diff options
| author |   deraadt <deraadt@openbsd.org> | 2015-10-08 13:25:04 +0000 |
|---|---|---|
| committer | deraadt <deraadt@openbsd.org> | 2015-10-08 13:25:04 +0000 |
| commit | b8972d52f9e872bd4976ccc80e503b0d1282ec87 (patch) | |
| tree | 71e3abb15bf4468413d0a4fc4d6f1e279aef650f | |
| parent | Only in TAME_ROUTE, allow ioctl SIOCGIFADDR/SIOCGIFFLAGS/SIOCGIFRDOMAIN, (diff) | |
| download | wireguard-openbsd-b8972d52f9e872bd4976ccc80e503b0d1282ec87.tar.xz wireguard-openbsd-b8972d52f9e872bd4976ccc80e503b0d1282ec87.zip | |
setsockopt has a small list of options it can set. If we find ourselves
only in TAME_UNIX, stop trying after servicing SOL_SOCKET.
discussion with claudio
| -rw-r--r-- | sys/kern/kern_tame.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c index fc36a710d05..cc3e92a7f1f 100644 --- a/sys/kern/kern_tame.c +++ b/sys/kern/kern_tame.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_tame.c,v 1.68 2015/10/08 13:21:06 deraadt Exp $ */ +/* $OpenBSD: kern_tame.c,v 1.69 2015/10/08 13:25:04 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org> @@ -1083,6 +1083,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname) if ((p->p_p->ps_flags & PS_TAMED) == 0) return (0); + /* common case for TAME_UNIX and TAME_INET */ switch (level) { case SOL_SOCKET: switch (optname) { @@ -1090,6 +1091,12 @@ tame_setsockopt_check(struct proc *p, int level, int optname) return (EPERM); } return (0); + } + + if ((p->p_p->ps_tame & TAME_INET) == 0) + return (EPERM); + + switch (level) { case IPPROTO_TCP: switch (optname) { case TCP_NODELAY: |