Date:      Fri, 29 May 2026 23:11:32 +0000
From:      Ed Maste <emaste@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 96dbc9a8de10 - main - netlink: Check permissions for interface flag changes
Message-ID:  <6a1a1d24.43c1e.1bfef5c@gitrepo.freebsd.org>


The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=96dbc9a8de105065b6b1e55702aa648319176587

commit 96dbc9a8de105065b6b1e55702aa648319176587
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-29 15:52:03 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-05-29 23:11:21 +0000

    netlink: Check permissions for interface flag changes
    
    Reviewed by:    pouria, melifaro
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D57332
---
 sys/netlink/route/iface_drivers.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sys/netlink/route/iface_drivers.c b/sys/netlink/route/iface_drivers.c
index d26e92044ff5..79daa4215dba 100644
--- a/sys/netlink/route/iface_drivers.c
+++ b/sys/netlink/route/iface_drivers.c
@@ -83,6 +83,10 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
 
 	if ((lattrs->ifi_change & IFF_UP) != 0 || lattrs->ifi_change == 0) {
 		/* Request to up or down the interface */
+		if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+			nlmsg_report_err_msg(npt, "Not enough privileges to set flags");
+			return (EPERM);
+		}
 		if (lattrs->ifi_flags & IFF_UP)
 			if_up(ifp);
 		else
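Review bot: the new PRIV_NET_SETIFFLAGS check sits inside a block that is also entered when `lattrs->ifi_change == 0`, so an unprivileged request that leaves the change mask at zero is rejected with "Not enough privileges to set flags" even if the caller supplied no flag bits it wanted changed. If a zero mask is meant to count as a flag change, say so in the existing "Request to up or down the interface" comment; the commit message has no body that explains the intended behaviour for that case.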
@@ -104,7 +108,7 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
 	}
 
 	if ((lattrs->ifi_change & IFF_PROMISC) != 0 ||
-	    lattrs->ifi_change == 0)
+	    lattrs->ifi_change == 0) {
 		/*
 		 * When asking for IFF_PROMISC, set permanent flag instead
 		 * (IFF_PPROMISC) as we have no way of doing promiscuity
@@ -112,7 +116,12 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
 		 * function either sets or unsets IFF_PROMISC, and ifi_change
 		 * is usually set to 0xFFFFFFFF.
 		 */
+		if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+			nlmsg_report_err_msg(npt, "Not enough privileges to set promisc");
+			return (EPERM);
+		}
 		if_setppromisc(ifp, (lattrs->ifi_flags & IFF_PROMISC) != 0);
+	}
 
 	if (lattrs->ifla_address != NULL) {
 		if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) {
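Review bot: the check added before `if_setppromisc()` tests the same privilege, PRIV_NET_SETIFFLAGS, as the one added in the IFF_UP block, and for `ifi_change == 0` it cannot fail here because the earlier check has already returned EPERM. The "set promisc" message is therefore only reachable when IFF_PROMISC is in the mask and IFF_UP is not. Consider one check hoisted above both blocks, guarded by `(lattrs->ifi_change & (IFF_UP | IFF_PROMISC)) != 0 || lattrs->ifi_change == 0`, so the two copies cannot drift apart and no flag is modified before a later check fails.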

