Consistently check IPFW and DUMMYNET privileges in the configuration

routines for those modules, rather than in the raw socket code. This each privilege check to occur in exactly once place and avoids duplicate checks across layers. MFC after: 3 weeks Sponsored by: nCircle Network Security, Inc.
author: rwatson <rwatson@FreeBSD.org> 2008-05-22 08:10:31 +0000
committer: rwatson <rwatson@FreeBSD.org> 2008-05-22 08:10:31 +0000
commit: fcb43193c14228863028d3c578b5170bd69fe2b1 (patch)
tree: b9eca2176d669da65b71653524c7630da25b3848 /sys/netinet/ip_dummynet.c
parent: 8a79fc60dccfc8500086afa4f3cd081c86aec025 (diff)
download: FreeBSD-src-fcb43193c14228863028d3c578b5170bd69fe2b1.zip
FreeBSD-src-fcb43193c14228863028d3c578b5170bd69fe2b1.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet/ip_dummynet.c b/sys/netinet/ip_dummynet.c
index fc10349..a7c0a31 100644
--- a/sys/netinet/ip_dummynet.c
+++ b/sys/netinet/ip_dummynet.c
@@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -2124,6 +2125,10 @@ ip_dn_ctl(struct sockopt *sopt)
     int error = 0 ;
     struct dn_pipe *p, tmp_pipe;
 
+    error = priv_check(sopt->sopt_td, PRIV_NETINET_DUMMYNET);
+    if (error)
+	return (error);
+
     /* Disallow sets in really-really secure mode. */
     if (sopt->sopt_dir == SOPT_SET) {
 #if __FreeBSD_version >= 500034
author	rwatson <rwatson@FreeBSD.org>	2008-05-22 08:10:31 +0000
committer	rwatson <rwatson@FreeBSD.org>	2008-05-22 08:10:31 +0000
commit	fcb43193c14228863028d3c578b5170bd69fe2b1 (patch)
tree	b9eca2176d669da65b71653524c7630da25b3848 /sys/netinet/ip_dummynet.c
parent	8a79fc60dccfc8500086afa4f3cd081c86aec025 (diff)
download	FreeBSD-src-fcb43193c14228863028d3c578b5170bd69fe2b1.zip FreeBSD-src-fcb43193c14228863028d3c578b5170bd69fe2b1.tar.gz