56 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g4ldM0N5Dz3QCh for ; Tue, 28 Apr 2026 16:05:11 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777392311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y5cXg6Of5Otu1bLRfCnYWV6Qecn81Bqc1K+RT/ItDN8=; b=ecG4Y5JQwVU+9hxPSa9eN3JoTWKy2ahZj8iZj9OAANfdvUMmsJCbFjagDr9pWoQMMMDLl7 ATab2pzN+qjXb4hSxunZt8rGfaJceuqeHzh1+dXZvTTGPnAQl7uwyxlYYYg3dKN7Zi1OcC oKqTZRoTnvbBF6QAjtdwA3rLsC+NNnaW96MS2hN+Noq4Q4OhOctAXHCLIjE+3aBdTYkiUu PZHPMc9ToEoRJt2PaQ6fJaab466dKT+0xQvrfN9ca23xbVU/t9/Qv00mXiOfkXXEEaYXB0 JD7l6SyUmr+6AiA/ennRLfUF8BGxVYuTMQ2OXkaBC29Y7zOrn7a5hvWiAwawXQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777392311; a=rsa-sha256; cv=none; b=iDqIvkjwrgtqCHyHNhha5Ghw/i4zv1Wol0CBFBDJxllEhMJEciaIIQXeuJLtTLTHrkG+KM qH9u6TqlQUXHWBMO5xy8aUjxLlVPpYpye/hRhEzX6EJJA8g66TjIs3XUrbbfTBvcXVN6rW J//3OSWWckTbhJQa1ELc+FnLdNtJe2IEMEFKYggohpykqald9JuneVlxR7QZn5xNb64a2V /cIRbBljlhjdIzRapNEtxGTEwGoc+smn/RF6YlaVLVD1osmpdCP/sAiXr7PWt1eAAof72u x5w+g45BaGJ86q/ksuzbemkJwRUGL/BQsmyZJALhb51bZ48YwDzcqNBWg6j0iQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777392311; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Y5cXg6Of5Otu1bLRfCnYWV6Qecn81Bqc1K+RT/ItDN8=; b=hsEiyPmMOYhmXjgMjCbTejC658sggJSnm303yayPstaWRHK/nyvO8302v4bnaL2/dl+j0R XJ034ppKDuC5PakmhrrbyTwYNBXFoVuxg2uh8dmaBjR+XEebNkiKx15BPOwuLflG6ozjDW RtbLgHGIL6NAJZKMX6gis2OYULxikh4t1NJ9LF0qWcM86YaTvRdxTTImTTmQZZ4h63Miyy Z7oyajTA5LFBf8CraFqc2fSwLQ1tBzSxyZFVPYWTlv6jtW4CPBckDiivsegrVY3KV2HFvk EMJPKhg2W77Fn5QjirgaTxZLeBAS/F2m7EkyJ2c5NLbHRWSEmy9Ood/IhKT2zg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4g4ldL6KbBz11CK for ; Tue, 28 Apr 2026 16:05:10 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from git (uid 1279) (envelope-from git@FreeBSD.org) id 44d59 by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org); Tue, 28 Apr 2026 16:05:10 +0000 To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kristof Provost Subject: git: 47c12f20bf58 - stable/15 - pf: only allow a subset of netlink calls when securelevel is set List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/stable/15 X-Git-Reftype: branch X-Git-Commit: 47c12f20bf58b69e7ab1707e6e705907ad0d277e Auto-Submitted: auto-generated Date: Tue, 28 Apr 2026 16:05:10 +0000 Message-Id: <69f0dab6.44d59.7949e6e5@gitrepo.freebsd.org> The branch stable/15 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=47c12f20bf58b69e7ab1707e6e705907ad0d277e commit 47c12f20bf58b69e7ab1707e6e705907ad0d277e Author: Kristof Provost AuthorDate: 2026-04-20 06:36:17 +0000 Commit: Kristof Provost CommitDate: 2026-04-28 15:33:57 +0000 pf: only allow a subset of netlink calls when securelevel is set Extend the genl_cmd struct to allow calls to also carry a securelevel. If that's set compare the current securelevel to only allow the call if the level is lower than that. If no value is specified continue to allow calls in any securelevel, as before. This allows us to easily implement the same securelevel restrictions for pf as we have for the corresponding ioctls. Reviewed by: glebius MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D56390 (cherry picked from commit 9933bdcb12641839b7396ccd0c6b8a2d55d12744) --- sys/netlink/netlink_ctl.h | 3 +++ sys/netlink/netlink_generic.c | 7 +++++++ sys/netpfil/pf/pf_nl.c | 33 +++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h index 7f43e0f2c25e..4740d306dd54 100644 --- a/sys/netlink/netlink_ctl.h +++ b/sys/netlink/netlink_ctl.h @@ -89,6 +89,9 @@ struct genl_cmd { uint32_t cmd_flags; uint32_t cmd_priv; uint32_t cmd_num; + + /* Disallow this call from this level up (inclusive). */ + uint32_t cmd_securelevel; }; uint16_t genl_register_family(const char *family_name, size_t hdrsize, diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c index d20ec4c7545f..3a73ecc0b339 100644 --- a/sys/netlink/netlink_generic.c +++ b/sys/netlink/netlink_generic.c @@ -150,6 +150,13 @@ genl_handle_message(struct nlmsghdr *hdr, struct nl_pstate *npt) return (EPERM); } + if (cmd->cmd_securelevel > 0 && + securelevel_ge(nlp_get_cred(nlp), cmd->cmd_securelevel)) { + NLP_LOG(LOG_DEBUG, nlp, "family %s: cmd %d securelevel_gt() failed", + gf->family_name, ghdr->cmd); + return (EPERM); + } + NLP_LOG(LOG_DEBUG2, nlp, "received family %s cmd %s(%d) len %d", gf->family_name, cmd->cmd_name, ghdr->cmd, hdr->nlmsg_len); diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c index 9fc3c67bfb58..168c6ac63d90 100644 --- a/sys/netpfil/pf/pf_nl.c +++ b/sys/netpfil/pf/pf_nl.c @@ -2241,6 +2241,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getstates, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETCREATORS, @@ -2248,6 +2249,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getcreators, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_START, @@ -2255,6 +2257,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_start, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_STOP, @@ -2262,6 +2265,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_stop, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADDRULE, @@ -2269,6 +2273,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_addrule, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GETRULES, @@ -2276,6 +2281,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrules, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GETRULE, @@ -2283,6 +2289,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_getrule, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLRSTATES, @@ -2290,6 +2297,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_KILLSTATES, @@ -2297,6 +2305,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_kill_states, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_STATUSIF, @@ -2304,6 +2313,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_statusif, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_STATUS, @@ -2311,6 +2321,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_status, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_STATUS, @@ -2318,6 +2329,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_status, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_NATLOOK, @@ -2325,6 +2337,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_natlook, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_DEBUG, @@ -2332,6 +2345,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_debug, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_SET_TIMEOUT, @@ -2339,6 +2353,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_timeout, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TIMEOUT, @@ -2346,6 +2361,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_timeout, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_SET_LIMIT, @@ -2353,6 +2369,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_set_limit, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_LIMIT, @@ -2360,6 +2377,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_limit, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_BEGIN_ADDRS, @@ -2367,6 +2385,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_begin_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_ADD_ADDR, @@ -2374,6 +2393,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_addr, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDRS, @@ -2381,6 +2401,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addrs, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_ADDR, @@ -2388,6 +2409,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_addr, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESETS, @@ -2395,6 +2417,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_rulesets, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_RULESET, @@ -2402,6 +2425,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_ruleset, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_GET_SRCNODES, @@ -2409,6 +2433,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_srcnodes, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLEAR_TABLES, @@ -2416,6 +2441,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tables, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_ADD_TABLE, @@ -2423,6 +2449,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_add_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_DEL_TABLE, @@ -2430,6 +2457,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_del_table, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 2, }, { .cmd_num = PFNL_CMD_GET_TSTATS, @@ -2437,6 +2465,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_get_tstats, .cmd_flags = GENL_CMD_CAP_DUMP | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_TSTATS, @@ -2444,6 +2473,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_tstats, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_CLR_ADDRS, @@ -2451,6 +2481,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_clear_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_ADD_ADDR, @@ -2458,6 +2489,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_add_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, { .cmd_num = PFNL_CMD_TABLE_DEL_ADDR, @@ -2465,6 +2497,7 @@ static const struct genl_cmd pf_cmds[] = { .cmd_cb = pf_handle_table_del_addrs, .cmd_flags = GENL_CMD_CAP_DO | GENL_CMD_CAP_HASPOL, .cmd_priv = PRIV_NETINET_PF, + .cmd_securelevel = 3, }, };