Date:      Tue, 9 Dec 2003 07:52:16 -0800 (PST)
From:      Chris Vance <cvance@FreeBSD.org>
To:        Perforce Change Reviews <perforce@freebsd.org>
Subject:   PERFORCE change 43676 for review
Message-ID:  <200312091552.hB9FqG4R099661@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=43676

Change 43676 by cvance@cvance_sony on 2003/12/09 07:51:31

	Cache privilege decision; use cap_check instead of suser

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 (text+ko) ====

@@ -79,7 +79,6 @@
 #include <sys/time.h>
 #include <sys/kernel.h>
 #include <sys/syslog.h>
-#include <sys/capability.h>
 
 #include <net/if.h>
 #include <net/if_types.h>
@@ -335,8 +334,11 @@
 	struct	in6_ifreq *ifr = (struct in6_ifreq *)data;
 	struct	in6_ifaddr *ia = NULL;
 	struct	in6_aliasreq *ifra = (struct in6_aliasreq *)data;
+	int privileged;
 
-	/* XXX: This function considers the caller privileged if td is NULL */
+	privileged = 0;
+	if (td == NULL || !cap_check(td, CAP_NET_ADMIN))
+		privileged++;
 
 	switch (cmd) {
 	case SIOCGETSGCNT_IN6:
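Review bot: The privilege test now runs once ahead of the first `switch (cmd)`, so `cap_check(td, CAP_NET_ADMIN)` is evaluated for every ioctl, including the get-style commands (for example `SIOCGIFINFO_IN6`) that never tested privilege before this change. If cap_check records or logs denials, which is plausible under a policy module but not visible here, unprivileged read-only requests would start producing spurious denial records; confirm it is side-effect free, or compute the value only on the paths that need it. The hunk also drops the comment noting that a NULL td is treated as privileged while keeping that fail-open behaviour, so I would keep it beside the new test, e.g. `/* XXX: td == NULL is treated as privileged */`, and set the flag directly with `privileged = (td == NULL || cap_check(td, CAP_NET_ADMIN) == 0);`. The first hunk removes `#include <sys/capability.h>` although cap_check and CAP_NET_ADMIN are still used, so the declarations presumably come from another header and that is worth confirming. The enclosing function begins and ends outside this hunk.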
@@ -361,9 +363,9 @@
 	case SIOCSRTRFLUSH_IN6:
 	case SIOCSDEFIFACE_IN6:
 	case SIOCSIFINFO_FLAGS:
-		if (td != NULL && cap_check (td, CAP_NET_ADMIN))
+		if (!privileged)
 			return (EPERM);
-		/* fall through */
+		/* FALLTHROUGH */
 	case OSIOCGIFINFO_IN6:
 	case SIOCGIFINFO_IN6:
 	case SIOCGDRLST_IN6:
@@ -388,8 +390,8 @@
 
 	switch (cmd) {
 	case SIOCSSCOPE6:
-		if (td != NULL && cap_check (td, CAP_NET_ADMIN))
-			return(EPERM);
+		if (!privileged)
+			return (EPERM);
 		return (scope6_set(ifp,
 		    (struct scope6_id *)ifr->ifr_ifru.ifru_scope_id));
 	case SIOCGSCOPE6:
@@ -403,7 +405,7 @@
 	switch (cmd) {
 	case SIOCALIFADDR:
 	case SIOCDLIFADDR:
-		if (td != NULL && cap_check (td, CAP_NET_ADMIN))
+		if (!privileged)
 			return (EPERM);
 		/* FALLTHROUGH */
 	case SIOCGLIFADDR:
@@ -467,7 +469,7 @@
 		if (ifra->ifra_addr.sin6_family != AF_INET6 ||
 		    ifra->ifra_addr.sin6_len != sizeof(struct sockaddr_in6))
 			return (EAFNOSUPPORT);
-		if (td != NULL && cap_check(td, CAP_NET_ADMIN))
+		if (!privileged)
 			return (EPERM);
 
 		break;
@@ -487,7 +489,7 @@
 	    {
 		struct in6_addrlifetime *lt;
 
-		if (td != NULL && cap_check(td, CAP_NET_ADMIN))
+		if (!privileged)
 			return (EPERM);
 		if (ia == NULL)
 			return (EADDRNOTAVAIL);


