
(-)share/man/man4/tap.4 (-6 / +1 lines)
Lines 118-129 Link Here
118
The Ethernet tunnel device, normally
118
The Ethernet tunnel device, normally
119
.Pa /dev/tap Ns Sy N ,
119
.Pa /dev/tap Ns Sy N ,
120
is exclusive-open
120
is exclusive-open
121
(it cannot be opened if it is already open)
121
(it cannot be opened if it is already open).
122
and is restricted to the super-user, unless the
123
.Xr sysctl 8
124
variable
125
.Va net.link.tap.user_open
126
is non-zero.
127
If the
122
If the
128
.Xr sysctl 8
123
.Xr sysctl 8
129
variable
124
variable
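--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3724,7 +3724,6 @@
 	case PRIV_NET_BPF:
 	case PRIV_NET_RAW:		/* Dup, cond. in legacy jail case. */
 	case PRIV_NET_ROUTE:
-	case PRIV_NET_TAP:
 	case PRIV_NET_SETIFMTU:
 	case PRIV_NET_SETIFFLAGS:
 	case PRIV_NET_SETIFCAP: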
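--- a/sys/net/if_tap.c
+++ b/sys/net/if_tap.c
@@ -153,7 +153,6 @@
  */
 static struct mtx		tapmtx;
 static int			tapdebug = 0;        /* debug flag   */
-static int			tapuopen = 0;        /* allow user open() */
 static int			tapuponopen = 0;    /* IFF_UP on open() */
 static int			tapdclone = 1;	/* enable devfs cloning */
 static SLIST_HEAD(, tap_softc)	taphead;             /* first device */
@@ -166,12 +165,10 @@
 SYSCTL_DECL(_net_link);
 static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
     "Ethernet tunnel software network interface");
-SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0,
-	"Allow user to open /dev/tap (based on node permissions)");
 SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0,
 	"Bring interface up when /dev/tap is opened");
 SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0,
-	"Enably legacy devfs interface creation");
+	"Enable legacy devfs interface creation");
 SYSCTL_INT(_net_link_tap, OID_AUTO, debug, CTLFLAG_RW, &tapdebug, 0, "");
 
 DEV_MODULE(if_tap, tapmodevent, NULL);
@@ -345,8 +342,7 @@
 	if (*dev != NULL)
 		return;
 
-	if (!tapdclone ||
-	    (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0))
+	if (!tapdclone || priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0)
 		return;
 
 	unit = 0;
@@ -477,14 +473,7 @@
 {
 	struct tap_softc	*tp = NULL;
 	struct ifnet		*ifp = NULL;
-	int			 error;
 
-	if (tapuopen == 0) {
-		error = priv_check(td, PRIV_NET_TAP);
-		if (error)
-			return (error);
-	}
-
 	if ((dev2unit(dev) & CLONE_UNITMASK) > TAPMAXUNIT)
 		return (ENXIO);
 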
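Review bot: With the `tapuopen` gate removed in the 477-490 hunk, tapopen() performs no privilege check at all, so who may open /dev/tapN is now decided entirely by the devfs node's owner and mode; a comment stating that here, e.g. `/* Access is governed solely by the device node permissions; see tap(4). */`, would keep the next reader from assuming a check was lost by accident. Dropping the `int error;` local is only safe if the remainder of tapopen(), which continues outside the hunk, no longer references it; the patch is presumably consistent but that cannot be confirmed from the visible lines. Removing the net.link.tap.user_open sysctl outright means existing sysctl.conf entries that set it will fail to apply at boot; if that matters for upgrades, a deprecated no-op OID could be kept for one release. The same node-permission model now also applies to the clone path in the 345-352 hunk, where PRIV_NET_IFCREATE still gates interface creation.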
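--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -317,7 +317,6 @@
 #define	PRIV_NET_BPF		394	/* Monitor BPF. */
 #define	PRIV_NET_RAW		395	/* Open raw socket. */
 #define	PRIV_NET_ROUTE		396	/* Administer routing. */
-#define	PRIV_NET_TAP		397	/* Can open tap device. */
 #define	PRIV_NET_SETIFMTU	398	/* Set interface MTU. */
 #define	PRIV_NET_SETIFFLAGS	399	/* Set interface flags. */
 #define	PRIV_NET_SETIFCAP	400	/* Set interface capabilities. */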
