D56390.id175561.diff
No OneTemporary
Actions

Size

12 KB

Referenced Files

None

Subscribers

None

D56390.id175561.diff
View Options

	diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h
	--- a/sys/netlink/netlink_ctl.h
	+++ b/sys/netlink/netlink_ctl.h
	@@ -89,6 +89,8 @@
	uint32_t cmd_flags;
	uint32_t cmd_priv;
	uint32_t cmd_num;
	+ bool cmd_securelevel_set;
	+ uint32_t cmd_securelevel;
	};

	uint16_t genl_register_family(const char *family_name, size_t hdrsize,
	diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c
	--- a/sys/netlink/netlink_generic.c
	+++ b/sys/netlink/netlink_generic.c
	@@ -150,6 +150,13 @@
	return (EPERM);
	}

	+ if (cmd->cmd_securelevel_set &&
	+ securelevel_gt(nlp_get_cred(nlp), cmd->cmd_securelevel)) {
	+ NLP_LOG(LOG_DEBUG, nlp, "family %s: cmd %d securelevel_gt() failed",
	+ gf->family_name, ghdr->cmd);
	+ return (EPERM);
	+ }
	+
	NLP_LOG(LOG_DEBUG2, nlp, "received family %s cmd %s(%d) len %d",
	gf->family_name, cmd->cmd_name, ghdr->cmd, hdr->nlmsg_len);

	diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
	--- a/sys/netpfil/pf/pf_nl.c
	+++ b/sys/netpfil/pf/pf_nl.c
	@@ -2872,6 +2872,8 @@
	.cmd_cb = pf_handle_getstates,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GETCREATORS,
	@@ -2879,6 +2881,8 @@
	.cmd_cb = pf_handle_getcreators,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_START,
	@@ -2886,6 +2890,7 @@
	.cmd_cb = pf_handle_start,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_STOP,
	@@ -2893,6 +2898,7 @@
	.cmd_cb = pf_handle_stop,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_ADDRULE,
	@@ -2900,6 +2906,7 @@
	.cmd_cb = pf_handle_addrule,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_GETRULES,
	@@ -2907,6 +2914,8 @@
	.cmd_cb = pf_handle_getrules,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GETRULE,
	@@ -2914,6 +2923,8 @@
	.cmd_cb = pf_handle_getrule,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_CLRSTATES,
	@@ -2921,6 +2932,7 @@
	.cmd_cb = pf_handle_clear_states,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_KILLSTATES,
	@@ -2928,6 +2940,7 @@
	.cmd_cb = pf_handle_kill_states,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_SET_STATUSIF,
	@@ -2935,6 +2948,7 @@
	.cmd_cb = pf_handle_set_statusif,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_GET_STATUS,
	@@ -2942,6 +2956,8 @@
	.cmd_cb = pf_handle_get_status,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_CLEAR_STATUS,
	@@ -2949,6 +2965,7 @@
	.cmd_cb = pf_handle_clear_status,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_NATLOOK,
	@@ -2956,6 +2973,8 @@
	.cmd_cb = pf_handle_natlook,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SET_DEBUG,
	@@ -2963,6 +2982,7 @@
	.cmd_cb = pf_handle_set_debug,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_SET_TIMEOUT,
	@@ -2970,6 +2990,7 @@
	.cmd_cb = pf_handle_set_timeout,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_GET_TIMEOUT,
	@@ -2977,6 +2998,8 @@
	.cmd_cb = pf_handle_get_timeout,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SET_LIMIT,
	@@ -2984,6 +3007,7 @@
	.cmd_cb = pf_handle_set_limit,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_GET_LIMIT,
	@@ -2991,6 +3015,8 @@
	.cmd_cb = pf_handle_get_limit,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_BEGIN_ADDRS,
	@@ -2998,6 +3024,8 @@
	.cmd_cb = pf_handle_begin_addrs,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_ADD_ADDR,
	@@ -3005,6 +3033,8 @@
	.cmd_cb = pf_handle_add_addr,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GET_ADDRS,
	@@ -3012,6 +3042,8 @@
	.cmd_cb = pf_handle_get_addrs,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GET_ADDR,
	@@ -3019,6 +3051,8 @@
	.cmd_cb = pf_handle_get_addr,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GET_RULESETS,
	@@ -3026,6 +3060,8 @@
	.cmd_cb = pf_handle_get_rulesets,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GET_RULESET,
	@@ -3033,6 +3069,8 @@
	.cmd_cb = pf_handle_get_ruleset,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_GET_SRCNODES,
	@@ -3040,6 +3078,8 @@
	.cmd_cb = pf_handle_get_srcnodes,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_CLEAR_TABLES,
	@@ -3047,6 +3087,7 @@
	.cmd_cb = pf_handle_clear_tables,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_ADD_TABLE,
	@@ -3054,6 +3095,7 @@
	.cmd_cb = pf_handle_add_table,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_DEL_TABLE,
	@@ -3061,6 +3103,7 @@
	.cmd_cb = pf_handle_del_table,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_GET_TSTATS,
	@@ -3068,6 +3111,8 @@
	.cmd_cb = pf_handle_get_tstats,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_CLR_TSTATS,
	@@ -3075,6 +3120,8 @@
	.cmd_cb = pf_handle_clear_tstats,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_CLR_ADDRS,
	@@ -3082,6 +3129,8 @@
	.cmd_cb = pf_handle_clear_addrs,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_ADD_ADDR,
	@@ -3089,6 +3138,8 @@
	.cmd_cb = pf_handle_table_add_addrs,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_DEL_ADDR,
	@@ -3096,6 +3147,8 @@
	.cmd_cb = pf_handle_table_del_addrs,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_SET_ADDR,
	@@ -3103,6 +3156,8 @@
	.cmd_cb = pf_handle_table_set_addrs,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_GET_ADDR,
	@@ -3110,6 +3165,8 @@
	.cmd_cb = pf_handle_table_get_addrs,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_GET_ASTATS,
	@@ -3117,6 +3174,8 @@
	.cmd_cb = pf_handle_table_get_astats,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_CLEAR_ASTATS,
	@@ -3124,6 +3183,8 @@
	.cmd_cb = pf_handle_table_clear_astats,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_STATE_LIMITER_ADD,
	@@ -3131,6 +3192,7 @@
	.cmd_cb = pf_handle_state_limiter_add,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_STATE_LIMITER_GET,
	@@ -3138,6 +3200,8 @@
	.cmd_cb = pf_handle_state_limiter_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_STATE_LIMITER_NGET,
	@@ -3145,6 +3209,8 @@
	.cmd_cb = pf_handle_state_limiter_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_LIMITER_ADD,
	@@ -3152,6 +3218,7 @@
	.cmd_cb = pf_handle_source_limiter_add,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_LIMITER_GET,
	@@ -3159,6 +3226,8 @@
	.cmd_cb = pf_handle_source_limiter_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_LIMITER_NGET,
	@@ -3166,6 +3235,8 @@
	.cmd_cb = pf_handle_source_limiter_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_GET,
	@@ -3173,6 +3244,8 @@
	.cmd_cb = pf_handle_source_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_NGET,
	@@ -3180,6 +3253,8 @@
	.cmd_cb = pf_handle_source_get,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_SOURCE_CLEAR,
	@@ -3187,6 +3262,8 @@
	.cmd_cb = pf_handle_source_clear,
	.cmd_flags = GENL_CMD_CAP_DO \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	{
	.cmd_num = PFNL_CMD_TABLE_TEST_ADDRS,
	@@ -3194,6 +3271,8 @@
	.cmd_cb = pf_handle_table_test_addrs,
	.cmd_flags = GENL_CMD_CAP_DUMP \| GENL_CMD_CAP_HASPOL,
	.cmd_priv = PRIV_NETINET_PF,
	+ .cmd_securelevel_set = true,
	+ .cmd_securelevel = 2,
	},
	};

File Metadata

Mime Type: text/plain
Expires: Wed, Apr 22, 12:55 AM (17 h, 14 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 31943245
Default Alt Text: D56390.id175561.diff (12 KB)

D56390.id175561.diffNo OneTemporaryActions

D56390.id175561.diffView Options

File Metadata

Event Timeline

D56390.id175561.diff
No OneTemporary
Actions

D56390.id175561.diff
View Options