cap_net: do not allow new limits to drop keys from the old ones
If the old limit had family/hosts/sockaddr set, the new limit must have them too. Before, a missing key in the new limit was treated as "allow any", which let a caller silently extend their limits. Reported by: Joshua Rogers of AISLE Research Team Reviewed by: markj MFC after: 1 day Differential Revision: https://reviews.freebsd.org/D56991
This commit is contained in:
@@ -1122,12 +1122,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout)
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* If the old sublimit restricted a subkey, the new one must too;
|
||||
* a missing subkey means "allow any" at request time.
|
||||
*/
|
||||
static bool
|
||||
verify_subkeys_present(const nvlist_t *oldfunclimits,
|
||||
const nvlist_t *newfunclimit)
|
||||
{
|
||||
void *cookie;
|
||||
const char *name;
|
||||
|
||||
if (oldfunclimits == NULL)
|
||||
return (true);
|
||||
|
||||
cookie = NULL;
|
||||
while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
|
||||
if (!nvlist_exists(newfunclimit, name))
|
||||
return (false);
|
||||
}
|
||||
return (true);
|
||||
}
|
||||
|
||||
static bool
|
||||
verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
|
||||
const nvlist_t *newfunclimit)
|
||||
{
|
||||
void *cookie;
|
||||
|
||||
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
|
||||
return (false);
|
||||
|
||||
cookie = NULL;
|
||||
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
|
||||
void *sacookie;
|
||||
@@ -1200,6 +1225,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
|
||||
LIMIT_NV_ADDR2NAME, NULL);
|
||||
}
|
||||
|
||||
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
|
||||
return (false);
|
||||
|
||||
cookie = NULL;
|
||||
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
|
||||
if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
|
||||
@@ -1258,6 +1286,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
|
||||
LIMIT_NV_NAME2ADDR, NULL);
|
||||
}
|
||||
|
||||
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
|
||||
return (false);
|
||||
|
||||
cookie = NULL;
|
||||
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
|
||||
if (strcmp(cnvlist_name(cookie), "hosts") == 0) {
|
||||
|
||||
Reference in New Issue
Block a user