author | rwatson <rwatson@FreeBSD.org> | 2008-05-22 08:10:31 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2008-05-22 08:10:31 +0000 |
commit | fcb43193c14228863028d3c578b5170bd69fe2b1 (patch) | |
tree | b9eca2176d669da65b71653524c7630da25b3848 /sys/netinet/ip_dummynet.c | |
parent | 8a79fc60dccfc8500086afa4f3cd081c86aec025 (diff) | |
Consistently check IPFW and DUMMYNET privileges in the configuration
routines for those modules, rather than in the raw socket code. This
allows each privilege check to occur in exactly one place and avoids
duplicate checks across layers.
MFC after: 3 weeks
Sponsored by: nCircle Network Security, Inc.
Diffstat (limited to 'sys/netinet/ip_dummynet.c')
-rw-r--r-- | sys/netinet/ip_dummynet.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sys/netinet/ip_dummynet.c b/sys/netinet/ip_dummynet.c index fc10349..a7c0a31 100644 --- a/sys/netinet/ip_dummynet.c +++ b/sys/netinet/ip_dummynet.c @@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$"); #include <sys/mbuf.h> #include <sys/kernel.h> #include <sys/module.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/socket.h> #include <sys/socketvar.h> @@ -2124,6 +2125,10 @@ ip_dn_ctl(struct sockopt *sopt) int error = 0 ; struct dn_pipe *p, tmp_pipe; + error = priv_check(sopt->sopt_td, PRIV_NETINET_DUMMYNET); + if (error) + return (error); + /* Disallow sets in really-really secure mode. */ if (sopt->sopt_dir == SOPT_SET) { #if __FreeBSD_version >= 500034 |
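Review bot: The new priv_check() call at the top of ip_dn_ctl() has no comment, and because it sits ahead of the sopt->sopt_dir == SOPT_SET test it gates reads of the dummynet configuration as well as sets. If that is the intent, a one-line comment saying that PRIV_NETINET_DUMMYNET is required for both directions would make it clear to the next reader, in the same way the following block is annotated with "Disallow sets in really-really secure mode". Since error is now assigned unconditionally before its first use, the initializer in "int error = 0 ;" is dead and can be dropped. The diffstat here is limited to sys/netinet/ip_dummynet.c, so the removal of the matching check from the raw socket code that the commit message describes is not visible in this view; it is worth confirming that both halves land together so no path reaches ip_dn_ctl() unchecked or checked twice.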