git: f977328c7277 - releng/14.4 - cap_net: do not allow new limits to drop keys from the old ones
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 20 May 2026 19:40:03 UTC
The branch releng/14.4 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=f977328c727735f32f7615f19ef6aff96484ffeb
commit f977328c727735f32f7615f19ef6aff96484ffeb
Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
AuthorDate: 2026-05-12 08:33:41 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-05-20 02:17:57 +0000
cap_net: do not allow new limits to drop keys from the old ones
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.
Approved by: so
Security: FreeBSD-SA-26:24.cap_net
Security: CVE-2026-45254
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D56991
(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
(cherry picked from commit b79faca1c5964d89c125d02de35928b733041f3f)
---
lib/libcasper/services/cap_net/cap_net.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/lib/libcasper/services/cap_net/cap_net.c b/lib/libcasper/services/cap_net/cap_net.c
index 40d18319ae28..303a8e4b2120 100644
--- a/lib/libcasper/services/cap_net/cap_net.c
+++ b/lib/libcasper/services/cap_net/cap_net.c
@@ -1099,12 +1099,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout)
return (0);
}
+/*
+ * If the old sublimit restricted a subkey, the new one must too;
+ * a missing subkey means "allow any" at request time.
+ */
+static bool
+verify_subkeys_present(const nvlist_t *oldfunclimits,
+ const nvlist_t *newfunclimit)
+{
+ void *cookie;
+ const char *name;
+
+ if (oldfunclimits == NULL)
+ return (true);
+
+ cookie = NULL;
+ while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
+ if (!nvlist_exists(newfunclimit, name))
+ return (false);
+ }
+ return (true);
+}
+
static bool
verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
const nvlist_t *newfunclimit)
{
void *cookie;
+ if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+ return (false);
+
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
void *sacookie;
@@ -1177,6 +1202,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_ADDR2NAME, NULL);
}
+ if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+ return (false);
+
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
@@ -1235,6 +1263,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_NAME2ADDR, NULL);
}
+ if (!verify_subkeys_present(oldfunclimits, newfunclimit))
+ return (false);
+
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "hosts") == 0) {