PERFORCE change 79545 for review
Robert Watson
rwatson at FreeBSD.org
Mon Jul 4 12:49:54 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=79545
Change 79545 by rwatson at rwatson_paprika on 2005/07/04 12:49:03
Convert new suser() checks in the network stack to either
CAP_NET_ADMIN or CAP_SYS_MODULE.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/contrib/dev/ath/freebsd/ah_osdep.c#7 edit
.. //depot/projects/trustedbsd/sebsd/sys/contrib/pf/net/if_pfsync.c#5 edit
.. //depot/projects/trustedbsd/sebsd/sys/net80211/ieee80211_freebsd.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/contrib/dev/ath/freebsd/ah_osdep.c#7 (text+ko) ====
@@ -182,7 +182,8 @@
int error;
if (enable) {
- error = suser(curthread);
+ /* XXXRW: Races on /tmp/ath_hal.log? */
+ error = cap_check(curthread, CAP_SYS_ADMIN);
if (error == 0) {
error = alq_open(&ath_hal_alq, ath_hal_logfile,
curthread->td_ucred, ALQ_DEFAULT_CMODE,
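Review bot: The new `error = cap_check(curthread, CAP_SYS_ADMIN);` line uses CAP_SYS_ADMIN, while the change description says the conversions go to CAP_NET_ADMIN or CAP_SYS_MODULE; one of the two should be reconciled, and a one-line comment at the check site should say why this capability was chosen (enabling HAL logging is a debugging control rather than network configuration). The `XXXRW` comment records a race without its shape: the check only decides who may enable logging, and the alq_open() that follows opens a fixed log path with the caller's credential, so whatever already exists at that path is used; if ath_hal_logfile is the /tmp path the comment names, another user can pre-create it. Suggest making the comment concrete: `/* XXXRW: ath_hal_logfile is a fixed path (/tmp/ath_hal.log); alq_open() follows whatever already exists there. */`. The enclosing function starts before and ends after the hunk.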
==== //depot/projects/trustedbsd/sebsd/sys/contrib/pf/net/if_pfsync.c#5 (text+ko) ====
@@ -43,6 +43,9 @@
#endif
#include <sys/param.h>
+#ifdef __FreeBSD__
+#include <sys/capability.h>
+#endif
#include <sys/proc.h>
#include <sys/systm.h>
#include <sys/time.h>
@@ -1016,7 +1019,7 @@
break;
case SIOCSETPFSYNC:
#ifdef __FreeBSD__
- if ((error = suser(curthread)) != 0)
+ if ((error = cap_check(curthread, CAP_NET_ADMIN)) != 0)
#else
if ((error = suser(p, p->p_acflag)) != 0)
#endif
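Review bot: The `cap_check(curthread, CAP_NET_ADMIN)` line carries no comment explaining why SIOCSETPFSYNC maps to CAP_NET_ADMIN, and that mapping is the security decision in this change; whoever writes the MAC/SEBSD policy side will need it. Suggest `/* Reconfiguring the pfsync interface/peer is network administration. */` above the `#ifdef __FreeBSD__` (assuming SIOCSETPFSYNC sets the sync interface and peer, as its name suggests — confirm). The `<sys/capability.h>` include added under the same `__FreeBSD__` guard in the earlier hunk matches this use, so the non-FreeBSD build path is unaffected. The enclosing switch and function start before and end after the hunk.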
==== //depot/projects/trustedbsd/sebsd/sys/net80211/ieee80211_freebsd.c#2 (text+ko) ====
@@ -306,7 +306,8 @@
#ifdef notyet
struct thread *td = curthread;
- if (suser(td) == 0 && securelevel_gt(td->td_ucred, 0) == 0) {
+ if (cap_check(td, CAP_SYS_MODULE) == 0 &&
+ securelevel_gt(td->td_ucred, 0) == 0) {
mtx_lock(&Giant);
(void) linker_load_module(modname, NULL, NULL, NULL, NULL);
mtx_unlock(&Giant);
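Review bot: The new `cap_check(td, CAP_SYS_MODULE)` call sits under `#ifdef notyet`, so the compiler never sees it and neither the identifier nor an include of `<sys/capability.h>` (no include change for this file appears in the change) is verified; if the block is ever enabled, a missing include would surface only then. A comment should also record that `td` is whatever thread happened to trigger the on-demand load, so the privilege requirement attaches to that caller rather than to an explicit administrative action, e.g. `/* Auto-load runs in the triggering thread's context: it must hold CAP_SYS_MODULE and securelevel must not exceed 0. */`. The enclosing function starts before and ends after the hunk.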