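--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,8 +1,8 @@
 /*-
  * Copyright (c) 1982, 1986, 1988, 1993
  * The Regents of the University of California. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
@@ -22,29 +22,30 @@
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
- * $FreeBSD: head/sys/netinet/raw_ip.c 163606 2006-10-22 11:52:19Z rwatson $
+ * $FreeBSD: head/sys/netinet/raw_ip.c 164033 2006-11-06 13:42:10Z rwatson $
  */
 
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 #include "opt_mac.h"
 
 #include <sys/param.h>
 #include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/protosw.h>
 #include <sys/signalvar.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sx.h>
 #include <sys/sysctl.h>
 #include <sys/systm.h>
@@ -382,27 +383,31 @@
  optval = inp->inp_flags & INP_HDRINCL;
  error = sooptcopyout(sopt, &optval, sizeof optval);
  break;
 
  case IP_FW_ADD: /* ADD actually returns the body... */
  case IP_FW_GET:
  case IP_FW_TABLE_GETSIZE:
  case IP_FW_TABLE_LIST:
- error = suser(curthread);
+ /*
+ * XXXRW: Isn't this checked one layer down? Yes, it
+ * is.
+ */
+ error = priv_check(curthread, PRIV_NETINET_IPFW);
  if (error != 0)
  return (error);
  if (ip_fw_ctl_ptr != NULL)
  error = ip_fw_ctl_ptr(sopt);
  else
  error = ENOPROTOOPT;
  break;
 
  case IP_DUMMYNET_GET:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_DUMMYNET);
  if (error != 0)
  return (error);
  if (ip_dn_ctl_ptr != NULL)
  error = ip_dn_ctl_ptr(sopt);
  else
  error = ENOPROTOOPT;
  break ;
 
@@ -413,17 +418,17 @@
  case MRT_ADD_MFC:
  case MRT_DEL_MFC:
  case MRT_VERSION:
  case MRT_ASSERT:
  case MRT_API_SUPPORT:
  case MRT_API_CONFIG:
  case MRT_ADD_BW_UPCALL:
  case MRT_DEL_BW_UPCALL:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_MROUTE);
  if (error != 0)
  return (error);
  error = ip_mrouter_get ? ip_mrouter_get(so, sopt) :
  EOPNOTSUPP;
  break;
 
  default:
  error = ip_ctloutput(so, sopt);
@@ -447,73 +452,76 @@
  case IP_FW_ADD:
  case IP_FW_DEL:
  case IP_FW_FLUSH:
  case IP_FW_ZERO:
  case IP_FW_RESETLOG:
  case IP_FW_TABLE_ADD:
  case IP_FW_TABLE_DEL:
  case IP_FW_TABLE_FLUSH:
- error = suser(curthread);
+ /*
+ * XXXRW: Isn't this checked one layer down?
+ */
+ error = priv_check(curthread, PRIV_NETINET_IPFW);
  if (error != 0)
  return (error);
  if (ip_fw_ctl_ptr != NULL)
  error = ip_fw_ctl_ptr(sopt);
  else
  error = ENOPROTOOPT;
  break;
 
  case IP_DUMMYNET_CONFIGURE:
  case IP_DUMMYNET_DEL:
  case IP_DUMMYNET_FLUSH:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_DUMMYNET);
  if (error != 0)
  return (error);
  if (ip_dn_ctl_ptr != NULL)
  error = ip_dn_ctl_ptr(sopt);
  else
  error = ENOPROTOOPT ;
  break ;
 
  case IP_RSVP_ON:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_MROUTE);
  if (error != 0)
  return (error);
  error = ip_rsvp_init(so);
  break;
 
  case IP_RSVP_OFF:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_MROUTE);
  if (error != 0)
  return (error);
  error = ip_rsvp_done();
  break;
 
  case IP_RSVP_VIF_ON:
  case IP_RSVP_VIF_OFF:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_MROUTE);
  if (error != 0)
  return (error);
  error = ip_rsvp_vif ?
  ip_rsvp_vif(so, sopt) : EINVAL;
  break;
 
  case MRT_INIT:
  case MRT_DONE:
  case MRT_ADD_VIF:
  case MRT_DEL_VIF:
  case MRT_ADD_MFC:
  case MRT_DEL_MFC:
  case MRT_VERSION:
  case MRT_ASSERT:
  case MRT_API_SUPPORT:
  case MRT_API_CONFIG:
  case MRT_ADD_BW_UPCALL:
  case MRT_DEL_BW_UPCALL:
- error = suser(curthread);
+ error = priv_check(curthread, PRIV_NETINET_MROUTE);
  if (error != 0)
  return (error);
  error = ip_mrouter_set ? ip_mrouter_set(so, sopt) :
  EOPNOTSUPP;
  break;
 
  default:
  error = ip_ctloutput(so, sopt);
@@ -593,19 +601,24 @@
 static int
 rip_attach(struct socket *so, int proto, struct thread *td)
 {
  struct inpcb *inp;
  int error;
 
  inp = sotoinpcb(so);
  KASSERT(inp == NULL, ("rip_attach: inp != NULL"));
+ /*
+ * XXXRW: Centralize privilege decision in kern_jail.c.
+ */
  if (jailed(td->td_ucred) && !jail_allow_raw_sockets)
  return (EPERM);
- if ((error = suser_cred(td->td_ucred, SUSER_ALLOWJAIL)) != 0)
+ error = priv_check_cred(td->td_ucred, PRIV_NETINET_RAW,
+ SUSER_ALLOWJAIL);
+ if (error)
  return error;
  if (proto >= IPPROTO_MAX || proto < 0)
  return EPROTONOSUPPORT;
  error = soreserve(so, rip_sendspace, rip_recvspace);
  if (error)
  return error;
  INP_INFO_WLOCK(&ripcbinfo);
  error = in_pcballoc(so, &ripcbinfo);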
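Review bot: The two XXXRW comments added above the `PRIV_NETINET_IPFW` checks disagree with each other: the one on the get side (`IP_FW_ADD`/`IP_FW_GET`/...) answers its own question with "Yes, it is", while the one on the set side (`IP_FW_ADD`/`IP_FW_DEL`/...) leaves it open. If the handler reached through `ip_fw_ctl_ptr` does repeat the check, as the first comment states, the effective policy is whatever both layers allow, and a later change to only one of them would alter who may manage firewall rules without that being visible here. I would either drop the outer check or keep it on purpose and say so identically in both places, e.g. `/* Also checked by the ipfw handler; both layers must use PRIV_NETINET_IPFW. */`. The switch statements these cases belong to start outside the visible lines, so the handler's own check could not be confirmed from this page.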