authorbz <bz@FreeBSD.org>2008-02-02 14:11:31 +0000
committerbz <bz@FreeBSD.org>2008-02-02 14:11:31 +0000
commitcfb85f0c07e631c309f5158c6aeebac935619b92 (patch)
treedbf75dec875afa39ded965d6896a91bf2171580d /sys/netinet6/ip6_output.c
parentddf9fd25a8b759fac39499e04a7624ae5c938dd0 (diff)
Rather than passing around a cached 'priv', pass in a ucred to
ipsec*_set_policy and do the privilege check only if needed.

Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy.

Reviewed by: rwatson
Diffstat (limited to 'sys/netinet6/ip6_output.c')
-rw-r--r--sys/netinet6/ip6_output.c35
1 files changed, 9 insertions, 26 deletions
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 4b6c52e..8f7caa5 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -68,15 +68,16 @@ __FBSDID("$FreeBSD$");
#include "opt_ipsec.h"
#include <sys/param.h>
+#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/mbuf.h>
-#include <sys/proc.h>
#include <sys/errno.h>
#include <sys/priv.h>
+#include <sys/proc.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
-#include <sys/kernel.h>
+#include <sys/ucred.h>
#include <net/if.h>
#include <net/netisr.h>
@@ -1767,39 +1768,21 @@ do { \
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
- {
- caddr_t req = NULL;
- size_t len = 0;
+ {
+ caddr_t req;
struct mbuf *m;
- int priv = 0;
if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
break;
if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
break;
- if (m) {
- req = mtod(m, caddr_t);
- len = m->m_len;
- }
- if (sopt->sopt_td != NULL) {
- /*
- * XXXRW/XXX-BZ: Would be more desirable to do
- * this one layer down so that we only exercise
- * privilege if it is needed.
- */
- error = priv_check(sopt->sopt_td,
- PRIV_NETINET_IPSEC);
- if (error)
- priv = 0;
- else
- priv = 1;
- } else
- priv = 1;
+ req = mtod(m, caddr_t);
error = ipsec6_set_policy(in6p, optname, req,
- len, priv);
+ m->m_len, (sopt->sopt_td != NULL) ?
+ sopt->sopt_td->td_ucred : NULL);
m_freem(m);
- }
break;
+ }
#endif /* IPSEC */
default:
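Review bot: The new `ipsec6_set_policy()` call passes `NULL` as the credential when `sopt->sopt_td` is NULL, and nothing at the call site says what that means. Presumably the callee treats a NULL ucred as an in-kernel request and skips the `PRIV_NETINET_IPSEC` check, as the removed `priv = 1` branch did. Since this is now the only place that decision is made, it deserves a comment such as `/* NULL cred: in-kernel caller, privilege check is skipped in ipsec6_set_policy() */`, to be confirmed against the callee, which is not in this diff. The change also drops the old `if (m)` guard, so `mtod(m, caddr_t)` and `m->m_len` rely on `soopt_getm()` never returning success with a NULL mbuf; `KASSERT(m != NULL, ("%s: soopt_getm returned NULL mbuf", __func__));` before the `mtod()` would document that assumption. The enclosing switch and function begin and end outside this hunk.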