FreeBSD Bugzilla – Attachment 207504 Details for
Bug 200185
if_tap: Deprecate net.link.tap.user_open sysctl
[patch]
git(1) diff
tappriv.diff (text/plain), 2.77 KB, created by
Kyle Evans
on 2019-09-15 02:18:22 UTC
Description:
git(1) diff
Filename:
MIME Type:
Creator:
Kyle Evans
Created:
2019-09-15 02:18:22 UTC
Size:
2.77 KB
>diff --git a/sys/amd64/conf/NOTES b/sys/amd64/conf/NOTES
>index 86308526749..2411cab04f8 100644
>--- a/sys/amd64/conf/NOTES
>+++ b/sys/amd64/conf/NOTES
>@@ -113,6 +113,11 @@ options IPOIB
> options IPOIB_DEBUG
> options IPOIB_CM
>
>+# Opening tap devices is a privilege; requires PRIV_NET_TAP/super-user.
>+# The alternative (default) behavior is to leave control to user/group node
>+# permissions.
>+options TAP_OPEN_PRIVILEGED
>+
>
> #####################################################################
> # CLOCK OPTIONS
>diff --git a/sys/conf/options b/sys/conf/options
>index 6957a2d236e..63193288b51 100644
>--- a/sys/conf/options
>+++ b/sys/conf/options
>@@ -449,6 +449,7 @@ RADIX_MPATH opt_mpath.h
> ROUTETABLES opt_route.h
> RSS opt_rss.h
> SLIP_IFF_OPTS opt_slip.h
>+TAP_OPEN_PRIVILEGED opt_global.h
> TCPDEBUG
> TCPPCAP opt_global.h
> SIFTR
>diff --git a/sys/net/if_tuntap.c b/sys/net/if_tuntap.c
>index 54694240897..869d922a86c 100644
>--- a/sys/net/if_tuntap.c
>+++ b/sys/net/if_tuntap.c
>@@ -154,7 +154,6 @@ static const char vmnetname[] = "vmnet";
> static MALLOC_DEFINE(M_TUN, tunname, "Tunnel Interface");
> static int tundebug = 0;
> static int tundclone = 1;
>-static int tap_allow_uopen = 0; /* allow user open() */
> static int tapuponopen = 0; /* IFF_UP on open() */
> static int tapdclone = 1; /* enable devfs cloning */
>
>@@ -174,8 +173,6 @@ SYSCTL_INT(_net_link_tun, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tundclone, 0,
> /* tap */
> static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
> "Ethernet tunnel software network interface");
>-SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tap_allow_uopen, 0,
>- "Allow user to open /dev/tap (based on node permissions)");
> SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0,
> "Bring interface up when /dev/tap is opened");
> SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0,
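Review bot: TAP_OPEN_PRIVILEGED is documented only in sys/amd64/conf/NOTES, although the same patch registers it in the machine-independent sys/conf/options and uses it in sys/net/if_tuntap.c. If the option is meant to be machine-independent, the entry probably belongs in sys/conf/NOTES so that LINT kernels on other architectures also compile the PRIV_NET_TAP path; this is inferred from the paths, so please confirm. The added comment should also state the consequence of leaving the option out, for example `# Without this option, opening a tap device is gated only by devfs node permissions.`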
>@@ -486,7 +483,7 @@ tunclone(void *arg, struct ucred *cred, char *name, int namelen,
> mayclone = priv_check_cred(cred, PRIV_NET_IFCREATE) == 0;
> if ((tunflags & TUN_L2) != 0) {
> /* tap/vmnet allow user open with a sysctl */
>- mayclone = (mayclone || tap_allow_uopen) && tapdclone;
>+ mayclone = mayclone && tapdclone;
> } else {
> mayclone = mayclone && tundclone;
> }
>@@ -852,16 +849,16 @@ tunopen(struct cdev *dev, int flag, int mode, struct thread *td)
> return (error); /* Shouldn't happen */
> }
>
>+#ifdef TAP_OPEN_PRIVILEGED
> if ((tunflags & TUN_L2) != 0) {
> /* Restrict? */
>- if (tap_allow_uopen == 0) {
>- error = priv_check(td, PRIV_NET_TAP);
>- if (error != 0) {
>- CURVNET_RESTORE();
>- return (error);
>- }
>+ error = priv_check(td, PRIV_NET_TAP);
>+ if (error != 0) {
>+ CURVNET_RESTORE();
>+ return (error);
> }
> }
>+#endif
>
> /*
> * XXXRW: Non-atomic test and set of dev->si_drv1 requires
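Review bot: The context comment `/* tap/vmnet allow user open with a sysctl */` above the changed assignment in tunclone() is stale once tap_allow_uopen is removed, and it now misdescribes the policy. After this change, cloning a tap/vmnet node always requires PRIV_NET_IFCREATE, even on kernels built without TAP_OPEN_PRIVILEGED, where opening an existing node is left to devfs permissions. A comment such as `/* tap/vmnet: cloning always requires PRIV_NET_IFCREATE */` would make that asymmetry explicit. tunclone() starts and ends outside the hunk.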
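Review bot: The PRIV_NET_TAP check in tunopen() now fails open by default. The removed `tap_allow_uopen = 0` initializer kept the check active unless an administrator opted out, whereas the `#ifdef TAP_OPEN_PRIVILEGED` block compiles it away on every kernel that does not set the option. A system that relied on the old default loses the check on upgrade with no runtime knob to restore it, and access then rests only on the tap device node permissions and on whichever devfs rulesets expose those nodes (the effect inside jails is worth confirming). Consider inverting the option so the check stays compiled in unless explicitly disabled, and replace the stale `/* Restrict? */` with something like `/* Require PRIV_NET_TAP on top of devfs node permissions. */`. tunopen() starts and ends outside the hunk.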
Attachments on
bug 200185
:
156767
| 207504