Date: Tue, 9 Dec 2003 07:52:16 -0800 (PST) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 43676 for review Message-ID: <200312091552.hB9FqG4R099661@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=43676 Change 43676 by cvance@cvance_sony on 2003/12/09 07:51:31 Cache privilege decision; use cap_check instead of suser Affected files ... .. //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 (text+ko) ==== @@ -79,7 +79,6 @@ #include <sys/time.h> #include <sys/kernel.h> #include <sys/syslog.h> -#include <sys/capability.h> #include <net/if.h> #include <net/if_types.h> @@ -335,8 +334,11 @@ struct in6_ifreq *ifr = (struct in6_ifreq *)data; struct in6_ifaddr *ia = NULL; struct in6_aliasreq *ifra = (struct in6_aliasreq *)data; + int privileged; - /* XXX: This function considers the caller privileged if td is NULL */ + privileged = 0; + if (td == NULL || !cap_check(td, CAP_NET_ADMIN)) + privileged++; switch (cmd) { case SIOCGETSGCNT_IN6: @@ -361,9 +363,9 @@ case SIOCSRTRFLUSH_IN6: case SIOCSDEFIFACE_IN6: case SIOCSIFINFO_FLAGS: - if (td != NULL && cap_check (td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); - /* fall through */ + /* FALLTHROUGH */ case OSIOCGIFINFO_IN6: case SIOCGIFINFO_IN6: case SIOCGDRLST_IN6: @@ -388,8 +390,8 @@ switch (cmd) { case SIOCSSCOPE6: - if (td != NULL && cap_check (td, CAP_NET_ADMIN)) - return(EPERM); + if (!privileged) + return (EPERM); return (scope6_set(ifp, (struct scope6_id *)ifr->ifr_ifru.ifru_scope_id)); case SIOCGSCOPE6: @@ -403,7 +405,7 @@ switch (cmd) { case SIOCALIFADDR: case SIOCDLIFADDR: - if (td != NULL && cap_check (td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); /* FALLTHROUGH */ case SIOCGLIFADDR: @@ -467,7 +469,7 @@ if (ifra->ifra_addr.sin6_family != AF_INET6 || ifra->ifra_addr.sin6_len != sizeof(struct sockaddr_in6)) return (EAFNOSUPPORT); - if (td != NULL && cap_check(td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); break; @@ -487,7 +489,7 @@ { struct in6_addrlifetime *lt; - if (td != NULL && cap_check(td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); if (ia == NULL) return (EADDRNOTAVAIL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200312091552.hB9FqG4R099661>