Message-ID: <45C654CC.6040202@FreeBSD.org>
Date: Sun, 04 Feb 2007 21:49:00 +0000
From: "Bruce M. Simpson"
To: Robert Watson
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/net if_tap.c if_tun.c src/share/man/man4 tap.4 tun.4
References: <200702041632.l14GWlwX033519@repoman.freebsd.org> <20070204202722.K91177@fledge.watson.org>
In-Reply-To: <20070204202722.K91177@fledge.watson.org>

Robert Watson wrote:
>
> Perhaps the tapclone privilege check should also check tapuopen, as
> the open check does?
>
You mean like this? Haven't tested this, but it feels right (let users create tap/tun interfaces if the user_open sysctl is enabled):-

Index: if_tap.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_tap.c,v retrieving revision 1.69 diff -u -p -r1.69 if_tap.c --- if_tap.c 4 Feb 2007 16:32:46 -0000 1.69 +++ if_tap.c 4 Feb 2007 21:48:04 -0000 @@ -340,11 +340,7 @@ tapclone(void *arg, struct ucred *cred, if (*dev != NULL) return; - /* - * If tap cloning is enabled, only the superuser can create - * an interface. - */ - if (!tapdclone || priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0) + if (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0) return; unit = 0;
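
Review bot: the replacement condition in tapclone() no longer tests `tapdclone`, so the switch that the removed line used to turn cloning off is ignored: with this hunk a caller holding PRIV_NET_IFCREATE, or any caller once `tapuopen` is set, gets past the check even when `tapdclone` is 0. If the intent is only to add the tapuopen exemption suggested in the quoted question, keep the first test and group the rest, e.g. `if (!tapdclone || (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0))`. The hunk also deletes the comment above the check without replacing it; a short comment stating who may create an interface under each sysctl setting would help, since `tapuopen` would now let unprivileged users create interfaces as well as open them.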