Prevent changing interface loopback flag from userland.

IFF_LOOPBACK is telling userland the behaviour of a specific driver,
it is supposed to be static and permanent.  Clearing the loopback
flag on lo0 could lead to a kernel crash due to inconsistent multicast
igmp group.

Reported-by: syzbot+2f24ed6c8ddb2d6bb22c@syzkaller.appspotmail.com
OK claudio@ deraadt@

diff --git a/sys/net/if.h b/sys/net/if.h
index c32a15e..ae50958 100644 (file)
--- a/sys/net/if.h
+++ b/sys/net/if.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: if.h,v 1.215 2023/11/11 14:24:03 bluhm Exp $  */
+/*     $OpenBSD: if.h,v 1.216 2024/04/11 15:08:18 bluhm Exp $  */
 /*     $NetBSD: if.h,v 1.23 1996/05/07 02:40:27 thorpej Exp $  */
 
 /*
@@ -219,7 +219,7 @@ struct if_status_description {
 
 /* flags set internally only: */
 #define        IFF_CANTCHANGE \
-       (IFF_BROADCAST|IFF_POINTOPOINT|IFF_RUNNING|IFF_OACTIVE|\
+       (IFF_BROADCAST|IFF_LOOPBACK|IFF_POINTOPOINT|IFF_RUNNING|IFF_OACTIVE|\
            IFF_SIMPLEX|IFF_MULTICAST|IFF_ALLMULTI)
 
 #define        IFXF_MPSAFE             0x1     /* [I] if_start is mpsafe */