PERFORCE change 43676 for review
Chris Vance
cvance at FreeBSD.org
Tue Dec 9 15:52:16 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=43676
Change 43676 by cvance at cvance_sony on 2003/12/09 07:51:31
Cache privilege decision; use cap_check instead of suser
Affected files ...
.. //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/sys/netinet6/in6.c#7 (text+ko) ====
@@ -79,7 +79,6 @@
#include <sys/time.h>
#include <sys/kernel.h>
#include <sys/syslog.h>
-#include <sys/capability.h>
#include <net/if.h>
#include <net/if_types.h>
@@ -335,8 +334,11 @@
struct in6_ifreq *ifr = (struct in6_ifreq *)data;
struct in6_ifaddr *ia = NULL;
struct in6_aliasreq *ifra = (struct in6_aliasreq *)data;
+ int privileged;
- /* XXX: This function considers the caller privileged if td is NULL */
+ privileged = 0;
+ if (td == NULL || !cap_check(td, CAP_NET_ADMIN))
+ privileged++;
switch (cmd) {
case SIOCGETSGCNT_IN6:
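Review bot: The capability check added at the top of the function now runs for every ioctl command, including the read-only ones that never consult `privileged`, whereas the old code called `cap_check()` only in the branches that required CAP_NET_ADMIN. If `cap_check()` in this tree records denials or marks privilege use (its body is not visible here, so confirm this), unprivileged callers issuing plain get requests would now generate spurious denial records that obscure real ones. The removed XXX comment was also the only place documenting that `td == NULL` is treated as privileged, a fail-open default worth keeping visible, e.g. `/* td == NULL: kernel-internal caller, treated as privileged */`. Assigning the flag directly, `privileged = (td == NULL || cap_check(td, CAP_NET_ADMIN) == 0);`, would read more clearly than `privileged++` on an int used as a boolean. The enclosing function starts and ends outside this hunk, and the later hunks all rely on this one decision.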
@@ -361,9 +363,9 @@
case SIOCSRTRFLUSH_IN6:
case SIOCSDEFIFACE_IN6:
case SIOCSIFINFO_FLAGS:
- if (td != NULL && cap_check (td, CAP_NET_ADMIN))
+ if (!privileged)
return (EPERM);
- /* fall through */
+ /* FALLTHROUGH */
case OSIOCGIFINFO_IN6:
case SIOCGIFINFO_IN6:
case SIOCGDRLST_IN6:
@@ -388,8 +390,8 @@
switch (cmd) {
case SIOCSSCOPE6:
- if (td != NULL && cap_check (td, CAP_NET_ADMIN))
- return(EPERM);
+ if (!privileged)
+ return (EPERM);
return (scope6_set(ifp,
(struct scope6_id *)ifr->ifr_ifru.ifru_scope_id));
case SIOCGSCOPE6:
@@ -403,7 +405,7 @@
switch (cmd) {
case SIOCALIFADDR:
case SIOCDLIFADDR:
- if (td != NULL && cap_check (td, CAP_NET_ADMIN))
+ if (!privileged)
return (EPERM);
/* FALLTHROUGH */
case SIOCGLIFADDR:
@@ -467,7 +469,7 @@
if (ifra->ifra_addr.sin6_family != AF_INET6 ||
ifra->ifra_addr.sin6_len != sizeof(struct sockaddr_in6))
return (EAFNOSUPPORT);
- if (td != NULL && cap_check(td, CAP_NET_ADMIN))
+ if (!privileged)
return (EPERM);
break;
@@ -487,7 +489,7 @@
{
struct in6_addrlifetime *lt;
- if (td != NULL && cap_check(td, CAP_NET_ADMIN))
+ if (!privileged)
return (EPERM);
if (ia == NULL)
return (EADDRNOTAVAIL);