IP options broken for raw sockets on cred downgrade (was: Re: why required root privileges to set multicast options now?)

[Robert Watson]

On Tue, 12 Oct 2004, Giorgos Keramidas wrote:

> On 2004-10-11 16:31, Robert Watson <rwatson at freebsd.org> wrote:
> > + * NOTE: Regarding access control.  Raw sockets may only be created by
> > + * privileged processes; however, as a result of jailed processes and the
> > + * ability for processes to downgrade privilege yet retain a reference to the
> > + * raw socket.  As such, explicit access control is required here, or when
> > + * unimplemented requests are passed to ip_ctloutput(), are required there.
> 
> Can we rewrite this descriptive comment a bit?  I can't really
> understand what is being said by reading the comment.  Reading the diff
> of the source is easy, but we should try to make the comment more
> comprehensible too ;-) 

Maybe something like the following:

 * IMPORTANT NOTE regarding access control: Traditionally, raw sockets
 * could only be created by a privileged process, and as such, socket
 * option operations to manage system properties on any raw socket were
 * allowed to take place without explicit additional access control
 * checks.  However, raw sockets can now also be created in jail(), and
 * therefore explicit checks are now required.  Likewise, raw sockets can
 * be used by a process after it gives up privilege, so some caution is
 * required.  For options passed down to the IP layer via ip_ctloutput(),
 * checks are assumed to be performed in ip_ctloutput() and therefore no
 * check occurs here.  Unilaterally checking suser() here breaks normal IP
 * socket option operations on raw sockets.
 *
 * When adding new socket options here, make sure to add access control
 * checks here as necessary.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Principal Research Scientist, McAfee Research