summaryrefslogtreecommitdiff
path: root/sys/kern/kern_tame.c
diff options
context:
space:
mode:
authorTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-07 19:52:55 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2015-10-07 19:52:55 +0000
commit8477f3f957d307968d49b31fa138fb1a6e221623 (patch)
treef1d0939eee5cdf82e7a22c8f62df22a5b6b125c6 /sys/kern/kern_tame.c
parent3d8e62749923b01053ebbbb7a469736de03b3dae (diff)
Split out routing sysctl's from tame "inet", and put them into the
new tame "route" request. Now routing daemons and tools (such as arp), can narrowly ask for either feature. One thing remains available in both cases -- support for getifaddr()'s, since libc and programs often use that in close association with socket creation. ok benno sthen beck, some discussion with renato
Diffstat (limited to 'sys/kern/kern_tame.c')
-rw-r--r--sys/kern/kern_tame.c99
1 files changed, 55 insertions, 44 deletions
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index eda216a81e7..ccd26b1b58e 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.66 2015/10/07 03:47:43 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.67 2015/10/07 19:52:54 deraadt Exp $ */
/*
* Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
@@ -238,6 +238,7 @@ static const struct {
{ "sendfd", TAME_RW | TAME_SENDFD },
{ "recvfd", TAME_RW | TAME_RECVFD },
{ "ioctl", TAME_IOCTL },
+ { "route", TAME_ROUTE },
{ "tty", TAME_TTY },
{ "proc", TAME_PROC },
{ "exec", TAME_EXEC },
@@ -810,7 +811,7 @@ tame_cmsg_send(struct proc *p, struct mbuf *control)
}
int
-tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
+tame_sysctl_check(struct proc *p, int miblen, int *mib, void *new)
{
if ((p->p_p->ps_flags & PS_TAMED) == 0)
return (0);
@@ -818,64 +819,74 @@ tame_sysctl_check(struct proc *p, int namelen, int *name, void *new)
if (new)
return (EFAULT);
- /* setproctitle() */
- if (namelen == 2 &&
- name[0] == CTL_VM &&
- name[1] == VM_PSSTRINGS)
- return (0);
+ /* routing table observation */
+ if ((p->p_p->ps_tame & TAME_ROUTE)) {
+ if (miblen == 7 &&
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_DUMP)
+ return (0);
- /* getifaddrs() */
- if ((p->p_p->ps_tame & TAME_INET) &&
- namelen == 6 &&
- name[0] == CTL_NET && name[1] == PF_ROUTE &&
- name[2] == 0 && name[3] == 0 &&
- name[4] == NET_RT_IFLIST && name[5] == 0)
- return (0);
+ if (miblen == 6 &&
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_TABLE)
+ return (0);
- /* used by arp(8). Exposes MAC addresses known on local nets */
- /* XXX Put into a special catagory. */
- if ((p->p_p->ps_tame & TAME_INET) &&
- namelen == 7 &&
- name[0] == CTL_NET && name[1] == PF_ROUTE &&
- name[2] == 0 && name[3] == AF_INET &&
- name[4] == NET_RT_FLAGS && name[5] == RTF_LLINFO)
- return (0);
+ if (miblen == 7 && /* exposes MACs */
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 && mib[3] == AF_INET &&
+ mib[4] == NET_RT_FLAGS && mib[5] == RTF_LLINFO)
+ return (0);
+ }
+
+ if ((p->p_p->ps_tame & (TAME_ROUTE | TAME_INET))) {
+ if (miblen == 6 && /* getifaddrs() */
+ mib[0] == CTL_NET && mib[1] == PF_ROUTE &&
+ mib[2] == 0 &&
+ (mib[3] == 0 || mib[3] == AF_INET6 || mib[3] == AF_INET) &&
+ mib[4] == NET_RT_IFLIST)
+ return (0);
+ }
/* used by ntpd(8) to read sensors. */
- /* XXX Put into a special catagory. */
- if (namelen >= 3 &&
- name[0] == CTL_HW && name[1] == HW_SENSORS)
+ if (miblen >= 3 &&
+ mib[0] == CTL_HW && mib[1] == HW_SENSORS)
return (0);
- /* getdomainname(), gethostname(), getpagesize(), uname() */
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_DOMAINNAME)
+ if (miblen == 2 && /* getdomainname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_DOMAINNAME)
+ return (0);
+ if (miblen == 2 && /* gethostname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_HOSTNAME)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_HOSTNAME)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSTYPE)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSTYPE)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSRELEASE)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSRELEASE)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_OSVERSION)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_OSVERSION)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_KERN && mib[1] == KERN_VERSION)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_KERN && name[1] == KERN_VERSION)
+ if (miblen == 2 && /* uname() */
+ mib[0] == CTL_HW && mib[1] == HW_MACHINE)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_HW && name[1] == HW_MACHINE)
+ if (miblen == 2 && /* getpagesize() */
+ mib[0] == CTL_HW && mib[1] == HW_PAGESIZE)
return (0);
- if (namelen == 2 &&
- name[0] == CTL_HW && name[1] == HW_PAGESIZE)
+ if (miblen == 2 && /* setproctitle() */
+ mib[0] == CTL_VM && mib[1] == VM_PSSTRINGS)
return (0);
printf("%s(%d): sysctl %d: %d %d %d %d %d %d\n",
- p->p_comm, p->p_pid, namelen, name[0], name[1],
- name[2], name[3], name[4], name[5]);
+ p->p_comm, p->p_pid, miblen, mib[0], mib[1],
+ mib[2], mib[3], mib[4], mib[5]);
return (EFAULT);
}