
||||
}
|
||||
|
||||
if ((tunflags & TUN_L2) != 0) {
|
||||
/* Restrict? */
|
||||
if (tap_allow_uopen == 0) {
|
||||
error = priv_check(td, PRIV_NET_TAP);
|
||||
if (error != 0) {
|
||||
CURVNET_RESTORE();
|
||||
return (error);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
tp = dev->si_drv1;
|
||||
KASSERT(tp != NULL,
|
||||
("si_drv1 should have been initialized at creation"));
|
||||
|
||||
Loading…
Reference in New Issue
Block a user