From cfb85f0c07e631c309f5158c6aeebac935619b92 Mon Sep 17 00:00:00 2001 From: bz Date: Sat, 2 Feb 2008 14:11:31 +0000 Subject: Rather than passing around a cached 'priv', pass in an ucred to ipsec*_set_policy and do the privilege check only if needed. Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy. Reviewed by: rwatson --- sys/netinet6/ip6_output.c | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) (limited to 'sys/netinet6') diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 4b6c52e..8f7caa5 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -68,15 +68,16 @@ __FBSDID("$FreeBSD$"); #include "opt_ipsec.h" #include +#include #include #include -#include #include #include +#include #include #include #include -#include +#include #include #include @@ -1767,39 +1768,21 @@ do { \ #ifdef IPSEC case IPV6_IPSEC_POLICY: - { - caddr_t req = NULL; - size_t len = 0; + { + caddr_t req; struct mbuf *m; - int priv = 0; if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */ break; if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */ break; - if (m) { - req = mtod(m, caddr_t); - len = m->m_len; - } - if (sopt->sopt_td != NULL) { - /* - * XXXRW/XXX-BZ: Would be more desirable to do - * this one layer down so that we only exercise - * privilege if it is needed. - */ - error = priv_check(sopt->sopt_td, - PRIV_NETINET_IPSEC); - if (error) - priv = 0; - else - priv = 1; - } else - priv = 1; + req = mtod(m, caddr_t); error = ipsec6_set_policy(in6p, optname, req, - len, priv); + m->m_len, (sopt->sopt_td != NULL) ? + sopt->sopt_td->td_ucred : NULL); m_freem(m); - } break; + } #endif /* IPSEC */ default: -- cgit v1.1
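Review bot: In the `IPV6_IPSEC_POLICY` case, the `NULL` credential passed to `ipsec6_set_policy()` when `sopt->sopt_td` is NULL now implicitly means "trusted kernel caller, skip the privilege check" (the removed code set `priv = 1` for that case), and nothing at the call site records that convention. The check itself moves into `ipsec6_set_policy()`, whose body is not part of this diff, so a comment here such as `/* NULL cred: kernel-internal request, no PRIV_NETINET_IPSEC check */` would make the fail-open case explicit for future callers. The new code also drops the old `if (m)` guard and dereferences `m` unconditionally in `mtod(m, caddr_t)` and `m->m_len`. That presumably relies on `soopt_getm()` never returning success with a NULL mbuf, which is worth pinning with `KASSERT(m != NULL, ("%s: m is NULL", __func__));` or a short comment. The enclosing `switch` and function begin and end outside the hunk.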