The branch main has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=96dbc9a8de105065b6b1e55702aa648319176587

commit 96dbc9a8de105065b6b1e55702aa648319176587
Author:     Ed Maste <[email protected]>
AuthorDate: 2026-05-29 15:52:03 +0000
Commit:     Ed Maste <[email protected]>
CommitDate: 2026-05-29 23:11:21 +0000

    netlink: Check permissions for interface flag changes
    
    Reviewed by:    pouria, melifaro
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D57332
---
 sys/netlink/route/iface_drivers.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/sys/netlink/route/iface_drivers.c 
b/sys/netlink/route/iface_drivers.c
index d26e92044ff5..79daa4215dba 100644
--- a/sys/netlink/route/iface_drivers.c
+++ b/sys/netlink/route/iface_drivers.c
@@ -83,6 +83,10 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct 
nl_parsed_link *lattrs,
 
        if ((lattrs->ifi_change & IFF_UP) != 0 || lattrs->ifi_change == 0) {
                /* Request to up or down the interface */
+               if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+                       nlmsg_report_err_msg(npt, "Not enough privileges to set 
flags");
+                       return (EPERM);
+               }
                if (lattrs->ifi_flags & IFF_UP)
                        if_up(ifp);
                else
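Review bot: The `EPERM` return added here, and the matching one in the IFF_PROMISC block further down, sit between the function's mutations, so a request can be refused on privilege after part of it has already been applied. The code between the two blocks is outside the hunks, so how much can run before the second check is inferred rather than visible. Both checks test the same `PRIV_NET_SETIFFLAGS`, so a single guard before the first change would make flag handling all-or-nothing: `if (((lattrs->ifi_change & (IFF_UP | IFF_PROMISC)) != 0 || lattrs->ifi_change == 0) && !nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS))`, followed by the existing report-and-return. It is also worth a comment that `ifi_change == 0` is treated as a request covering all flags, which is why a message that leaves it zero now needs this privilege even when the caller only meant to change another attribute. `_nl_modify_ifp_generic` begins and ends outside the hunks.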
@@ -104,7 +108,7 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct 
nl_parsed_link *lattrs,
        }
 
        if ((lattrs->ifi_change & IFF_PROMISC) != 0 ||
-           lattrs->ifi_change == 0)
+           lattrs->ifi_change == 0) {
                /*
                 * When asking for IFF_PROMISC, set permanent flag instead
                 * (IFF_PPROMISC) as we have no way of doing promiscuity
@@ -112,7 +116,12 @@ _nl_modify_ifp_generic(struct ifnet *ifp, struct 
nl_parsed_link *lattrs,
                 * function either sets or unsets IFF_PROMISC, and ifi_change
                 * is usually set to 0xFFFFFFFF.
                 */
+               if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFFLAGS)) {
+                       nlmsg_report_err_msg(npt, "Not enough privileges to set 
promisc");
+                       return (EPERM);
+               }
                if_setppromisc(ifp, (lattrs->ifi_flags & IFF_PROMISC) != 0);
+       }
 
        if (lattrs->ifla_address != NULL) {
                if (!nlp_has_priv(npt->nlp, PRIV_NET_SETIFMAC)) {
