Message-Id: <200410121647.i9CGlPBw027133@repoman.freebsd.org>
From: Robert Watson
Date: Tue, 12 Oct 2004 16:47:25 +0000 (UTC)
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Subject: cvs commit: src/sys/netinet raw_ip.c

rwatson 2004-10-12 16:47:25 UTC

FreeBSD src repository

Modified files:
  sys/netinet raw_ip.c

Log:
When the access control on creating raw sockets was modified so that processes in jail could create raw sockets, additional access control checks were added to raw IP sockets to limit the ways in which those sockets could be used. Specifically, only the socket option IP_HDRINCL was permitted in rip_ctloutput(). Other socket options were protected by a call to suser(). This change was required to prevent processes in a Jail from modifying system properties such as multicast routing and firewall rule sets.

However, it also introduced a regression: processes that create a raw socket with root privilege, but then downgraded credential (i.e., a daemon giving up root, or a setuid process switching back to the real uid) could no longer issue other unprivileged generic IP socket option operations, such as IP_TOS, IP_TTL, and the multicast group membership options, which prevented multicast routing daemons (and some other tools) from operating correctly.

This change pushes the access control decision down to the granularity of individual socket options, rather than all socket options, on raw IP sockets. When rip_ctloutput() doesn't implement an option, it will now pass the request directly to in_control() without an access control check. This should restore the functionality of the generic IP socket options for raw sockets in the above-described scenarios, which may be confirmed with the ipsockopt regression test.

RELENG_5 candidate.

Reviewed by: csjp

Revision  Changes  Path
1.145     +41 -20  src/sys/netinet/raw_ip.c
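
The two access control policies described in the commit message, as a userland C model added here; it is not the code from raw_ip.c and not part of the original message. The option classes, the `cred` structure and the `model_*` functions are hypothetical stand-ins, and the kernel's real option numbers and handlers are not reproduced.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed option classes for this model, not the kernel's option numbers. */
enum opt { OPT_HDRINCL, OPT_FIREWALL, OPT_MROUTE,   /* handled by the raw layer */
           OPT_TOS, OPT_TTL, OPT_ADD_MEMBERSHIP };  /* generic IP options */

struct cred { bool privileged; };  /* true only if a suser()-style check passes */

/* Stand-in for suser(): 0 when privileged, EPERM otherwise. */
static int model_suser(const struct cred *c) { return c->privileged ? 0 : EPERM; }

/* Stand-in for the generic IP option handler, which has no privilege check. */
static int model_generic_ip(enum opt o)
{
    return (o == OPT_TOS || o == OPT_TTL || o == OPT_ADD_MEMBERSHIP) ? 0 : ENOPROTOOPT;
}

/* Before: one check guards every option except IP_HDRINCL. */
int model_before(const struct cred *c, enum opt o)
{
    int error;

    if (o != OPT_HDRINCL && (error = model_suser(c)) != 0)
        return error;
    if (o == OPT_HDRINCL || o == OPT_FIREWALL || o == OPT_MROUTE)
        return 0;
    return model_generic_ip(o);
}

/* After: only the options that change system state are checked. */
int model_after(const struct cred *c, enum opt o)
{
    switch (o) {
    case OPT_HDRINCL:  return 0;
    case OPT_FIREWALL:
    case OPT_MROUTE:   return model_suser(c);       /* per-option privilege check */
    default:           return model_generic_ip(o);  /* passed down unchecked */
    }
}

int main(void)
{
    struct cred dropped = { false };  /* e.g. a daemon that gave up root */
    printf("IP_TOS:   before=%d after=%d\n", model_before(&dropped, OPT_TOS), model_after(&dropped, OPT_TOS));
    printf("firewall: before=%d after=%d\n", model_before(&dropped, OPT_FIREWALL), model_after(&dropped, OPT_FIREWALL));
    return 0;
}
```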