Module Name:    src
Committed By:   elad
Date:           Mon Apr 20 19:57:18 UTC 2009

Modified Files:
        src/sys/netinet6: in6_pcb.c

Log Message:
Replace KAUTH_GENERIC_ISSUSER with a better alternative.


To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.105 src/sys/netinet6/in6_pcb.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/in6_pcb.c
diff -u src/sys/netinet6/in6_pcb.c:1.104 src/sys/netinet6/in6_pcb.c:1.105
--- src/sys/netinet6/in6_pcb.c:1.104	Mon Apr 20 18:14:30 2009
+++ src/sys/netinet6/in6_pcb.c	Mon Apr 20 19:57:18 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: in6_pcb.c,v 1.104 2009/04/20 18:14:30 elad Exp $	*/
+/*	$NetBSD: in6_pcb.c,v 1.105 2009/04/20 19:57:18 elad Exp $	*/
 /*	$KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.104 2009/04/20 18:14:30 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.105 2009/04/20 19:57:18 elad Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -263,25 +263,28 @@
 	struct inpcbtable *table = in6p->in6p_table;
 	struct socket *so = in6p->in6p_socket;
 	int wild = 0, reuseport = (so->so_options & SO_REUSEPORT);
+	int error;
 
 	if ((so->so_options & (SO_REUSEADDR|SO_REUSEPORT)) == 0 &&
 	   ((so->so_proto->pr_flags & PR_CONNREQUIRED) == 0 ||
 	    (so->so_options & SO_ACCEPTCONN) == 0))
 		wild = 1;
 
-#ifndef IPNOPRIVPORTS
-	int priv;
+	if (sin6->sin6_port != 0) {
+		enum kauth_network_req req;
 
-	/*
-	 * NOTE: all operating systems use suser() for
-	 * privilege check!  do not rewrite it into SS_PRIV.
-	 */
-	priv = (l && !kauth_authorize_generic(l->l_cred,
-	    KAUTH_GENERIC_ISSUSER, NULL)) ? 1 : 0;
-	/* GROSS */
-	if (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED && !priv)
-		return (EACCES);
-#endif
+#ifndef IPNOPRIVPORTS
+		if (ntohs(sin6->sin6_port) < IPV6PORT_RESERVED)
+			req = KAUTH_REQ_NETWORK_BIND_PRIVPORT;
+		else
+#endif /* IPNOPRIVPORTS */
+			req = KAUTH_REQ_NETWORK_BIND_PORT;
+
+		error = kauth_authorize_network(l->l_cred, KAUTH_NETWORK_BIND,
+		    req, so, sin6, NULL);
+		if (error)
+			return (error);
+	}
 
 	if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
 		/*
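Review bot: The new call `kauth_authorize_network(l->l_cred, KAUTH_NETWORK_BIND, req, so, sin6, NULL)` dereferences `l` unconditionally, while the removed code tested `l &&` before reading `l->l_cred`, which suggests at least some callers could pass a NULL lwp. If that is still possible, a bind to an explicit port from such a caller becomes a kernel NULL-pointer dereference instead of the old `EACCES`-or-allow outcome. If every caller now guarantees a valid lwp, state that with `KASSERT(l != NULL);` before the `if (sin6->sin6_port != 0)` block; otherwise keep an explicit NULL branch that preserves the previous result for reserved ports. The enclosing function begins and ends outside this hunk, so the caller contract cannot be confirmed from here.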
