Page MenuHomeFreeBSD
Differential D54982

ip_mroute: Make privilege checking more consistent
ClosedPublic
Actions

Authored by markj on Jan 30 2026, 8:47 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Mar 2, 2:21 PM
Unknown Object (File)
Tue, Feb 24, 12:22 AM
Unknown Object (File)
Tue, Feb 17, 10:44 PM
Unknown Object (File)
Sat, Feb 14, 11:43 PM
Unknown Object (File)
Sat, Feb 14, 1:06 AM
Unknown Object (File)
Thu, Feb 12, 7:15 AM
Unknown Object (File)
Feb 2 2026, 2:08 AM
Unknown Object (File)
Feb 1 2026, 1:15 PM
View All 12 Files
Subscribers
ae
glebius
imp
melifaro

Details

Reviewers
glebius
Group Reviewers
network
Commits
rG2e8f0a46d391: ip_mroute: Make privilege checking more consistent
rGbba9e2072966: ip_mroute: Make privilege checking more consistent
rG74839871be36: ip_mroute: Make privilege checking more consistent
Summary
  • The v6 socket option and ioctl handlers had no privilege checks at all. The socket options, I believe, can only be reached via a raw socket, but a jailed root user with a raw socket shouldn't be able to configure multicast routing in a non-VNET jail. The ioctls can only be used to fetch stats.
  • Delete a bogus comment in X_mrt_ioctl(), one can issue multicast routing ioctls against any socket. Note that the call path is soo_ioctl()->rtioctl_fib()->mrt_ioctl().

I think all of the mroute privilege checks should be done within the
ip(6)_mroute code, but let's first make the v4 and v6 modules
consistent.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jan 30 2026, 8:47 PM
Herald added subscribers: glebius, melifaro, ae, imp. · View Herald TranscriptJan 30 2026, 8:47 PM
markj requested review of this revision.Jan 30 2026, 8:47 PM
Harbormaster completed remote builds in B70252: Diff 170809.Jan 30 2026, 8:47 PM
markj added a child revision: D54983: ip6_mroute: Make MF6CFIND a regular function.Jan 30 2026, 8:51 PM
glebius accepted this revision as: glebius.Jan 30 2026, 9:41 PM
glebius added inline comments.
sys/netinet6/ip6_mroute.c
467–481

More lapidary version

This revision is now accepted and ready to land.Jan 30 2026, 9:41 PM
markj added inline comments.Jan 30 2026, 9:53 PM
sys/netinet6/ip6_mroute.c
467–481

Yeah, but I also want to keep the style consistent between the v4 and v6 code.

I have some further changes to these files coming (FIB-aware multicast routing tables) and will make this change in a later patch.

Closed by commit rG74839871be36: ip_mroute: Make privilege checking more consistent (authored by markj). · Explain WhyFeb 2 2026, 4:56 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG74839871be36: ip_mroute: Make privilege checking more consistent.
markj added a commit: rGbba9e2072966: ip_mroute: Make privilege checking more consistent.Mon, Feb 16, 3:45 PM
markj added a commit: rG2e8f0a46d391: ip_mroute: Make privilege checking more consistent.Mon, Feb 16, 7:48 PM

Revision Contents
Changeset List

PathSize
sys/
netinet/
5 lines
netinet6/
15 lines
6 lines

Diff 170995

View Options

sys/netinet/ip_mroute.c

Loading...
View Options

sys/netinet6/ip6_mroute.c

Loading...
View Options

sys/netinet6/raw_ip6.c

Loading...