svn commit: r188284 - in stable/7/sys: . contrib/pf dev/ath/ath_hal
dev/cxgb net
Bjoern A. Zeeb
bz at FreeBSD.org
Sat Feb 7 05:46:56 PST 2009
Author: bz
Date: Sat Feb 7 13:46:51 2009
New Revision: 188284
URL: http://svn.freebsd.org/changeset/base/188284
Log:
MFC:
r186956
Take the cred from curthread rather than curproc as curproc would need
locking but the credential from curthread (usually) never changes.
r186980
Restrict arp, ndp and theoretically the FIB listing (if not
read with libkvm) to the addresses of a prison, when inside a
jail.
While touching RTM_GET in route_output(), consistently use
curthread credentials rather than the creds from the socket
there.
r186986
Rather than using the cred from curthread, take it from the thread
referenced in the sysctl req argument.
Modified:
stable/7/sys/ (props changed)
stable/7/sys/contrib/pf/ (props changed)
stable/7/sys/dev/ath/ath_hal/ (props changed)
stable/7/sys/dev/cxgb/ (props changed)
stable/7/sys/net/rtsock.c
Modified: stable/7/sys/net/rtsock.c
==============================================================================
--- stable/7/sys/net/rtsock.c Sat Feb 7 13:32:49 2009 (r188283)
+++ stable/7/sys/net/rtsock.c Sat Feb 7 13:46:51 2009 (r188284)
@@ -585,6 +585,12 @@ route_output(struct mbuf *m, struct sock
case RTM_GET:
report:
RT_LOCK_ASSERT(rt);
+ if (jailed(curthread->td_ucred) &&
+ ((rt->rt_flags & RTF_HOST) == 0 ||
+ !prison_if(curthread->td_ucred, rt_key(rt)))) {
+ RT_UNLOCK(rt);
+ senderr(ESRCH);
+ }
info.rti_info[RTAX_DST] = rt_key(rt);
info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
info.rti_info[RTAX_NETMASK] = rt_mask(rt);
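Review bot: The new visibility predicate at the top of the hunk — a jailed credential, then `(rt->rt_flags & RTF_HOST) == 0 || !prison_if(cred, rt_key(rt))` — is repeated verbatim in sysctl_dumpentry in the third hunk, so the two copies can drift apart the next time the jail routing policy is adjusted. Factor it into one file-scope helper, e.g. `static int rt_visible_to(struct ucred *cred, struct rtentry *rt)`, and call it from both sites so that RTM_GET and the sysctl dump always enforce the same rule. The rule deserves a comment at the helper because it is stricter than it looks: a jailed process is denied even the default route, since only host routes to prison addresses pass, `/* Jails see only host routes to their own addresses; hide everything else. */`. route_output's body starts and ends outside the hunk.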
@@ -594,10 +600,10 @@ route_output(struct mbuf *m, struct sock
if (ifp) {
info.rti_info[RTAX_IFP] =
ifp->if_addr->ifa_addr;
- if (jailed(so->so_cred)) {
+ if (jailed(curthread->td_ucred)) {
error = rtm_get_jailed(
&info, ifp, rt, &saun,
- so->so_cred);
+ curthread->td_ucred);
if (error != 0) {
RT_UNLOCK(rt);
senderr(ESRCH);
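Review bot: `curthread->td_ucred` is now fetched twice on this path — at the new check above `info.rti_info[RTAX_DST]` in the previous hunk and again in the `if (jailed(...))` here — and then passed a third time into rtm_get_jailed(); a single local taken once at the top of the RTM_GET branch, `struct ucred *cred = curthread->td_ucred;`, reads more clearly and makes the "one credential per request" intent of the log message explicit in the code. The RT_UNLOCK-before-senderr ordering matches the earlier check, which is good. route_output's body extends beyond the hunk in both directions.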
@@ -1224,6 +1230,10 @@ sysctl_dumpentry(struct radix_node *rn,
if (w->w_op == NET_RT_FLAGS && !(rt->rt_flags & w->w_arg))
return 0;
+ if (jailed(w->w_req->td->td_ucred) &&
+ ((rt->rt_flags & RTF_HOST) == 0 ||
+ !prison_if(w->w_req->td->td_ucred, rt_key(rt))))
+ return (0);
bzero((caddr_t)&info, sizeof(info));
info.rti_info[RTAX_DST] = rt_key(rt);
info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
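Review bot: The added early return uses `return (0);` while the line kept directly above it uses `return 0;`, so the function now mixes both forms two lines apart; `return (0);` is the style(9) form, so the older line is the one to align if anything is touched. The new check also dereferences `w->w_req->td` unconditionally, which is fine only if every caller of sysctl_dumpentry goes through sysctl_rtsock with a real req (inferred from the last hunk, not visible here); a short comment at the walkarg setup stating that `w_req` is never NULL on this path would make that assumption explicit. sysctl_dumpentry's body starts and ends outside the hunk.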
@@ -1283,8 +1293,8 @@ sysctl_iflist(int af, struct walkarg *w)
while ((ifa = TAILQ_NEXT(ifa, ifa_link)) != NULL) {
if (af && af != ifa->ifa_addr->sa_family)
continue;
- if (jailed(curthread->td_ucred) &&
- !prison_if(curthread->td_ucred, ifa->ifa_addr))
+ if (jailed(w->w_req->td->td_ucred) &&
+ !prison_if(w->w_req->td->td_ucred, ifa->ifa_addr))
continue;
info.rti_info[RTAX_IFA] = ifa->ifa_addr;
info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask;
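Review bot: `w->w_req->td->td_ucred` is dereferenced three pointers deep twice for every address inside the `TAILQ_NEXT` loop, and the same pattern appears in sysctl_ifmalist in the sixth hunk; hoisting the credential once before each loop, `struct ucred *cred = w->w_req->td->td_ucred;` followed by `if (jailed(cred) && !prison_if(cred, ifa->ifa_addr))`, reads better and makes clear that one credential governs the whole listing. The loop head and the rest of sysctl_iflist lie outside the hunk.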
@@ -1311,7 +1321,7 @@ done:
return (error);
}
-int
+static int
sysctl_ifmalist(int af, struct walkarg *w)
{
struct ifnet *ifp;
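Review bot: Making sysctl_ifmalist static is right for a file-local sysctl helper, but any earlier declaration of it in rtsock.c must carry the same storage class, since a static definition that follows a non-static declaration does not compile; that declaration, if one exists, is outside this hunk. The function body continues beyond the hunk.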
@@ -1331,8 +1341,8 @@ sysctl_ifmalist(int af, struct walkarg *
TAILQ_FOREACH(ifma, &ifp->if_multiaddrs, ifma_link) {
if (af && af != ifma->ifma_addr->sa_family)
continue;
- if (jailed(curproc->p_ucred) &&
- !prison_if(curproc->p_ucred, ifma->ifma_addr))
+ if (jailed(w->w_req->td->td_ucred) &&
+ !prison_if(w->w_req->td->td_ucred, ifma->ifma_addr))
continue;
info.rti_info[RTAX_IFA] = ifma->ifma_addr;
info.rti_info[RTAX_GATEWAY] =
@@ -1397,7 +1407,7 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS)
} else /* dump only one table */
i = lim = af;
for (error = 0; error == 0 && i <= lim; i++)
- if ((rnh = rt_tables[curthread->td_proc->p_fibnum][i]) != NULL) {
+ if ((rnh = rt_tables[req->td->td_proc->p_fibnum][i]) != NULL) {
RADIX_NODE_HEAD_LOCK(rnh);
error = rnh->rnh_walktree(rnh,
sysctl_dumpentry, &w);
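Review bot: `req->td->td_proc->p_fibnum` is re-read on every iteration of the `for` loop even though the table lookup is its only use; read it once before the loop, `int fibnum = req->td->td_proc->p_fibnum;`, and index with `rt_tables[fibnum][i]`. Reading `p_fibnum` without the process lock follows the log's reasoning that the requesting thread's own state is stable for the duration of the sysctl, but that is an assumption worth stating at the read, `/* presumably the caller's own process; p_fibnum is not expected to change during the request */`. sysctl_rtsock's body continues outside the hunk.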