author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-07 19:52:55 +0000 |
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-07 19:52:55 +0000 |
commit | 8477f3f957d307968d49b31fa138fb1a6e221623 (patch) | |
tree | f1d0939eee5cdf82e7a22c8f62df22a5b6b125c6 | |
parent | 3d8e62749923b01053ebbbb7a469736de03b3dae (diff) |
Split out routing sysctl's from tame "inet", and put them into the
new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddrs(), since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato
-rw-r--r-- | sys/kern/kern_tame.c | 99 | ||||
-rw-r--r-- | sys/sys/tame.h | 3 |
2 files changed, 57 insertions, 45 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index eda216a81e7..ccd26b1b58e 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.66 2015/10/07 03:47:43 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.67 2015/10/07 19:52:54 deraadt Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -238,6 +238,7 @@ static const struct {
 { "sendfd", TAME_RW | TAME_SENDFD },
 { "recvfd", TAME_RW | TAME_RECVFD },
 { "ioctl", TAME_IOCTL },
+ { "route", TAME_ROUTE },
 { "tty", TAME_TTY },
 { "proc", TAME_PROC },
 { "exec", TAME_EXEC },
@@ -810,7 +811,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
 }
 int
-tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
+tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
 {
 if ((p->p_p->ps_flags & PS_TAMED) == 0)
 return (0);
@@ -818,64 +819,74 @@ tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
 if (new)
 return (EFAULT);
- /* setproctitle() */
- if (namelen == 2 &&
- name[0] == CTL_VM &&
- name[1] == VM_PSSTRINGS)
- return (0);
+ /* routing table observation */
+ if ((p->p_p->ps_tame & TAME_ROUTE)) {
+ if (miblen == 7 &&
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_DUMP)
+ return (0);
- /* getifaddrs() */
- if ((p->p_p->ps_tame & TAME_INET) &&
- namelen == 6 &&
- name[0] == CTL_NET && name[1] == PF_ROUTE &&
- name[2] == 0 && name[3] == 0 &&
- name[4] == NET_RT_IFLIST && name[5] == 0)
- return (0);
+ if (miblen == 6 &&
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_TABLE)
+ return (0);
- /* used by arp(8). Exposes MAC addresses known on local nets */
- /* XXX Put into a special catagory. */
- if ((p->p_p->ps_tame & TAME_INET) &&
- namelen == 7 &&
- name[0] == CTL_NET && name[1] == PF_ROUTE &&
- name[2] == 0 && name[3] == AF_INET &&
- name[4] == NET_RT_FLAGS && name[5] == RTF_LLINFO)
- return (0);
+ if (miblen == 7 && /* exposes MACs */
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 && mib[3] == AF_INET &&
+ mib[4] == NET_RT_FLAGS && mib[5] == RTF_LLINFO)
+ return (0);
+ }
+
+ if ((p->p_p->ps_tame & (TAME_ROUTE | TAME_INET))) {
+ if (miblen == 6 && /* getifaddrs() */
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_IFLIST)
+ return (0);
+ }
 /* used by ntpd(8) to read sensors. */
- /* XXX Put into a special catagory. */
- if (namelen >= 3 &&
- name[0] == CTL_HW && name[1] == HW_SENSORS)
+ if (miblen >= 3 &&
+ mib[0] == CTL_HW && mib[1] == HW_SENSORS)
 return (0);
- /* getdomainname(), gethostname(), getpagesize(), uname() */
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_DOMAINNAME)
+ if (miblen == 2 && /* getdomainname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_DOMAINNAME)
+ return (0);
+ if (miblen == 2 && /* gethostname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_HOSTNAME)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_HOSTNAME)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSTYPE)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSTYPE)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSRELEASE)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSRELEASE)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSVERSION)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSVERSION)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_VERSION)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_VERSION)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_HW && mib[1] == HW_MACHINE)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_HW && name[1] == HW_MACHINE)
+ if (miblen == 2 && /* getpagesize() */
+ mib[0] == CTL_HW && mib[1] == HW_PAGESIZE)
 return (0);
- if (namelen == 2 &&
- name[0] == CTL_HW && name[1] == HW_PAGESIZE)
+ if (miblen == 2 && /* setproctitle() */
+ mib[0] == CTL_VM && mib[1] == VM_PSSTRINGS)
 return (0);
 printf("%s(%d): sysctl %d: %d %d %d %d %d %d\n",
- p->p_comm, p->p_pid, namelen, name[0], name[1],
- name[2], name[3], name[4], name[5]);
+ p->p_comm, p->p_pid, miblen, mib[0], mib[1],
+ mib[2], mib[3], mib[4], mib[5]);
 return (EFAULT);
 }
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index 738ebacf319..e7591130fd6 100644
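Review bot: The new TAME_ROUTE checks pin mib[0]..mib[4] but leave the trailing elements unconstrained; in the `miblen == 7` NET_RT_DUMP case that includes mib[6], which in the net.route layout (af, op, arg, rtableid — inferred from rtsock.c, not visible here) selects the routing table, so a process that asked only for "route" can read any rtable rather than just its own. If that is wider than intended, accept `miblen == 6` so the kernel falls back to the caller's table, or add `mib[6] == p->p_p->ps_rtableid` (field name from memory — confirm). The old getifaddrs() rule also required `name[5] == 0`; dropping it looks deliberate but deserves a comment saying the interface-index argument is intentionally not policed. Separately, the debug `printf` at the end still reads mib[0]..mib[5] regardless of miblen, so a two-element request prints whatever sits past the copied-in entries; bound the output by miblen or print only the leading entries. tame_sysctl_check's opening lines are in the previous hunk.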
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.11 2015/10/07 03:47:43 deraadt Exp $ */
+/* $OpenBSD: tame.h,v 1.12 2015/10/07 19:52:54 deraadt Exp $ */
 /*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -44,6 +44,7 @@
 #define TAME_SENDFD 0x00020000 /* AF_UNIX CMSG fd sending */
 #define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */
 #define TAME_EXEC 0x00080000 /* execve, child is free of tame */
+#define TAME_ROUTE 0x00100000 /* routing lookups */
 #define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */
|
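Review bot: The comment on the new TAME_ROUTE define, `/* routing lookups */`, understates what the flag unlocks in kern_tame.c's sysctl check — routing-table dumps (NET_RT_DUMP, NET_RT_TABLE), the RTF_LLINFO listing that exposes neighbour MAC addresses, and the interface list — and the header is what a program author reads when deciding whether to request it. Suggest `/* routing table / ARP observation via sysctl */` so the scope is visible without opening the kernel source.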