mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-15 04:43:53 +00:00
Re-enable network ioctls in capability mode
This reverts a portion of 274579831b
("capsicum: Limit socket
operations in capability mode") as at least rtsol and dhcpcd rely on
being able to configure network interfaces while in capability mode.
Reported by: bapt, Greg V
Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
694407528f
commit
8e8f1cc9bb
|
@ -227,6 +227,10 @@ FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) {
|
||||||
|
|
||||||
// Interface configuration ioctls are not permitted in capability
|
// Interface configuration ioctls are not permitted in capability
|
||||||
// mode.
|
// mode.
|
||||||
|
//
|
||||||
|
// This test is disabled for now as the corresponding kernel change was
|
||||||
|
// disabled.
|
||||||
|
#if 0
|
||||||
#ifdef __FreeBSD__
|
#ifdef __FreeBSD__
|
||||||
struct if_clonereq req;
|
struct if_clonereq req;
|
||||||
|
|
||||||
|
@ -238,6 +242,7 @@ FORK_TEST_F(WithFiles, AllowedSocketSyscallsIfRoot) {
|
||||||
|
|
||||||
free(req.ifcr_buffer);
|
free(req.ifcr_buffer);
|
||||||
#endif
|
#endif
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_SEND_RECV_MMSG
|
#ifdef HAVE_SEND_RECV_MMSG
|
||||||
|
|
|
@ -271,7 +271,7 @@ soo_ioctl(struct file *fp, u_long cmd, void *data, struct ucred *active_cred,
|
||||||
error = ifioctl(so, cmd, data, td);
|
error = ifioctl(so, cmd, data, td);
|
||||||
else if (IOCGROUP(cmd) == 'r') {
|
else if (IOCGROUP(cmd) == 'r') {
|
||||||
CURVNET_SET(so->so_vnet);
|
CURVNET_SET(so->so_vnet);
|
||||||
error = rtioctl_fib(cmd, data, so->so_fibnum, td);
|
error = rtioctl_fib(cmd, data, so->so_fibnum);
|
||||||
CURVNET_RESTORE();
|
CURVNET_RESTORE();
|
||||||
} else {
|
} else {
|
||||||
CURVNET_SET(so->so_vnet);
|
CURVNET_SET(so->so_vnet);
|
||||||
|
|
|
@ -2968,15 +2968,6 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
|
||||||
bool shutdown;
|
bool shutdown;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
|
||||||
* Interface ioctls access a global namespace. There is currently no
|
|
||||||
* capability-based representation for interfaces, so the configuration
|
|
||||||
* interface is simply unaccessible from capability mode. If necessary,
|
|
||||||
* select ioctls may be permitted here.
|
|
||||||
*/
|
|
||||||
if (IN_CAPABILITY_MODE(td))
|
|
||||||
return (ECAPMODE);
|
|
||||||
|
|
||||||
CURVNET_SET(so->so_vnet);
|
CURVNET_SET(so->so_vnet);
|
||||||
#ifdef VIMAGE
|
#ifdef VIMAGE
|
||||||
/* Make sure the VNET is stable. */
|
/* Make sure the VNET is stable. */
|
||||||
|
|
|
@ -43,7 +43,6 @@
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
#include <sys/capsicum.h>
|
|
||||||
#include <sys/malloc.h>
|
#include <sys/malloc.h>
|
||||||
#include <sys/mbuf.h>
|
#include <sys/mbuf.h>
|
||||||
#include <sys/socket.h>
|
#include <sys/socket.h>
|
||||||
|
@ -246,10 +245,8 @@ rib_add_redirect(u_int fibnum, struct sockaddr *dst, struct sockaddr *gateway,
|
||||||
* Routing table ioctl interface.
|
* Routing table ioctl interface.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
rtioctl_fib(u_long req, caddr_t data, u_int fibnum, struct thread *td)
|
rtioctl_fib(u_long req, caddr_t data, u_int fibnum)
|
||||||
{
|
{
|
||||||
if (IN_CAPABILITY_MODE(td))
|
|
||||||
return (ECAPMODE);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If more ioctl commands are added here, make sure the proper
|
* If more ioctl commands are added here, make sure the proper
|
||||||
|
|
|
@ -431,13 +431,11 @@ void rt_updatemtu(struct ifnet *);
|
||||||
|
|
||||||
void rt_flushifroutes(struct ifnet *ifp);
|
void rt_flushifroutes(struct ifnet *ifp);
|
||||||
|
|
||||||
struct thread;
|
|
||||||
|
|
||||||
/* XXX MRT NEW VERSIONS THAT USE FIBs
|
/* XXX MRT NEW VERSIONS THAT USE FIBs
|
||||||
* For now the protocol indepedent versions are the same as the AF_INET ones
|
* For now the protocol indepedent versions are the same as the AF_INET ones
|
||||||
* but this will change..
|
* but this will change..
|
||||||
*/
|
*/
|
||||||
int rtioctl_fib(u_long, caddr_t, u_int, struct thread *);
|
int rtioctl_fib(u_long, caddr_t, u_int);
|
||||||
int rib_lookup_info(uint32_t, const struct sockaddr *, uint32_t, uint32_t,
|
int rib_lookup_info(uint32_t, const struct sockaddr *, uint32_t, uint32_t,
|
||||||
struct rt_addrinfo *);
|
struct rt_addrinfo *);
|
||||||
void rib_free_info(struct rt_addrinfo *info);
|
void rib_free_info(struct rt_addrinfo *info);
|
||||||
|
|
|
@ -36,7 +36,6 @@
|
||||||
__FBSDID("$FreeBSD$");
|
__FBSDID("$FreeBSD$");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/capsicum.h>
|
|
||||||
#include <sys/eventhandler.h>
|
#include <sys/eventhandler.h>
|
||||||
#include <sys/systm.h>
|
#include <sys/systm.h>
|
||||||
#include <sys/sockio.h>
|
#include <sys/sockio.h>
|
||||||
|
@ -238,9 +237,6 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
|
||||||
if (ifp == NULL)
|
if (ifp == NULL)
|
||||||
return (EADDRNOTAVAIL);
|
return (EADDRNOTAVAIL);
|
||||||
|
|
||||||
if (td != NULL && IN_CAPABILITY_MODE(td))
|
|
||||||
return (ECAPMODE);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Filter out 4 ioctls we implement directly. Forward the rest
|
* Filter out 4 ioctls we implement directly. Forward the rest
|
||||||
* to specific functions and ifp->if_ioctl().
|
* to specific functions and ifp->if_ioctl().
|
||||||
|
|
|
@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
|
||||||
#include "opt_inet6.h"
|
#include "opt_inet6.h"
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/capsicum.h>
|
|
||||||
#include <sys/eventhandler.h>
|
#include <sys/eventhandler.h>
|
||||||
#include <sys/errno.h>
|
#include <sys/errno.h>
|
||||||
#include <sys/jail.h>
|
#include <sys/jail.h>
|
||||||
|
@ -255,9 +254,6 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
|
||||||
int error;
|
int error;
|
||||||
u_long ocmd = cmd;
|
u_long ocmd = cmd;
|
||||||
|
|
||||||
if (td != NULL && IN_CAPABILITY_MODE(td))
|
|
||||||
return (ECAPMODE);
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Compat to make pre-10.x ifconfig(8) operable.
|
* Compat to make pre-10.x ifconfig(8) operable.
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in a new issue