Date: Mon, 4 Jul 2005 12:49:54 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 79545 for review Message-ID: <200507041249.j64CnsB0081351@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=79545
Change 79545 by rwatson@rwatson_paprika on 2005/07/04 12:49:03
Convert new suser() checks in the network stack to either CAP_NET_ADMIN or CAP_SYS_MODULE.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/contrib/dev/ath/freebsd/ah_osdep.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/contrib/pf/net/if_pfsync.c#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/net80211/ieee80211_freebsd.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/contrib/dev/ath/freebsd/ah_osdep.c#7 (text+ko) ====
@@ -182,7 +182,8 @@
 int error;
 if (enable) {
- error = suser(curthread);
+ /* XXXRW: Races on /tmp/ath_hal.log? */
+ error = cap_check(curthread, CAP_SYS_ADMIN);
 if (error == 0) {
 error = alq_open(&ath_hal_alq, ath_hal_logfile,
 curthread->td_ucred, ALQ_DEFAULT_CMODE,
==== //depot/projects/trustedbsd/sebsd/sys/contrib/pf/net/if_pfsync.c#5 (text+ko) ====
@@ -43,6 +43,9 @@
 #endif
 #include <sys/param.h>
+#ifdef __FreeBSD__
+#include <sys/capability.h>
+#endif
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/time.h>
@@ -1016,7 +1019,7 @@
 break;
 case SIOCSETPFSYNC:
 #ifdef __FreeBSD__
- if ((error = suser(curthread)) != 0)
+ if ((error = cap_check(curthread, CAP_NET_ADMIN)) != 0)
 #else
 if ((error = suser(p, p->p_acflag)) != 0)
 #endif
==== //depot/projects/trustedbsd/sebsd/sys/net80211/ieee80211_freebsd.c#2 (text+ko) ====
@@ -306,7 +306,8 @@
 #ifdef notyet
 struct thread *td = curthread;
- if (suser(td) == 0 && securelevel_gt(td->td_ucred, 0) == 0) {
+ if (cap_check(td, CAP_SYS_MODULE) == 0 &&
+ securelevel_gt(td->td_ucred, 0) == 0) {
 mtx_lock(&Giant);
 (void) linker_load_module(modname, NULL, NULL, NULL, NULL);
 mtx_unlock(&Giant);
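Review bot: In the ah_osdep.c hunk the new gate is `cap_check(curthread, CAP_SYS_ADMIN)`, a capability the change description does not list (it names only CAP_NET_ADMIN and CAP_SYS_MODULE), so the broadest of the three is introduced without a recorded reason; a word on why CAP_NET_ADMIN is not sufficient here would help. The added XXXRW comment asks about the log path but leaves the question open: `alq_open()` is still passed `curthread->td_ucred`, and with a capability check in place of suser() the caller is presumably no longer guaranteed to be uid 0, which matters if `ath_hal_logfile` really is the /tmp path the comment mentions. I would make the comment state the concern and the fix, e.g. `/* XXXRW: log is opened with the caller's cred at a predictable /tmp path; move it out of world-writable directories. */`. The enclosing function starts and ends outside the hunk.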
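Review bot: The `cap_check(td, CAP_SYS_MODULE)` call in the ieee80211_freebsd.c hunk sits inside `#ifdef notyet`, so it is never compiled and a missing `#include <sys/capability.h>` would go unnoticed; the if_pfsync.c section adds that include, while no include hunk is shown for this file (it may already be present outside the hunk). Since the block is dormant, a comment above the test would keep the intent clear for whoever enables it, e.g. `/* Autoload requires CAP_SYS_MODULE and securelevel <= 0. */`. The `(void)` cast on `linker_load_module()` also discards a load failure, which this commit does not change but which deserves a mention in the same comment. The enclosing function starts and ends outside the hunk.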