Attachment 207504 Details for Bug 200185 – git(1) diff

[patch] git(1) diff

tappriv.diff (text/plain), 2.77 KB, created by Kyle Evans on 2019-09-15 02:18:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Kyle Evans

Created: 2019-09-15 02:18:22 UTC

Size: 2.77 KB

patch

obsolete

>diff --git a/sys/amd64/conf/NOTES b/sys/amd64/conf/NOTES
>index 86308526749..2411cab04f8 100644
>--- a/sys/amd64/conf/NOTES
>+++ b/sys/amd64/conf/NOTES
>@@ -113,6 +113,11 @@ options 	IPOIB
> options 	IPOIB_DEBUG
> options 	IPOIB_CM
> 
>+# Opening tap devices is a privilege; requires PRIV_NET_TAP/super-user.
>+# The alternative (default) behavior is to leave control to user/group node
>+# permissions.
>+options 	TAP_OPEN_PRIVILEGED
>+
> 
> #####################################################################
> # CLOCK OPTIONS
>diff --git a/sys/conf/options b/sys/conf/options
>index 6957a2d236e..63193288b51 100644
>--- a/sys/conf/options
>+++ b/sys/conf/options
>@@ -449,6 +449,7 @@ RADIX_MPATH		opt_mpath.h
> ROUTETABLES		opt_route.h
> RSS			opt_rss.h
> SLIP_IFF_OPTS		opt_slip.h
>+TAP_OPEN_PRIVILEGED	opt_global.h
> TCPDEBUG
> TCPPCAP		opt_global.h
> SIFTR
>diff --git a/sys/net/if_tuntap.c b/sys/net/if_tuntap.c
>index 54694240897..869d922a86c 100644
>--- a/sys/net/if_tuntap.c
>+++ b/sys/net/if_tuntap.c
>@@ -154,7 +154,6 @@ static const char vmnetname[] = "vmnet";
> static MALLOC_DEFINE(M_TUN, tunname, "Tunnel Interface");
> static int tundebug = 0;
> static int tundclone = 1;
>-static int tap_allow_uopen = 0;	/* allow user open() */
> static int tapuponopen = 0;	/* IFF_UP on open() */
> static int tapdclone = 1;	/* enable devfs cloning */
> 
>@@ -174,8 +173,6 @@ SYSCTL_INT(_net_link_tun, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tundclone, 0,
> /* tap */
> static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
>     "Ethernet tunnel software network interface");
>-SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tap_allow_uopen, 0,
>-    "Allow user to open /dev/tap (based on node permissions)");
> SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0,
>     "Bring interface up when /dev/tap is opened");
> SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0,
>@@ -486,7 +483,7 @@ tunclone(void *arg, struct ucred *cred, char *name, int namelen,
> 	mayclone = priv_check_cred(cred, PRIV_NET_IFCREATE) == 0;
> 	if ((tunflags & TUN_L2) != 0) {
> 		/* tap/vmnet allow user open with a sysctl */
>-		mayclone = (mayclone || tap_allow_uopen) && tapdclone;
>+		mayclone = mayclone && tapdclone;
> 	} else {
> 		mayclone = mayclone && tundclone;
> 	}
>@@ -852,16 +849,16 @@ tunopen(struct cdev *dev, int flag, int mode, struct thread *td)
> 		return (error);	/* Shouldn't happen */
> 	}
> 
>+#ifdef TAP_OPEN_PRIVILEGED
> 	if ((tunflags & TUN_L2) != 0) {
> 		/* Restrict? */
>-		if (tap_allow_uopen == 0) {
>-			error = priv_check(td, PRIV_NET_TAP);
>-			if (error != 0) {
>-				CURVNET_RESTORE();
>-				return (error);
>-			}
>+		error = priv_check(td, PRIV_NET_TAP);
>+		if (error != 0) {
>+			CURVNET_RESTORE();
>+			return (error);
> 		}
> 	}
>+#endif
> 
> 	/*
> 	 * XXXRW: Non-atomic test and set of dev->si_drv1 requires

Actions: View | Diff

Attachments on bug 200185: 156767 | 207504