authorderaadt <deraadt@openbsd.org>2015-10-08 17:29:43 +0000
committerderaadt <deraadt@openbsd.org>2015-10-08 17:29:43 +0000
commitdd845b5bee5f96dcbfdad93982cd3300670099a9 (patch)
tree1866ca73339acb44aec863b2643c0413c189d4d5
parentadd some tame calls. we may need a bunch of permissions to create files (diff)
Expose a small set of multicast join operators under the request "mcast".
This will be used by a few daemons. If they lack this feature, then they would need to operate without tame. Discussed with renato
-rw-r--r--sys/kern/kern_tame.c20
-rw-r--r--sys/sys/tame.h3
2 files changed, 20 insertions, 3 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index cc3e92a7f1f..3e7525f20ab 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.69 2015/10/08 13:25:04 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.70 2015/10/08 17:29:43 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -239,6 +239,7 @@ static const struct {
{ "recvfd", TAME_RW | TAME_RECVFD },
{ "ioctl", TAME_IOCTL },
{ "route", TAME_ROUTE },
+ { "mcast", TAME_MCAST },
{ "tty", TAME_TTY },
{ "proc", TAME_PROC },
{ "exec", TAME_EXEC },
@@ -1115,7 +1116,13 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
case IP_PORTRANGE:
case IP_RECVDSTADDR:
return (0);
- }
+ case IP_MULTICAST_IF:
+ case IP_ADD_MEMBERSHIP:
+ case IP_DROP_MEMBERSHIP:
+ if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+ return (0);
+ break;
+ }
break;
case IPPROTO_ICMP:
break;
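Review bot: The test on the new multicast cases looks inverted: `if ((p->p_p->ps_tame & TAME_MCAST) == 0) return (0);` returns 0, the same value the neighbouring always-allowed options such as IP_PORTRANGE and IP_RECVDSTADDR return, when the process did not request "mcast", and takes the `break` path when it did. As written, a tamed process without the promise gets IP_MULTICAST_IF, IP_ADD_MEMBERSHIP and IP_DROP_MEMBERSHIP through this check, while the daemons the commit message targets presumably reach whatever the function does after the switch, which is outside the hunk. The guard should read `if (p->p_p->ps_tame & TAME_MCAST) return (0);`. The IPv6 hunk that follows (IPV6_MULTICAST_IF, IPV6_JOIN_GROUP, IPV6_LEAVE_GROUP) uses the same condition and needs the same change.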
@@ -1125,7 +1132,16 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
case IPV6_RECVHOPLIMIT:
case IPV6_PORTRANGE:
case IPV6_RECVPKTINFO:
+#ifdef notyet
+ case IPV6_V6ONLY:
+#endif
return (0);
+ case IPV6_MULTICAST_IF:
+ case IPV6_JOIN_GROUP:
+ case IPV6_LEAVE_GROUP:
+ if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+ return (0);
+ break;
}
break;
case IPPROTO_ICMPV6:
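Review bot: The `#ifdef notyet` block around `case IPV6_V6ONLY:` is not mentioned in the commit message and compiles to nothing, so a reader cannot tell what it is waiting on. When it is enabled it will sit in the unconditional `return (0)` group, meaning every tamed process may set the option regardless of its promises; that decision deserves to be recorded. A one-line comment such as `/* XXX IPV6_V6ONLY: enable once <condition>; allowed for all tamed processes */` above the `#ifdef` would do, or the block could land as its own commit.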
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index e7591130fd6..abf668a0d25 100644
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.12 2015/10/07 19:52:54 deraadt Exp $ */
+/* $OpenBSD: tame.h,v 1.13 2015/10/08 17:29:43 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -45,6 +45,7 @@
#define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */
#define TAME_EXEC 0x00080000 /* execve, child is free of tame */
#define TAME_ROUTE 0x00100000 /* routing lookups */
+#define TAME_MCAST 0x00200000 /* multicast joins */
#define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */