diff options
author | csjp <csjp@FreeBSD.org> | 2004-05-25 15:02:12 +0000 |
---|---|---|
committer | csjp <csjp@FreeBSD.org> | 2004-05-25 15:02:12 +0000 |
commit | 3006bc70da5b3015f4097e9102837d74565796bb (patch) | |
tree | 83b7698189e686857861870bed86efee35ecc31e /sys/netinet | |
parent | b9afd62a76cd169a61b5a7f64a87d54193678755 (diff) | |
download | FreeBSD-src-3006bc70da5b3015f4097e9102837d74565796bb.zip FreeBSD-src-3006bc70da5b3015f4097e9102837d74565796bb.tar.gz |
Add a super-user check to ipfw_ctl() to make sure that the calling
process is a non-prison root. The security.jail.allow_raw_sockets
sysctl variable is disabled by default, however if the user enables
raw sockets in prisons, prison-root should not be able to interact
with firewall rule sets.
Approved by: rwatson, bmilekic (mentor)
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_fw2.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index e440f01..924347b 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -2778,6 +2778,10 @@ ipfw_ctl(struct sockopt *sopt) struct ip_fw *buf, *rule; u_int32_t rulenum[2]; + error = suser(sopt->sopt_td); + if (error) + return (error); + /* * Disallow modifications in really-really secure mode, but still allow * the logging counters to be reset. |