Date: Wed, 14 Mar 2007 13:12:59 +0100
From: "Frank Behrens" <frank@pinky.sax.de>
To: "Bruce M. Simpson" <bms@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: tap(4) should go UP if opened
Message-ID: <200703141213.l2ECDntN087975@pinky.frank-behrens.de>
In-Reply-To: <45F15378.3020207@FreeBSD.org>
References: <200703091036.l29AawwJ005466@pinky.frank-behrens.de>

Bruce M. Simpson <bms@freebsd.org> wrote on 9 Mar 2007 12:30:
> However, we also support the creation of tap/tun instances by
> non-super-users, so there is motivation for the change. Configuring a
> tap interface to up by a non-superuser should only be permitted if the
> interface itself was created by a non-superuser, and if
> net.link.tap.user_open is set to 1.
>
> A more involved patch is needed to do this right for all cases -- we
> should not do this by default.

After thinking about the problem I agree with you and propose the following patch:

--- sys/net/if_tap.c.orig Thu Mar 8 19:10:59 2007 +++ sys/net/if_tap.c Wed Mar 14 12:35:58 2007 @@ -501,6 +501,8 @@ s = splimp(); ifp->if_drv_flags |= IFF_DRV_RUNNING; ifp->if_drv_flags &= ~IFF_DRV_OACTIVE; + if (tapuopen) + ifp->if_flags |= IFF_UP; splx(s); TAPDEBUG("%s is open. minor = %#x\n", ifp->if_xname, minor(dev));

Rationale:
For transmitting packets via a tap(4) device (at least) two conditions have to be met:
1. The control device must be opened by a process.
2. The ethernet interface must be UP.

For 1. we allow non-root processes the access, when
a) sysctl net.link.tap.user_open=1 AND
b) /dev/tapx has sufficient permissions

If we have no possibility to mark the interface as UP for the non-root process the net.link.tap.user_open=1 is useless, because we can not transmit any packets.

With the patch the interface goes UP only when the administrator allowed non-root user access.

Regards,
Frank

--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
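
Review bot: The added `if (tapuopen)` test in the @@ -501,6 +501,8 @@ hunk keys on the global net.link.tap.user_open sysctl, not on who is opening the device or who created the interface, so once the sysctl is 1 every open sets IFF_UP, including an open by root. That is broader than the condition quoted in the same message (permitted only if the interface itself was created by a non-superuser and net.link.tap.user_open is 1), and it changes behaviour for an administrator who opens the device while expecting the interface to stay down until it is configured. Consider recording at creation time whether the interface was created by an unprivileged user and testing that flag together with tapuopen before `ifp->if_flags |= IFF_UP;`. The patch touches only sys/net/if_tap.c; tap(4) should also document that user_open now implies the interface is marked UP on open.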