Date: Mon, 9 Jun 2025 23:48:02 GMT From: Konstantin Belousov <kib@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: e17485c2bdc1 - main - inpcb: provide policy cr_canexport_ktlskeys() and the privilege PRIV_NETINET_KTLSKEYS Message-ID: <202506092348.559Nm2Ma088791@gitrepo.freebsd.org>
The branch main has been updated by kib:
URL: https://cgit.FreeBSD.org/src/commit/?id=e17485c2bdc164a73c72aa73006025a31983e20b
commit e17485c2bdc164a73c72aa73006025a31983e20b
Author: Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2025-06-07 13:49:11 +0000
Commit: Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2025-06-09 23:47:13 +0000
inpcb: provide policy cr_canexport_ktlskeys() and the privilege PRIV_NETINET_KTLSKEYS
The policy defines the visibility of the ktls session keys to a thread.
Reviewed by: markj
Sponsored by: NVidia networking
Differential revision: https://reviews.freebsd.org/D50653
---
sys/netinet/in_prot.c | 14 ++++++++++++++
sys/netinet/in_systm.h | 2 ++
sys/sys/priv.h | 1 +
3 files changed, 17 insertions(+)
diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c
index 204f4f60456e..d81f24d6c040 100644
--- a/sys/netinet/in_prot.c
+++ b/sys/netinet/in_prot.c
@@ -38,6 +38,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
 #include <sys/jail.h>
@@ -72,3 +73,16 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
 return (0);
 }
+
+bool
+cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp)
+{
+ int error;
+
+ if (cr_canseeinpcb(td->td_ucred, inp) == 0 &&
+ cr_xids_subset(td->td_ucred, inp->inp_cred))
+ return (true);
+ error = priv_check(td, PRIV_NETINET_KTLSKEYS);
+ return (error == 0);
+
+}
diff --git a/sys/netinet/in_systm.h b/sys/netinet/in_systm.h
index 2f057b962d79..e2f553ec461c 100644
--- a/sys/netinet/in_systm.h
+++ b/sys/netinet/in_systm.h
@@ -58,8 +58,10 @@ typedef u_int32_t n_time; /* ms since 00:00 UTC, byte rev */
 #ifdef _KERNEL
 struct inpcb;
 struct ucred;
+struct thread;
 int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
+bool cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp);
 uint32_t iptime(void);
 #endif
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 9a1886454d86..1f73877ab450 100644
--- a/sys/sys/priv.h
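Review bot: cr_canexport_ktlskeys() in the second in_prot.c hunk carries no comment describing the policy it implements, although the commit message states one; a block comment above the definition along the lines of `/* A thread may read a socket's ktls session keys when it may see the inpcb and cr_xids_subset() accepts its credentials against the socket's, or otherwise when it holds PRIV_NETINET_KTLSKEYS. */` would let callers judge the check without reading the helpers. Two style points in the same hunk: the empty added line immediately before `+}` looks unintentional, and the `error` temporary can be folded into `return (priv_check(td, PRIV_NETINET_KTLSKEYS) == 0);`. Note also that priv_check() is consulted only when the credential test fails, so a thread that passes both helpers exports keys without any privilege check at all; presumably intended, but worth stating in the comment so later readers do not add the privilege as a second gate by mistake.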
+++ b/sys/sys/priv.h
@@ -406,6 +406,7 @@
 #define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
 #define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
 #define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
+#define PRIV_NETINET_KTLSKEYS 508 /* Read ktls session keys. */
 /*
 * Placeholders for IPX/SPX privileges, not supported any more.
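Review bot: Nothing in this commit grants PRIV_NETINET_KTLSKEYS inside a jail; the diffstat touches only the three files shown, and as far as I recall prison_priv_check() in sys/kern/kern_jail.c denies any privilege it does not explicitly list, so for a jailed thread the priv_check() in cr_canexport_ktlskeys() fails and only the credential path remains. That is the conservative default for key material, but the header comment could record it so the omission reads as deliberate, e.g. `/* Read ktls session keys (not granted in jail). */`.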