

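--- a/sys/amd64/conf/NOTES
+++ b/sys/amd64/conf/NOTES
@@ -113,6 +113,11 @@ options IPOIB
 options 	IPOIB_DEBUG
 options 	IPOIB_CM
 
+# Opening tap devices is a privilege; requires PRIV_NET_TAP/super-user.
+# The alternative (default) behavior is to leave control to user/group node
+# permissions.
+options 	TAP_OPEN_PRIVILEGED
+
 
 #####################################################################
 # CLOCK OPTIONS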
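--- a/sys/conf/options
+++ b/sys/conf/options
@@ -449,6 +449,7 @@ RADIX_MPATH opt_mpath.h
 ROUTETABLES		opt_route.h
 RSS			opt_rss.h
 SLIP_IFF_OPTS		opt_slip.h
+TAP_OPEN_PRIVILEGED	opt_global.h
 TCPDEBUG
 TCPPCAP		opt_global.h
 SIFTR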
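--- a/sys/net/if_tuntap.c
+++ b/sys/net/if_tuntap.c
@@ -154,7 +154,6 @@ static const char vmnetname[] = "vmnet";
 static MALLOC_DEFINE(M_TUN, tunname, "Tunnel Interface");
 static int tundebug = 0;
 static int tundclone = 1;
-static int tap_allow_uopen = 0;	/* allow user open() */
 static int tapuponopen = 0;	/* IFF_UP on open() */
 static int tapdclone = 1;	/* enable devfs cloning */
 
@@ -174,8 +173,6 @@ SYSCTL_INT(_net_link_tun, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tundclone, 0,
 /* tap */
 static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
     "Ethernet tunnel software network interface");
-SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tap_allow_uopen, 0,
-    "Allow user to open /dev/tap (based on node permissions)");
 SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0,
     "Bring interface up when /dev/tap is opened");
 SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0,
@@ -486,7 +483,7 @@ tunclone(void *arg, struct ucred *cred, char *name, int namelen,
 	mayclone = priv_check_cred(cred, PRIV_NET_IFCREATE) == 0;
 	if ((tunflags & TUN_L2) != 0) {
 		/* tap/vmnet allow user open with a sysctl */
-		mayclone = (mayclone || tap_allow_uopen) && tapdclone;
+		mayclone = mayclone && tapdclone;
 	} else {
 		mayclone = mayclone && tundclone;
 	}
@@ -852,16 +849,16 @@ tunopen(struct cdev *dev, int flag, int mode, struct thread *td)
 		return (error);	/* Shouldn't happen */
 	}
 
+#ifdef TAP_OPEN_PRIVILEGED
 	if ((tunflags & TUN_L2) != 0) {
 		/* Restrict? */
-		if (tap_allow_uopen == 0) {
-			error = priv_check(td, PRIV_NET_TAP);
-			if (error != 0) {
-				CURVNET_RESTORE();
-				return (error);
-			}
-		}
+		error = priv_check(td, PRIV_NET_TAP);
+		if (error != 0) {
+			CURVNET_RESTORE();
+			return (error);
+		}
 	}
+#endif
 
 	/*
 	 * XXXRW: Non-atomic test and set of dev->si_drv1 requires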
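Review bot: Two comments kept on the new side are now stale: `/* tap/vmnet allow user open with a sysctl */` in the tunclone hunk describes the `user_open` sysctl this commit removes, and `/* Restrict? */` in the tunopen hunk sits above a priv_check that is no longer conditional on a runtime knob. Suggest `/* tap/vmnet: cloning still needs PRIV_NET_IFCREATE; open() is left to node permissions */` for the first and `/* TAP_OPEN_PRIVILEGED: opening a tap/vmnet node additionally requires PRIV_NET_TAP */` for the second. With the sysctl gone the open policy is fixed at build time, so an administrator can no longer tighten it on a running system without a rebuild; if tap(4) or any rc/devfs documentation references net.link.tap.user_open, it presumably needs updating in the same change. Both tunclone and tunopen begin and end outside the hunks shown.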
