Re-enable network ioctls in capability mode

This reverts a portion of 274579831b ("capsicum: Limit socket
operations in capability mode") as at least rtsol and dhcpcd rely on
being able to configure network interfaces while in capability mode.

Reported by:	bapt, Greg V
Sponsored by:	The FreeBSD Foundation

contrib/capsicum-test/capmode.cc

@@ -227,6 +227,10 @@ FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) {
 
   // Interface configuration ioctls are not permitted in capability
   // mode.
+  //
+  // This test is disabled for now as the corresponding kernel change was
+  // disabled.
+#if 0
 #ifdef __FreeBSD__
   struct if_clonereq req;
 
@@ -238,6 +242,7 @@ FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) {
 
   free(req.ifcr_buffer);
 #endif
+#endif
 }
 
 #ifdef HAVE_SEND_RECV_MMSG

sys/kern/sys_socket.c

@@ -271,7 +271,7 @@ soo_ioctl(struct file *fp, u_long cmd, void *data, struct ucred *active_cred,
 			error = ifioctl(so, cmd, data, td);
 		else if (IOCGROUP(cmd) == 'r') {
 			CURVNET_SET(so->so_vnet);
-			error = rtioctl_fib(cmd, data, so->so_fibnum, td);
+			error = rtioctl_fib(cmd, data, so->so_fibnum);
 			CURVNET_RESTORE();
 		} else {
 			CURVNET_SET(so->so_vnet);

sys/net/if.c

@@ -2968,15 +2968,6 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
 	bool shutdown;
 #endif
 
-	/*
-	 * Interface ioctls access a global namespace.  There is currently no
-	 * capability-based representation for interfaces, so the configuration
-	 * interface is simply unaccessible from capability mode.  If necessary,
-	 * select ioctls may be permitted here.
-	 */
-	if (IN_CAPABILITY_MODE(td))
-		return (ECAPMODE);
-
 	CURVNET_SET(so->so_vnet);
 #ifdef VIMAGE
 	/* Make sure the VNET is stable. */

sys/net/route.c

@@ -43,7 +43,6 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
-#include <sys/capsicum.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
@@ -246,10 +245,8 @@ rib_add_redirect(u_int fibnum, struct sockaddr *dst, struct sockaddr *gateway,
  * Routing table ioctl interface.
  */
 int
-rtioctl_fib(u_long req, caddr_t data, u_int fibnum, struct thread *td)
+rtioctl_fib(u_long req, caddr_t data, u_int fibnum)
 {
-	if (IN_CAPABILITY_MODE(td))
-		return (ECAPMODE);
 
 	/*
 	 * If more ioctl commands are added here, make sure the proper

sys/net/route.h

@@ -431,13 +431,11 @@ void	rt_updatemtu(struct ifnet *);
 
 void	rt_flushifroutes(struct ifnet *ifp);
 
-struct thread;
-
 /* XXX MRT NEW VERSIONS THAT USE FIBs
  * For now the protocol indepedent versions are the same as the AF_INET ones
  * but this will change.. 
  */
-int	rtioctl_fib(u_long, caddr_t, u_int, struct thread *);
+int	rtioctl_fib(u_long, caddr_t, u_int);
 int	rib_lookup_info(uint32_t, const struct sockaddr *, uint32_t, uint32_t,
 	    struct rt_addrinfo *);
 void	rib_free_info(struct rt_addrinfo *info);

sys/netinet/in.c

@@ -36,7 +36,6 @@
 __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
-#include <sys/capsicum.h>
 #include <sys/eventhandler.h>
 #include <sys/systm.h>
 #include <sys/sockio.h>
@@ -238,9 +237,6 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
 	if (ifp == NULL)
 		return (EADDRNOTAVAIL);
 
-	if (td != NULL && IN_CAPABILITY_MODE(td))
-		return (ECAPMODE);
-
 	/*
 	 * Filter out 4 ioctls we implement directly.  Forward the rest
 	 * to specific functions and ifp->if_ioctl().

sys/netinet6/in6.c

@@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
 #include "opt_inet6.h"
 
 #include <sys/param.h>
-#include <sys/capsicum.h>
 #include <sys/eventhandler.h>
 #include <sys/errno.h>
 #include <sys/jail.h>
@@ -255,9 +254,6 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
 	int error;
 	u_long ocmd = cmd;
 
-	if (td != NULL && IN_CAPABILITY_MODE(td))
-		return (ECAPMODE);
-
 	/*
 	 * Compat to make pre-10.x ifconfig(8) operable.
 	 */