inpcb: provide policy cr_canexport_ktlskeys() and the privilege PRIV_NETINET_KTLSKEYS

The policy defines the visibility of the ktls session keys to a thread.

Reviewed by:	markj
Sponsored by:	NVidia networking
Differential revision:	https://reviews.freebsd.org/D50653
This commit is contained in:
Konstantin Belousov
2025-06-07 16:49:11 +03:00
parent 0d5b6fb6ae
commit e17485c2bd
3 changed files with 17 additions and 0 deletions
+14
View File
@@ -38,6 +38,7 @@
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/jail.h>
@@ -72,3 +73,16 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
return (0);
}
bool
cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp)
{
int error;
if (cr_canseeinpcb(td->td_ucred, inp) == 0 &&
cr_xids_subset(td->td_ucred, inp->inp_cred))
return (true);
error = priv_check(td, PRIV_NETINET_KTLSKEYS);
return (error == 0);
}
+2
View File
@@ -58,8 +58,10 @@ typedef u_int32_t n_time; /* ms since 00:00 UTC, byte rev */
#ifdef _KERNEL
struct inpcb;
struct ucred;
struct thread;
int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
bool cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp);
uint32_t iptime(void);
#endif
+1
View File
@@ -406,6 +406,7 @@
#define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
#define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
#define PRIV_NETINET_KTLSKEYS 508 /* Read ktls session keys. */
/*
* Placeholders for IPX/SPX privileges, not supported any more.