Date: Tue, 28 Apr 2026 16:05:10 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set Message-ID: <69f0dab6.44d59.7949e6e5@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch stable/15 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-04-20 06:36:17 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-04-28 15:33:57 +0000 pf: only allow a subset of netlink calls when securelevel is set Extend the genl_cmd struct to allow calls to also carry a securelevel. If that's set compare the current securelevel to only allow the call if the level is lower than that. If no value is specified continue to allow calls in any securelevel, as before. This allows us to easily implement the same securelevel restrictions for pf as we have for the corresponding ioctls. Reviewed by: glebius MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D56390 (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744) --- sys/netlink/netlink_ctl.h | 3 +++ sys/netlink/netlink_generic.c | 7 +++++++ sys/netpfil/pf/pf_nl.c | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h index 7f43e0f2c25e..4740d306dd54 100644 --- a/sys/netlink/netlink_ctl.h +++ b/sys/netlink/netlink_ctl.h @@ -89,6 +89,9 @@ struct genl_cmd { uint32_t cmd_flags; uint32_t cmd_priv; uint32_t cmd_num; + + /* Disallow this call from this level up (inclusive). */ + uint32_t cmd_securelevel; }; uint16_t genl_register_family(const char *family_name, size_t hdrsize, diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index d20ec4c7545f..3a73ecc0b339 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -150,6 +150,13 @@ genl_handle_message(struct nlmsghdr *hdr, struct nl_pstate *npt) return (EPERM); } + if (cmd->cmd_securelevel > 0 && + securelevel_ge(nlp_get_cred(nlp), cmd->cmd_securelevel)) { + NLP_LOG(LOG_DEBUG, nlp, "family %s: cmd %d securelevel_gt() failed", + gf->family_name, ghdr->cmd); + return (EPERM); + } + NLP_LOG(LOG_DEBUG2, nlp, "received family %s cmd %s(%d) len %d", gf->family_name, cmd->cmd_name, ghdr->cmd, hdr->nlmsg_len); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index 9fc3c67bfb58..168c6ac63d90 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -2241,6 +2241,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getstates, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETCREATORS, @@ -2248,6 +2249,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getcreators, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_START, @@ -2255,6 +2257,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_start, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_STOP, @@ -2262,6 +2265,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_stop, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADDRULE, @@ -2269,6 +2273,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_addrule, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GETRULES, @@ -2276,6 +2281,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrules, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETRULE, @@ -2283,6 +2289,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrule, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLRSTATES, @@ -2290,6 +2297,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_KILLSTATES, @@ -2297,6 +2305,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_kill_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_STATUSIF, @@ -2304,6 +2313,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_statusif, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_STATUS, @@ -2311,6 +2321,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_status, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_STATUS, @@ -2318,6 +2329,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_status, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_NATLOOK, @@ -2325,6 +2337,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_natlook, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_DEBUG, @@ -2332,6 +2345,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_debug, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_TIMEOUT, @@ -2339,6 +2353,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_timeout, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TIMEOUT, @@ -2346,6 +2361,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_timeout, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_LIMIT, @@ -2353,6 +2369,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_limit, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_LIMIT, @@ -2360,6 +2377,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_limit, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_BEGIN_ADDRS, @@ -2367,6 +2385,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_begin_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_ADD_ADDR, @@ -2374,6 +2393,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_addr, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDRS, @@ -2381,6 +2401,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addrs, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDR, @@ -2388,6 +2409,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addr, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESETS, @@ -2395,6 +2417,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_rulesets, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESET, @@ -2402,6 +2425,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_ruleset, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_SRCNODES, @@ -2409,6 +2433,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_srcnodes, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_TABLES, @@ -2416,6 +2441,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tables, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADD_TABLE, @@ -2423,6 +2449,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_DEL_TABLE, @@ -2430,6 +2457,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_del_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TSTATS, @@ -2437,6 +2465,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_tstats, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_TSTATS, @@ -2444,6 +2473,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tstats, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_ADDRS, @@ -2451,6 +2481,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_ADD_ADDR, @@ -2458,6 +2489,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_add_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_DEL_ADDR, @@ -2465,6 +2497,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_del_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, };home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69f0dab6.44d59.7949e6e5>