author | mdodd <mdodd@FreeBSD.org> | 2005-04-13 00:30:19 +0000 |
---|---|---|
committer | mdodd <mdodd@FreeBSD.org> | 2005-04-13 00:30:19 +0000 |
commit | 6f55c85dec1eb335caa95ef07d9644fb0d921e7f (patch) | |
tree | 7ac18311de6a6c0737fba69f89947b682bfb6aa8 | |
parent | bdcac6ad82d9d15d367abad3a4d81e966455070b (diff) | |
Provide a sysctl (net.link.tap.user_open) to allow unprivileged
access to tap(4) device nodes based on file system permissions.
Duplicate the 'debug.if_tap_debug' sysctl under the
'net.link.tap' hierarchy.
-rw-r--r-- | share/man/man4/tap.4 | 6 | ||||
-rw-r--r-- | sys/net/if_tap.c | 15 |
2 files changed, 17 insertions, 4 deletions
diff --git a/share/man/man4/tap.4 b/share/man/man4/tap.4
index 6932b79..c82220b 100644
--- a/share/man/man4/tap.4
+++ b/share/man/man4/tap.4
@@ -85,7 +85,11 @@ The Ethernet tunnel device, normally
 .Pa /dev/tap Ns Sy N ,
 is exclusive-open
 (it cannot be opened if it is already open)
-and is restricted to the super-user.
+and is restricted to the super-user, unless the
+.Xr sysctl 8
+variable
+.Va net.link.tap.user_open
+is non-zero.
 A
 .Fn read
 call will return an error
diff --git a/sys/net/if_tap.c b/sys/net/if_tap.c
index 601b95d..cc07baf 100644
--- a/sys/net/if_tap.c
+++ b/sys/net/if_tap.c
@@ -116,12 +116,21 @@ static struct cdevsw tap_cdevsw = {
  */
 static struct mtx tapmtx;
 static int tapdebug = 0; /* debug flag */
+static int tapuopen = 0; /* allow user open() */
 static SLIST_HEAD(, tap_softc) taphead; /* first device */
 static struct clonedevs *tapclones;
 
 MALLOC_DECLARE(M_TAP);
 MALLOC_DEFINE(M_TAP, CDEV_NAME, "Ethernet tunnel interface");
 SYSCTL_INT(_debug, OID_AUTO, if_tap_debug, CTLFLAG_RW, &tapdebug, 0, "");
+
+SYSCTL_DECL(_net_link);
+SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0,
+    "Ethernet tunnel software network interface");
+SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0,
+    "Allow user to open /dev/tap (based on node permissions)");
+SYSCTL_INT(_net_link_tap, OID_AUTO, debug, CTLFLAG_RW, &tapdebug, 0, "");
+
 DEV_MODULE(if_tap, tapmodevent, NULL);
 
 /*
@@ -345,10 +354,10 @@ tapopen(dev, flag, mode, td)
 {
 	struct tap_softc *tp = NULL;
 	struct ifnet *ifp = NULL;
-	int error, s;
+	int s;
 
-	if ((error = suser(td)) != 0)
-		return (error);
+	if (tapuopen == 0 && suser(td) != 0)
+		return (EPERM);
 
 	if ((dev2unit(dev) & CLONE_UNITMASK) > TAPMAXUNIT)
 		return (ENXIO);
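Review bot: Once `tapuopen` is non-zero the open in the tapopen hunk performs no privilege check at all, so the devfs node mode becomes the only barrier to what is effectively raw Ethernet frame injection and capture on the host, and the `if (tapuopen == 0 && suser(td) != 0)` line should carry a comment making that explicit, e.g. `/* user_open: trust the devfs node mode alone; anyone who can open the node can inject and read raw frames */`. Nothing in this diff changes the mode the clone handler assigns to new nodes, so if that default is root-only (not visible here) flipping the sysctl alone grants nothing and administrators also need a devfs.rules entry; the user_open description string and the tap.4 text should say so, since "based on node permissions" reads as if the sysctl were sufficient on its own. tapopen's signature appears only in the hunk header and its body continues past the hunk.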