From b8972d52f9e872bd4976ccc80e503b0d1282ec87 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Thu, 8 Oct 2015 13:25:04 +0000
Subject: [PATCH] setsockopt has a small list of options it can set. If we find ourselves only in TAME_UNIX, stop trying after servicing SOL_SOCKET. discussion with claudio
---
 sys/kern/kern_tame.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index fc36a710d05..cc3e92a7f1f 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.68 2015/10/08 13:21:06 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.69 2015/10/08 13:25:04 deraadt Exp $ */
 
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -1083,6 +1083,7 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 if ((p->p_p->ps_flags & PS_TAMED) == 0)
 return (0);
 
+ /* common case for TAME_UNIX and TAME_INET */
 switch (level) {
 case SOL_SOCKET:
 switch (optname) {
@@ -1090,6 +1091,12 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 return (EPERM);
 }
 return (0);
+ }
+
+ if ((p->p_p->ps_tame & TAME_INET) == 0)
+ return (EPERM);
+
+ switch (level) {
 case IPPROTO_TCP:
 switch (optname) {
 case TCP_NODELAY:
-- 
2.20.1
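Review bot: The SOL_SOCKET branch that now sits above the new `TAME_INET` test returns 0 without testing `ps_tame` at all, so the added comment `/* common case for TAME_UNIX and TAME_INET */` states an intent the visible code does not enforce. If the syscall-level gate (outside this hunk) already restricts setsockopt to processes holding one of the two flags, record that in the comment, e.g. `/* caller already holds TAME_UNIX or TAME_INET; SOL_SOCKET is allowed for both */`. Otherwise add `if ((p->p_p->ps_tame & (TAME_UNIX | TAME_INET)) == 0) return (EPERM);` before the first `switch (level)`. The inner `switch (optname)` under SOL_SOCKET also reads as a deny-list from the lines shown, so any option not named there is permitted by default. The start of that switch and the rest of tame_setsockopt_check lie outside the hunk.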