author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-07 19:52:55 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2015-10-07 19:52:55 +0000 |
commit | 8477f3f957d307968d49b31fa138fb1a6e221623 (patch) | |
tree | f1d0939eee5cdf82e7a22c8f62df22a5b6b125c6 /sys/kern/kern_tame.c | |
parent | 3d8e62749923b01053ebbbb7a469736de03b3dae (diff) |
Split out routing sysctl's from tame "inet", and put them into the
new tame "route" request. Now routing daemons and tools (such as arp),
can narrowly ask for either feature. One thing remains available in
both cases -- support for getifaddr()'s, since libc and programs often
use that in close association with socket creation.
ok benno sthen beck, some discussion with renato
Diffstat (limited to 'sys/kern/kern_tame.c')
-rw-r--r-- | sys/kern/kern_tame.c | 99 |
1 files changed, 55 insertions, 44 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index eda216a81e7..ccd26b1b58e 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_tame.c,v 1.66 2015/10/07 03:47:43 deraadt Exp $	*/
+/*	$OpenBSD: kern_tame.c,v 1.67 2015/10/07 19:52:54 deraadt Exp $	*/
 
 /*
  * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -238,6 +238,7 @@ static const struct {
 	{ "sendfd",		TAME_RW | TAME_SENDFD },
 	{ "recvfd",		TAME_RW | TAME_RECVFD },
 	{ "ioctl",		TAME_IOCTL },
+	{ "route",		TAME_ROUTE },
 	{ "tty",		TAME_TTY },
 	{ "proc",		TAME_PROC },
 	{ "exec",		TAME_EXEC },
@@ -810,7 +811,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
 }
 
 int
-tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
+tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
 {
 	if ((p->p_p->ps_flags & PS_TAMED) == 0)
 		return (0);
@@ -818,64 +819,74 @@ tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
 	if (new)
 		return (EFAULT);
 
-	/* setproctitle() */
-	if (namelen == 2 &&
-	    name[0] == CTL_VM &&
-	    name[1] == VM_PSSTRINGS)
-		return (0);
+	/* routing table observation */
+	if ((p->p_p->ps_tame & TAME_ROUTE)) {
+		if (miblen == 7 &&
+		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+		    mib[2] == 0 &&
+		    (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+		    mib[4] == NET_RT_DUMP)
+			return (0);
 
-	/* getifaddrs() */
-	if ((p->p_p->ps_tame & TAME_INET) &&
-	    namelen == 6 &&
-	    name[0] == CTL_NET && name[1] == PF_ROUTE &&
-	    name[2] == 0 && name[3] == 0 &&
-	    name[4] == NET_RT_IFLIST && name[5] == 0)
-		return (0);
+		if (miblen == 6 &&
+		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+		    mib[2] == 0 &&
+		    (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+		    mib[4] == NET_RT_TABLE)
+			return (0);
 
-	/* used by arp(8). Exposes MAC addresses known on local nets */
-	/* XXX Put into a special catagory. */
-	if ((p->p_p->ps_tame & TAME_INET) &&
-	    namelen == 7 &&
-	    name[0] == CTL_NET && name[1] == PF_ROUTE &&
-	    name[2] == 0 && name[3] == AF_INET &&
-	    name[4] == NET_RT_FLAGS && name[5] == RTF_LLINFO)
-		return (0);
+		if (miblen == 7 &&		/* exposes MACs */
+		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+		    mib[2] == 0 && mib[3] == AF_INET &&
+		    mib[4] == NET_RT_FLAGS && mib[5] == RTF_LLINFO)
+			return (0);
+	}
+
+	if ((p->p_p->ps_tame & (TAME_ROUTE | TAME_INET))) {
+		if (miblen == 6 &&		/* getifaddrs() */
+		    mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+		    mib[2] == 0 &&
+		    (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+		    mib[4] == NET_RT_IFLIST)
+			return (0);
+	}
 
 	/* used by ntpd(8) to read sensors. */
-	/* XXX Put into a special catagory. */
-	if (namelen >= 3 &&
-	    name[0] == CTL_HW && name[1] == HW_SENSORS)
+	if (miblen >= 3 &&
+	    mib[0] == CTL_HW && mib[1] == HW_SENSORS)
 		return (0);
 
-	/* getdomainname(), gethostname(), getpagesize(), uname() */
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_DOMAINNAME)
+	if (miblen == 2 &&		/* getdomainname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_DOMAINNAME)
+		return (0);
+	if (miblen == 2 &&		/* gethostname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_HOSTNAME)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_HOSTNAME)
+	if (miblen == 2 &&		/* uname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_OSTYPE)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_OSTYPE)
+	if (miblen == 2 &&		/* uname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_OSRELEASE)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_OSRELEASE)
+	if (miblen == 2 &&		/* uname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_OSVERSION)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_OSVERSION)
+	if (miblen == 2 &&		/* uname() */
+	    mib[0] == CTL_KERN && mib[1] == KERN_VERSION)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_KERN && name[1] == KERN_VERSION)
+	if (miblen == 2 &&		/* uname() */
+	    mib[0] == CTL_HW && mib[1] == HW_MACHINE)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_HW && name[1] == HW_MACHINE)
+	if (miblen == 2 &&		/* getpagesize() */
+	    mib[0] == CTL_HW && mib[1] == HW_PAGESIZE)
 		return (0);
-	if (namelen == 2 &&
-	    name[0] == CTL_HW && name[1] == HW_PAGESIZE)
+	if (miblen == 2 &&		/* setproctitle() */
+	    mib[0] == CTL_VM && mib[1] == VM_PSSTRINGS)
 		return (0);
 
 	printf("%s(%d): sysctl %d: %d %d %d %d %d %d\n",
-	    p->p_comm, p->p_pid, namelen, name[0], name[1],
-	    name[2], name[3], name[4], name[5]);
+	    p->p_comm, p->p_pid, miblen, mib[0], mib[1],
+	    mib[2], mib[3], mib[4], mib[5]);
 	return (EFAULT);
 }
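Review bot: The diagnostic `printf` at the end of the hunk still reads `mib[0]` through `mib[5]` unconditionally, so a rejected request with a `miblen` of 2 or 3 prints entries the caller never supplied; whether that is past the end of the array or merely uninitialized stack depends on how sys_sysctl sizes the buffer it passes in, which is outside this hunk. Printing only the first `miblen` entries removes the question, as below; the loop index needs an `int i;` at the top of the function, which is also outside the hunk. Separately, the rewritten getifaddrs() check under `TAME_ROUTE | TAME_INET` no longer requires `mib[5] == 0` as the old TAME_INET check did, so NET_RT_IFLIST is now accepted for any value in that position; if that widening is intended, a short comment on that `if`, e.g. `/* mib[5] (rtableid) deliberately unrestricted */`, would keep the next reader from re-tightening it. tame_sysctl_check's signature and its first check sit in the preceding hunk.
```c
	/* … unchanged: the allow-list checks above … */
	printf("%s(%d): sysctl %d:", p->p_comm, p->p_pid, miblen);
	for (i = 0; i < miblen; i++)
		printf(" %d", mib[i]);
	printf("\n");
	return (EFAULT);
```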