PERFORCE change 41832 for review

Robert Watson rwatson at FreeBSD.org
Sun Nov 9 23:09:05 GMT 2003


http://perforce.freebsd.org/chv.cgi?CH=41832

Change 41832 by rwatson at rwatson_none on 2003/11/09 15:08:44

	Mix and match things a bit due to relatively recent IPv6 updates
	integrated previously.  Revert slightly our capability checking
	to look more like the original suser checking (cache a privilege
	decision).  I don't really like this, but for now it makes
	changes easier to merge while IPv6 code is in flux.  Also now
	compiles...

Affected files ...

.. //depot/projects/trustedbsd/sebsd/sys/netinet6/ip6_output.c#7 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/sys/netinet6/ip6_output.c#7 (text+ko) ====

@@ -1423,7 +1423,7 @@
 	struct socket *so;
 	struct sockopt *sopt;
 {
-	int optdatalen, uproto;
+	int privileged, optdatalen, uproto;
 	void *optdata;
 	struct inpcb *in6p = sotoinpcb(so);
 	int error, optval;
@@ -1442,8 +1442,9 @@
 	}
 	error = optval = 0;
 
+	/* XXX: does CAP_NET_ADMIN or CAP_NET_RAW apply here? */
+	privileged = (td == 0 || cap_check(td, CAP_NET_ADMIN)) ? 0 : 1;
 	uproto = (int)so->so_proto->pr_protocol;
-	/* XXX: does CAP_NET_ADMIN or CAP_NET_RAW apply here? */
 
 	if (level == IPPROTO_IPV6) {
 		switch (op) {
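Review bot: The cached decision on the `privileged =` line is computed before `level`/`op` are examined, so `cap_check(td, CAP_NET_ADMIN)` now runs for every setsockopt/getsockopt on every IPv6 socket, including the large majority of options that never needed privilege; if cap_check records denials under the MAC/SEBSD policy, every unprivileged caller of a harmless option will now produce a denial record, and the old per-option placement did not. If the caching is kept for merge convenience, as the description says, consider evaluating it lazily only when `level == IPPROTO_IPV6 && op == SOPT_SET`, which is the only path the later hunks consult it on. The spelling also differs from the same predicate in the hunk at @@ -2163 (`td != NULL && cap_check(td, CAP_NET_ADMIN) == 0`); writing it once as `privileged = (td != NULL && cap_check(td, CAP_NET_ADMIN) == 0);` avoids comparing a pointer with `0` and keeps the two sites identical. The enclosing function's signature begins before this hunk.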
@@ -1707,14 +1708,12 @@
 					 * Check super-user privilege.
 					 * See comments for IPV6_RECVHOPOPTS.
 					 */
-				        if (td == NULL ||
-					    cap_check (td, CAP_NET_ADMIN))
+					if (!privileged)
 						return (EPERM);
 					OPTSET2292(IN6P_HOPOPTS);
 					break;
 				case IPV6_2292DSTOPTS:
-					if (td == NULL ||
-					    cap_check (td, CAP_NET_ADMIN))
+					if (!privileged)
 						return (EPERM);
 					OPTSET2292(IN6P_DSTOPTS|IN6P_RTHDRDSTOPTS); /* XXX */
 					break;
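Review bot: The comment directly above the first replaced check still reads `* Check super-user privilege.` while the test below it is now a CAP_NET_ADMIN capability decision cached in `privileged`; the same mismatch presumably exists at the IPV6_RECVHOPOPTS comments it refers to, which lie outside this hunk. Updating it to `* Check CAP_NET_ADMIN privilege (see the privileged flag computed at entry).` keeps the comment from pointing readers at a suser() model the code no longer uses. The surrounding switch begins and ends outside the hunk.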
@@ -1845,8 +1844,7 @@
 
 				/* XXX: passing privilege flag into another function */
 				error = ipsec6_set_policy(in6p, optname, req,
-				                          len,
-				     td && !cap_check(td,CAP_NET_ADMIN)));
+							  len, privileged);
 				m_freem(m);
 			    }
 				break;
@@ -2163,7 +2161,7 @@
 	}
 
 	/*  set options specified by user. */
-	if (td && !cap_check(td, CAP_NET_ADMIN))
+	if (td != NULL && cap_check(td, CAP_NET_ADMIN) == 0)
 		priv = 1;
 	if ((error = ip6_setpktoptions(m, opt, NULL, priv, 1,
 	    so->so_proto->pr_protocol)) != 0) {