git: 310f6f2448ed - stable/13 - if_me: Use dedicated network privilege
Date: Wed, 11 Jan 2023 10:39:58 UTC
The branch stable/13 has been updated by zlei:
URL: https://cgit.FreeBSD.org/src/commit/?id=310f6f2448ed5baf0d74fba7660468df84dce184
commit 310f6f2448ed5baf0d74fba7660468df84dce184
Author: Zhenlei Huang <zlei.huang@gmail.com>
AuthorDate: 2022-10-15 15:05:36 +0000
Commit: Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2023-01-11 10:35:59 +0000
if_me: Use dedicated network privilege
Separate if_me privileges from if_gif.
Reviewed by: kp
Approved by: kp (mentor)
Differential Revision: https://reviews.freebsd.org/D36691
(cherry picked from commit 43f8c763cdeea29f95b6f0eebce3ad80dd210c7a)
---
sys/kern/kern_jail.c | 1 +
sys/net/if_me.c | 2 +-
sys/sys/priv.h | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 8a3d3eb35759..1dfdb30a463c 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3469,6 +3469,7 @@ prison_priv_check(struct ucred *cred, int priv)
case PRIV_NET_GIF:
case PRIV_NET_SETIFVNET:
case PRIV_NET_SETIFFIB:
+ case PRIV_NET_ME:
case PRIV_NET_WG:
/*
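Review bot: Adding PRIV_NET_ME to the privileges that prison_priv_check grants to a vnet-jailed root keeps jailed if_me behaviour unchanged only if PRIV_NET_GRE, the privilege me_ioctl checked before this commit, is also in this case list; the list begins outside the hunk, so that cannot be confirmed here. If it is, a short comment on the new case would make the intent explicit, e.g. `case PRIV_NET_ME: /* formerly covered by PRIV_NET_GRE */`; if it is not, granting the new privilege to jails widens what a jailed root may configure and deserves a sentence in the commit message. The switch in prison_priv_check continues outside the hunk.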
diff --git a/sys/net/if_me.c b/sys/net/if_me.c
index 067ab22cd84d..bcc89aa130f7 100644
--- a/sys/net/if_me.c
+++ b/sys/net/if_me.c
@@ -322,7 +322,7 @@ me_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
ifr->ifr_fib = sc->me_fibnum;
break;
case SIOCSTUNFIB:
- if ((error = priv_check(curthread, PRIV_NET_GRE)) != 0)
+ if ((error = priv_check(curthread, PRIV_NET_ME)) != 0)
break;
if (ifr->ifr_fib >= rt_numfibs)
error = EINVAL;
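Review bot: The commit description says the privilege is being separated from if_gif, but the check replaced here is for PRIV_NET_GRE, so the description and the code disagree; unless other if_me sites outside this hunk use PRIV_NET_GIF, the message should read `Separate if_me privileges from if_gre.`. me_ioctl's remaining cases lie outside the hunk, so any other priv_check call in them should be moved to PRIV_NET_ME in the same change, otherwise the interface ends up gated by two different privileges.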
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 21a969432f1a..8522231a2863 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -348,6 +348,7 @@
#define PRIV_NET_VXLAN 420 /* Administer vxlan. */
#define PRIV_NET_SETLANPCP 421 /* Set LAN priority. */
#define PRIV_NET_SETVLANPCP PRIV_NET_SETLANPCP /* Alias Set VLAN priority */
+#define PRIV_NET_ME 423 /* Administer ME interface. */
#define PRIV_NET_WG 424 /* Administer WireGuard interface. */
/*