authorreyk <reyk@openbsd.org>2015-12-03 13:08:44 +0000
committerreyk <reyk@openbsd.org>2015-12-03 13:08:44 +0000
commit091d9ffec32cd4cc119d9e5556e7da10f8655df1 (patch)
treed653790ab716af03bffe6ddf85e5798a977805e1 /usr.sbin/vmd/proc.h
parentaccross->across, and tweak wording about interface creation (diff)
Use PEERCRED to obtain the user id of the vmmctl user. This is used to
restrict write operations (start/stop/terminate/load) to root for now, while still allowing others to obtain the status. A more sophisticated model will follow later, but this change prevents non-root users, even those in the wheel group, from starting vms and thus from opening any files read-write as disks.
Diffstat (limited to 'usr.sbin/vmd/proc.h')
-rw-r--r--usr.sbin/vmd/proc.h4
1 files changed, 3 insertions, 1 deletions
diff --git a/usr.sbin/vmd/proc.h b/usr.sbin/vmd/proc.h
index b9228afed36..59ac73b1f1d 100644
--- a/usr.sbin/vmd/proc.h
+++ b/usr.sbin/vmd/proc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: proc.h,v 1.5 2015/12/03 08:42:11 reyk Exp $ */
+/* $OpenBSD: proc.h,v 1.6 2015/12/03 13:08:44 reyk Exp $ */
/*
* Copyright (c) 2010-2015 Reyk Floeter <reyk@openbsd.org>
@@ -16,6 +16,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <sys/socket.h>
#include <sys/queue.h>
#include <sys/uio.h>
@@ -76,6 +77,7 @@ struct ctl_conn {
unsigned int waiting;
#define CTL_CONN_NOTIFY 0x01
struct imsgev iev;
+ struct sockpeercred peercred;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
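Review bot: The new `peercred` member of `struct ctl_conn` has no comment saying where it is filled or that it backs the root-only check described in the commit message. If the connection struct is zero-allocated and the SO_PEERCRED lookup fails or is skipped, `peercred.uid` would read as 0, which is root, so the accept path should close the connection on failure rather than continue. This is inferred, because the code that fills the member is outside this proc.h-limited view. I would add `/* peer uid/gid/pid from SO_PEERCRED, captured once at accept; basis for access checks, drop the connection if the lookup fails */` above the member. The struct definition starts before this hunk, so any existing field documentation is not visible here.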