upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-11 01:30:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

o Modify IPFW and DUMMYNET administrative setsockopt() calls to use

Browse source 
securelevel_gt() to check the securelevel, rather than direct access
  to the securelevel variable.

Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2001-09-26 19:58:29 +00:00
parent d501d04b9e
commit 785f9ffca3
2 changed files with 13 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
sys/netinet/ip_dummynet.c
View file

@ -1817,8 +1817,11 @@ ip_dn_ctl(struct sockopt *sopt)
struct dn_pipe *p, tmp_pipe;
/* Disallow sets in really-really secure mode. */
if (sopt->sopt_dir == SOPT_SET && securelevel >= 3)
return (EPERM);
if (sopt->sopt_dir == SOPT_SET) {
error = securelevel_ge(sopt->sopt_td->td_proc->p_ucred, 3);
if (error)
return (error);
}
switch (sopt->sopt_name) {
default :

11
sys/netinet/ip_fw.c
View file

@ -38,6 +38,7 @@
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/kernel.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
@ -1863,9 +1864,13 @@ ip_fw_ctl(struct sockopt *sopt)
* Disallow modifications in really-really secure mode, but still allow
* the logging counters to be reset.
*/
if (securelevel >= 3 && (sopt->sopt_name == IP_FW_ADD ||
(sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)))
return (EPERM);
if (sopt->sopt_name == IP_FW_ADD ||
(sopt->sopt_dir == SOPT_SET && sopt->sopt_name != IP_FW_RESETLOG)) {
error = securelevel_ge(sopt->sopt_td->td_proc->p_ucred, 3);
if (error)
return (error);
}
error = 0;
switch (sopt->sopt_name) {