inpcb: provide policy cr_canexport_ktlskeys() and the privilege PRIV_NETINET_KTLSKEYS
The policy defines the visibility of the ktls session keys to a thread. Reviewed by: markj Sponsored by: NVidia networking Differential revision: https://reviews.freebsd.org/D50653
This commit is contained in:
@@ -38,6 +38,7 @@
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/lock.h>
|
||||
#include <sys/mutex.h>
|
||||
#include <sys/priv.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/jail.h>
|
||||
@@ -72,3 +73,16 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
|
||||
|
||||
return (0);
|
||||
}
|
||||
|
||||
bool
|
||||
cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp)
|
||||
{
|
||||
int error;
|
||||
|
||||
if (cr_canseeinpcb(td->td_ucred, inp) == 0 &&
|
||||
cr_xids_subset(td->td_ucred, inp->inp_cred))
|
||||
return (true);
|
||||
error = priv_check(td, PRIV_NETINET_KTLSKEYS);
|
||||
return (error == 0);
|
||||
|
||||
}
|
||||
|
||||
@@ -58,8 +58,10 @@ typedef u_int32_t n_time; /* ms since 00:00 UTC, byte rev */
|
||||
#ifdef _KERNEL
|
||||
struct inpcb;
|
||||
struct ucred;
|
||||
struct thread;
|
||||
|
||||
int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
|
||||
bool cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp);
|
||||
|
||||
uint32_t iptime(void);
|
||||
#endif
|
||||
|
||||
@@ -406,6 +406,7 @@
|
||||
#define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
|
||||
#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
|
||||
#define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
|
||||
#define PRIV_NETINET_KTLSKEYS 508 /* Read ktls session keys. */
|
||||
|
||||
/*
|
||||
* Placeholders for IPX/SPX privileges, not supported any more.
|
||||
|
||||
Reference in New Issue
Block a user