Module Name: src Committed By: dyoung Date: Fri Oct 28 16:42:52 UTC 2011
Modified Files: src/sys/net: if_gif.c if_gre.c Log Message: Don't kauth-orize SIOCDIFPHYADDR, SIOCSIFFLAGS, SIOCSIFMTU, or SIOCSLIFPHYADDR, in gif_ioctl() or in gre_ioctl(), because those operations are ordinarily kauth-orized already in ifioctl(). Kauth-orizing SIOCSIFFLAGS in gre_ioctl() caused a panic ("panic: bpf_detachd: ifpromisc failed: 1") when tcpdump(8) was interrupted. Somehow bpf(4) enables promiscuous mode using different credentials than it uses to disable promiscuous mode, hence the ifpromisc failure. This may have something to do with privilege-separation in tcpdump(8). I.e., an LWP with SIOCSIFFLAGS privilege opens /dev/bpf, but an LWP without SIOCSIFFLAGS privilege closes it. To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/sys/net/if_gif.c cvs rdiff -u -r1.147 -r1.148 src/sys/net/if_gre.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/if_gif.c diff -u src/sys/net/if_gif.c:1.79 src/sys/net/if_gif.c:1.80 --- src/sys/net/if_gif.c:1.79 Thu Oct 27 20:04:57 2011 +++ src/sys/net/if_gif.c Fri Oct 28 16:42:52 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: if_gif.c,v 1.79 2011/10/27 20:04:57 dyoung Exp $ */ +/* $NetBSD: if_gif.c,v 1.80 2011/10/28 16:42:52 dyoung Exp $ */ /* $KAME: if_gif.c,v 1.76 2001/08/20 02:01:02 kjc Exp $ */ /* @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.79 2011/10/27 20:04:57 dyoung Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1.80 2011/10/28 16:42:52 dyoung Exp $"); #include "opt_inet.h" #include "opt_iso.h" @@ -48,7 +48,6 @@ __KERNEL_RCSID(0, "$NetBSD: if_gif.c,v 1 #include <sys/syslog.h> #include <sys/proc.h> #include <sys/protosw.h> -#include <sys/kauth.h> #include <sys/cpu.h> #include <sys/intr.h> @@ -470,29 +469,12 @@ gif_input(struct mbuf *m, int af, struct int gif_ioctl(struct ifnet *ifp, u_long cmd, void *data) { - struct lwp *l = curlwp; /* XXX */ struct gif_softc *sc = ifp->if_softc; struct ifreq *ifr = (struct ifreq*)data; int error = 0, size; struct sockaddr *dst, *src; switch (cmd) { - case SIOCSIFMTU: - case SIOCSLIFPHYADDR: -#ifdef SIOCDIFPHYADDR - case SIOCDIFPHYADDR: -#endif - if ((error = kauth_authorize_network(l->l_cred, - KAUTH_NETWORK_INTERFACE, - KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd, - NULL)) != 0) - return (error); - /* FALLTHROUGH */ - default: - break; - } - - switch (cmd) { case SIOCINITIFADDR: ifp->if_flags |= IFF_UP; break; Index: src/sys/net/if_gre.c diff -u src/sys/net/if_gre.c:1.147 src/sys/net/if_gre.c:1.148 --- src/sys/net/if_gre.c:1.147 Thu Oct 27 20:04:57 2011 +++ src/sys/net/if_gre.c Fri Oct 28 16:42:52 2011 @@ -1,4 +1,4 @@ -/* $NetBSD: if_gre.c,v 1.147 2011/10/27 20:04:57 dyoung Exp $ */ +/* $NetBSD: if_gre.c,v 1.148 2011/10/28 16:42:52 dyoung Exp $ */ /* * Copyright (c) 1998, 2008 The NetBSD Foundation, Inc. @@ -45,7 +45,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_gre.c,v 1.147 2011/10/27 20:04:57 dyoung Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_gre.c,v 1.148 2011/10/28 16:42:52 dyoung Exp $"); #include "opt_atalk.h" #include "opt_gre.h" @@ -1234,15 +1234,11 @@ gre_ioctl(struct ifnet *ifp, const u_lon GRE_DPRINTF(sc, "cmd %lu\n", cmd); switch (cmd) { - case SIOCSIFFLAGS: - case SIOCSIFMTU: case GRESPROTO: case GRESADDRD: case GRESADDRS: case GRESSOCK: case GREDSOCK: - case SIOCSLIFPHYADDR: - case SIOCDIFPHYADDR: if (kauth_authorize_network(curlwp->l_cred, KAUTH_NETWORK_INTERFACE, KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, ifp, (void *)cmd,