ip_mroute: Make privilege checking more consistent

- The v6 socket option and ioctl handlers had no privilege checks at
  all.  The socket options, I believe, can only be reached via a raw
  socket, but a jailed root user with a raw socket shouldn't be able to
  configure multicast routing in a non-VNET jail.  The ioctls can only
  be used to fetch stats.
- Delete a bogus comment in X_mrt_ioctl(), one can issue multicast
  routing ioctls against any socket.  Note that the call path is
  soo_ioctl()->rtioctl_fib()->mrt_ioctl().

I think all of the mroute privilege checks should be done within the
ip(6)_mroute code, but let's first make the v4 and v6 modules
consistent.

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Stormshield
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D54982
This commit is contained in:
Mark Johnston
2026-02-02 14:53:35 +00:00
parent 07940d1d85
commit 74839871be
3 changed files with 15 additions and 11 deletions
-5
View File
@@ -546,11 +546,6 @@ X_mrt_ioctl(u_long cmd, caddr_t data, int fibnum __unused)
{
int error;
/*
* Currently the only function calling this ioctl routine is rtioctl_fib().
* Typically, only root can create the raw socket in order to execute
* this ioctl method, however the request might be coming from a prison
*/
error = priv_check(curthread, PRIV_NETINET_MROUTE);
if (error)
return (error);
+9 -6
View File
@@ -89,6 +89,7 @@
#include <sys/mbuf.h>
#include <sys/module.h>
#include <sys/domain.h>
#include <sys/priv.h>
#include <sys/protosw.h>
#include <sys/sdt.h>
#include <sys/signalvar.h>
@@ -458,24 +459,26 @@ X_ip6_mrouter_get(struct socket *so, struct sockopt *sopt)
static int
X_mrt6_ioctl(u_long cmd, caddr_t data)
{
int ret;
ret = EINVAL;
int error;
error = priv_check(curthread, PRIV_NETINET_MROUTE);
if (error)
return (error);
error = EINVAL;
switch (cmd) {
case SIOCGETSGCNT_IN6:
ret = get_sg_cnt((struct sioc_sg_req6 *)data);
error = get_sg_cnt((struct sioc_sg_req6 *)data);
break;
case SIOCGETMIFCNT_IN6:
ret = get_mif6_cnt((struct sioc_mif_req6 *)data);
error = get_mif6_cnt((struct sioc_mif_req6 *)data);
break;
default:
break;
}
return (ret);
return (error);
}
/*
+6
View File
@@ -604,6 +604,9 @@ rip6_ctloutput(struct socket *so, struct sockopt *sopt)
case MRT6_ADD_MFC:
case MRT6_DEL_MFC:
case MRT6_PIM:
error = priv_check(curthread, PRIV_NETINET_MROUTE);
if (error != 0)
return (error);
if (inp->inp_ip_p != IPPROTO_ICMPV6)
return (EOPNOTSUPP);
error = ip6_mrouter_get ? ip6_mrouter_get(so, sopt) :
@@ -627,6 +630,9 @@ rip6_ctloutput(struct socket *so, struct sockopt *sopt)
case MRT6_ADD_MFC:
case MRT6_DEL_MFC:
case MRT6_PIM:
error = priv_check(curthread, PRIV_NETINET_MROUTE);
if (error != 0)
return (error);
if (inp->inp_ip_p != IPPROTO_ICMPV6)
return (EOPNOTSUPP);
error = ip6_mrouter_set ? ip6_mrouter_set(so, sopt) :