authorcsjp <csjp@FreeBSD.org>2004-05-25 15:02:12 +0000
committercsjp <csjp@FreeBSD.org>2004-05-25 15:02:12 +0000
commit3006bc70da5b3015f4097e9102837d74565796bb (patch)
tree83b7698189e686857861870bed86efee35ecc31e /sys/netinet/ip_fw2.c
parentb9afd62a76cd169a61b5a7f64a87d54193678755 (diff)
Add a super-user check to ipfw_ctl() to make sure that the calling
process is a non-prison root. The security.jail.allow_raw_sockets sysctl variable is disabled by default, however if the user enables raw sockets in prisons, prison-root should not be able to interact with firewall rule sets. Approved by: rwatson, bmilekic (mentor)
Diffstat (limited to 'sys/netinet/ip_fw2.c')
-rw-r--r--sys/netinet/ip_fw2.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index e440f01..924347b 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -2778,6 +2778,10 @@ ipfw_ctl(struct sockopt *sopt)
struct ip_fw *buf, *rule;
u_int32_t rulenum[2];
+ error = suser(sopt->sopt_td);
+ if (error)
+ return (error);
+
/*
* Disallow modifications in really-really secure mode, but still allow
* the logging counters to be reset.
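Review bot: The added `suser(sopt->sopt_td)` call carries the whole jail restriction implicitly, and nothing at the call site says so. As far as I can tell, the denial of prison-root depends on plain suser() rejecting jailed credentials, so a later switch to a jail-permitting variant would silently reopen the firewall rule set to prisons that have raw sockets enabled. I would put a comment above the check, for example `/* Only non-jailed root may touch the rule set; suser() denies jailed processes even when security.jail.allow_raw_sockets is set. */`. The check sits ahead of the option handling, so it also gates the read-only requests, which is worth stating in the same comment if that is intended. The body of ipfw_ctl() starts and ends outside this hunk, so the declaration of `error` and the remaining paths are not visible here.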