cap_net: do not allow new limits to drop keys from the old ones

If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.

Reported by:	Joshua Rogers of AISLE Research Team
Reviewed by:	markj
MFC after:	1 day
Differential Revision:	https://reviews.freebsd.org/D56991
This commit is contained in:
Mariusz Zaborski
2026-05-12 10:33:41 +02:00
parent 78074011ac
commit d705a51952
+31
View File
@@ -1122,12 +1122,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout)
return (0);
}
/*
* If the old sublimit restricted a subkey, the new one must too;
* a missing subkey means "allow any" at request time.
*/
static bool
verify_subkeys_present(const nvlist_t *oldfunclimits,
const nvlist_t *newfunclimit)
{
void *cookie;
const char *name;
if (oldfunclimits == NULL)
return (true);
cookie = NULL;
while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) {
if (!nvlist_exists(newfunclimit, name))
return (false);
}
return (true);
}
static bool
verify_only_sa_newlimts(const nvlist_t *oldfunclimits,
const nvlist_t *newfunclimit)
{
void *cookie;
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
void *sacookie;
@@ -1200,6 +1225,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_ADDR2NAME, NULL);
}
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) {
@@ -1258,6 +1286,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits,
LIMIT_NV_NAME2ADDR, NULL);
}
if (!verify_subkeys_present(oldfunclimits, newfunclimit))
return (false);
cookie = NULL;
while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) {
if (strcmp(cnvlist_name(cookie), "hosts") == 0) {