Add a comment above rip_ctloutput() documenting that the privilege

check for raw IP system management operations is often (although
not always) implicit due to the namespacing of raw IP sockets.  I.e.,
you have to have privilege to get a raw IP socket, so much of the
management code sitting on raw IP sockets assumes that any requests
on the socket should be granted privilege.

Obtained from:	TrustedBSD Project
Product of:	France

1 files changed, 10 insertions, 0 deletions

diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index e4e4eb2..dd40eb0 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -328,6 +328,16 @@ rip_output(m, so, dst)
 
 /*
  * Raw IP socket option processing.
+ *
+ * Note that access to all of the IP administrative functions here is
+ * implicitly protected by suser() as gaining access to a raw socket
+ * requires either that the thread pass a suser() check, or that it be
+ * passed a raw socket by another thread that has passed a suser() check.
+ * If FreeBSD moves to a more fine-grained access control mechanism,
+ * additional checks will need to be placed here if the raw IP attachment
+ * check is not equivilent the the check required for these
+ * administrative operations; in some cases, these checks are already
+ * present.
  */
 int
 rip_ctloutput(so, sopt)