git: 96dbc9a8de10 - main - netlink: Check permissions for interface flag changes
Date: Fri, 29 May 2026 23:11:32 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=96dbc9a8de105065b6b1e55702aa648319176587
commit 96dbc9a8de105065b6b1e55702aa648319176587
Author: Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2026-05-29 15:52:03 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2026-05-29 23:11:21 +0000
netlink: Check permissions for interface flag changes
Reviewed by: pouria, melifaro
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57332
---
sys/netlink/route/iface_drivers.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/sys/netlink/route/iface_drivers.c b/sys/netlink/route/iface_drivers.c
index d26e92044ff5..79daa4215dba 100644
--- a/sys/netlink/route/iface_drivers.c
+++ b/sys/netlink/route/iface_drivers.c
@@ -83,6 +83,10 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
if ((lattrs->ifi_change & IFF_UP) != 0 || lattrs->ifi_change == 0) {
/* Request to up or down the interface */
+ if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+ nlmsg_report_err_msg(npt, "Not enough privileges to set flags");
+ return (EPERM);
+ }
if (lattrs->ifi_flags & IFF_UP)
if_up(ifp);
else
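Review bot: The `return (EPERM)` added in the IFF_UP block exits `_nl_modify_ifp_generic()` part-way through, so anything the function applied to `ifp` before this point would stay applied while the caller is told the request failed; the code above the hunk is not shown, so this needs confirming. The promisc check in the third hunk has the same shape, and the closing `}` that opens the second hunk shows another block running between the two checks. Since both test the same privilege, a single guard placed ahead of the first modification would reject the request before any state changes: `if ((lattrs->ifi_change == 0 || (lattrs->ifi_change & (IFF_UP | IFF_PROMISC)) != 0) && !nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS))`, with the same report-and-return body. The function begins and ends outside the hunk.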
@@ -104,7 +108,7 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
}
if ((lattrs->ifi_change & IFF_PROMISC) != 0 ||
- lattrs->ifi_change == 0)
+ lattrs->ifi_change == 0) {
/*
* When asking for IFF_PROMISC, set permanent flag instead
* (IFF_PPROMISC) as we have no way of doing promiscuity
@@ -112,7 +116,12 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct nl_parsed_link *lattrs,
* function either sets or unsets IFF_PROMISC, and ifi_change
* is usually set to 0xFFFFFFFF.
*/
+ if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+ nlmsg_report_err_msg(npt, "Not enough privileges to set promisc");
+ return (EPERM);
+ }
if_setppromisc(ifp, (lattrs->ifi_flags & IFF_PROMISC) != 0);
+ }
if (lattrs->ifla_address != NULL) {
if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) {
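Review bot: The privilege check added in the promisc block sits between the block comment about IFF_PPROMISC and the `if_setppromisc()` call that the comment explains, so the comment now appears to document the check rather than the call. Placing the `if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS))` block directly after the new opening `{`, above the comment, keeps the explanation next to the call it describes. That also matches the visible `PRIV_NET_SETIFMAC` check, which is the first statement in its block. The comment itself starts in the previous hunk.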