diff options
| author | Sebastian Benoit <benno@cvs.openbsd.org> | 2015-11-29 01:15:50 +0000 |
|---|---|---|
| committer | Sebastian Benoit <benno@cvs.openbsd.org> | 2015-11-29 01:15:50 +0000 |
| commit | 9e759d90aa1138c03f70550b3dd408027d995863 (patch) | |
| tree | 12ca1a2658d209c8970461d2427a17ebb6f45c3b /sys/kern/kern_pledge.c | |
| parent | cf3fb13051572cb9fff8f33434dd26fa5845fb08 (diff) | |
Add pledge "pf" which allows ioctls on pf(4). This will be used by
relayd and other programs manipulating the packet filter.
ok deraadt@
Diffstat (limited to 'sys/kern/kern_pledge.c')
| -rw-r--r-- | sys/kern/kern_pledge.c | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index 8a72ea8047a..175378becb2 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.126 2015/11/28 18:10:12 benno Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.127 2015/11/29 01:15:49 benno Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org> @@ -48,6 +48,7 @@ #include <netinet6/in6_var.h> #include <netinet6/nd6.h> #include <netinet/tcp.h> +#include <net/pfvar.h> #include <sys/conf.h> #include <sys/specdev.h> @@ -337,6 +338,7 @@ static const struct { { "inet", PLEDGE_INET }, { "ioctl", PLEDGE_IOCTL }, { "mcast", PLEDGE_MCAST }, + { "pf", PLEDGE_PF }, { "proc", PLEDGE_PROC }, { "prot_exec", PLEDGE_PROTEXEC }, { "ps", PLEDGE_PS }, @@ -1198,6 +1200,27 @@ pledge_ioctl(struct proc *p, long com, struct file *fp) } } + if ((p->p_p->ps_pledge & PLEDGE_PF)) { + switch (com) { + case DIOCADDRULE: + case DIOCGETSTATUS: + case DIOCNATLOOK: + case DIOCRADDTABLES: + case DIOCRCLRADDRS: + case DIOCRCLRTABLES: + case DIOCRCLRTSTATS: + case DIOCRGETTSTATS: + case DIOCRSETADDRS: + case DIOCXBEGIN: + case DIOCXCOMMIT: + if ((fp->f_type == DTYPE_VNODE) && + (vp->v_type == VCHR) && + (cdevsw[major(vp->v_rdev)].d_open == pfopen)) + return (0); + break; + } + } + if ((p->p_p->ps_pledge & PLEDGE_TTY)) { switch (com) { #if NPTY > 0 @@ -1283,7 +1306,7 @@ pledge_sockopt(struct proc *p, int set, int level, int optname) } if ((p->p_p->ps_pledge & (PLEDGE_INET|PLEDGE_UNIX|PLEDGE_DNS)) == 0) - return pledge_fail(p, EPERM, PLEDGE_INET); + return pledge_fail(p, EPERM, PLEDGE_INET); /* In use by some service libraries */ switch (level) { case SOL_SOCKET: @@ -1476,7 +1499,7 @@ pledge_protexec(struct proc *p, int prot) { if ((p->p_p->ps_flags & PS_PLEDGE) == 0) return 0; - if (!(p->p_p->ps_pledge & PLEDGE_PROTEXEC) && (prot & PROT_EXEC)) + if (!(p->p_p->ps_pledge & PLEDGE_PROTEXEC) && (prot & PROT_EXEC)) return pledge_fail(p, EPERM, PLEDGE_PROTEXEC); return 0; } |