Date: Wed, 14 Mar 2007 13:12:59 +0100
From: "Frank Behrens" <frank@pinky.sax.de>
To: "Bruce M. Simpson" <bms@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: tap(4) should go UP if opened
Message-ID: <200703141213.l2ECDntN087975@pinky.frank-behrens.de>
In-Reply-To: <45F15378.3020207@FreeBSD.org>
References: <200703091036.l29AawwJ005466@pinky.frank-behrens.de>
Bruce M. Simpson <bms@freebsd.org> wrote on 9 Mar 2007 12:30:
> However, we also support the creation of tap/tun instances by
> non-super-users, so there is motivation for the change. Configuring a
> tap interface to up by a non-superuser should only be permitted if the
> interface itself was created by a non-superuser, and if
> net.link.tap.user_open is set to 1.
>
> A more involved patch is needed to do this right for all cases -- we
> should not do this by default.
After thinking about the problem I agree with you and propose the following patch:
--- sys/net/if_tap.c.orig Thu Mar 8 19:10:59 2007
+++ sys/net/if_tap.c Wed Mar 14 12:35:58 2007
@@ -501,6 +501,8 @@
s = splimp();
ifp->if_drv_flags |= IFF_DRV_RUNNING;
ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
+ if (tapuopen)
+ ifp->if_flags |= IFF_UP;
splx(s);
TAPDEBUG("%s is open. minor = %#x\n", ifp->if_xname, minor(dev));
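Review bot: The added "if (tapuopen)" test looks only at the global setting, so once net.link.tap.user_open is 1 every open of the control device sets IFF_UP, including an open by root or on an interface the superuser created. The condition quoted above also required that the interface itself was created by a non-superuser, and nothing in this hunk checks that; consider testing the creator of the interface (or the credentials of the opening process) alongside tapuopen before setting the flag. Because the flag is set on each open, an interface the administrator deliberately marked down comes back up as soon as any permitted process opens it. That side effect of the sysctl should be documented in tap(4).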
Rationale:
For transmitting packets via a tap(4) device (at least) two conditions have to be met:
1. The control device must be opened by a process.
2. The ethernet interface must be UP.
For 1. we allow non-root processes the access, when
a) sysctl net.link.tap.user_open=1 AND
b) /dev/tapx has sufficient permissions
If we have no possibility to mark the interface as UP for the non-root process the
net.link.tap.user_open=1 is useless, because we can not transmit any packets. With the
patch the interface goes UP only, when the administrator allowed non-root user access.
Regards,
Frank
--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
