Date: Sun, 9 Nov 2003 15:09:05 -0800 (PST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Subject: PERFORCE change 41832 for review
Message-ID: <200311092309.hA9N95Ab042592@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=41832

Change 41832 by rwatson@rwatson_none on 2003/11/09 15:08:44

	Mix and match things a bit due to relatively recent IPv6 updates
	integrated previously. Revert slightly our capability checking to
	look more like the original suser checking (cache a privilege
	decision). I don't really like this, but for now it makes changes
	easier to merge while IPv6 code is in flux. Also now compiles...

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/netinet6/ip6_output.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/netinet6/ip6_output.c#7 (text+ko) ====

@@ -1423,7 +1423,7 @@ struct socket *so; struct sockopt *sopt; { - int optdatalen, uproto; + int privileged, optdatalen, uproto; void *optdata; struct inpcb *in6p = sotoinpcb(so); int error, optval; @@ -1442,8 +1442,9 @@ } error = optval = 0; + /* XXX: does CAP_NET_ADMIN or CAP_NET_RAW apply here? */ + privileged = (td == 0 || cap_check(td, CAP_NET_ADMIN)) ? 0 : 1; uproto = (int)so->so_proto->pr_protocol; - /* XXX: does CAP_NET_ADMIN or CAP_NET_RAW apply here? */ if (level == IPPROTO_IPV6) { switch (op) { @@ -1707,14 +1708,12 @@ * Check super-user privilege. * See comments for IPV6_RECVHOPOPTS. */ - if (td == NULL || - cap_check (td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); OPTSET2292(IN6P_HOPOPTS); break; case IPV6_2292DSTOPTS: - if (td == NULL || - cap_check (td, CAP_NET_ADMIN)) + if (!privileged) return (EPERM); OPTSET2292(IN6P_DSTOPTS|IN6P_RTHDRDSTOPTS); /* XXX */ break; @@ -1845,8 +1844,7 @@ /* XXX: passing privilege flag into another function */ error = ipsec6_set_policy(in6p, optname, req, - len, - td && !cap_check(td,CAP_NET_ADMIN))); + len, privileged); m_freem(m); } break; @@ -2163,7 +2161,7 @@ } /* set options specified by user. */ - if (td && !cap_check(td, CAP_NET_ADMIN)) + if (td != NULL && cap_check(td, CAP_NET_ADMIN) == 0) priv = 1; if ((error = ip6_setpktoptions(m, opt, NULL, priv, 1, so->so_proto->pr_protocol)) != 0) {
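Review bot: in the @@ -1442 hunk, `privileged = (td == 0 || cap_check(td, CAP_NET_ADMIN)) ? 0 : 1;` is evaluated at the top of ip6_ctloutput before `level` and `op` are examined, so every setsockopt/getsockopt on an IPv6 socket now performs a CAP_NET_ADMIN check, and under a policy that records capability denials an unprivileged caller setting an option that never consults `privileged` still generates a denial. The change description accepts this as a merge convenience; add a comment at the assignment saying the check is deliberately eager so nobody later "optimises" a denial away without understanding it, and plan to defer it to the first consumer once the IPv6 code settles. The relocated `/* XXX: does CAP_NET_ADMIN or CAP_NET_RAW apply here? */` now governs every site that reads `privileged`, so if the answer turns out to be CAP_NET_RAW for some options the cached value will have to be split again. Minor: `td == 0` here versus `td != NULL` in the @@ -2163 hunk; use NULL consistently.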
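Review bot: in the @@ -1707 hunk the comment above the IPV6_2292HOPOPTS test still says "Check super-user privilege." while the code now reads `if (!privileged)`, which is the CAP_NET_ADMIN result cached at function entry rather than a local superuser check; update the comment (and the one it refers to for IPV6_RECVHOPOPTS) to name the capability, otherwise a reader of this case cannot tell what actually gates the option. The `/* XXX */` trailing `OPTSET2292(IN6P_DSTOPTS|IN6P_RTHDRDSTOPTS);` is untouched here but says nothing about what is suspect; a word on what it marks would help the next merge.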
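Review bot: the @@ -1845 hunk also removes the unbalanced parenthesis in the old line `td && !cap_check(td,CAP_NET_ADMIN)));`, which appears to be the build break behind "Also now compiles..."; that is a functional fix bundled into a refactor and deserves its own sentence in the change description. The surviving `/* XXX: passing privilege flag into another function */` still applies: ipsec6_set_policy now receives the cached boolean `privileged` instead of `td`, so it can neither perform its own capability check nor have a denial attributed to the calling thread if its policy ever differs from CAP_NET_ADMIN.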
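Review bot: the @@ -2163 hunk recomputes the same decision as the cached `privileged` in ip6_ctloutput but spells it the opposite way, `td != NULL && cap_check(td, CAP_NET_ADMIN) == 0` here versus `(td == 0 || cap_check(td, CAP_NET_ADMIN)) ? 0 : 1` at 1445; two idioms for one check invite drift when the CAP_NET_ADMIN versus CAP_NET_RAW question is resolved. Suggest one small inline helper used at both sites, or at least the same expression form. The initialisation of `priv` is not visible in this hunk; the `priv = 1` assignment only covers the privileged branch, so it is worth confirming it is zeroed before this point.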
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200311092309.hA9N95Ab042592>
