From dd845b5bee5f96dcbfdad93982cd3300670099a9 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Thu, 8 Oct 2015 17:29:43 +0000
Subject: [PATCH] Expose a small set of multicast join operators under the request "mcast". This will be used by a few daemons. If they lack this feature, then they would need to operate without tame. Discussed with renato
---
 sys/kern/kern_tame.c | 20 ++++++++++++++++++--
 sys/sys/tame.h | 3 ++-
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/sys/kern/kern_tame.c b/sys/kern/kern_tame.c
index cc3e92a7f1f..3e7525f20ab 100644
--- a/sys/kern/kern_tame.c
+++ b/sys/kern/kern_tame.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_tame.c,v 1.69 2015/10/08 13:25:04 deraadt Exp $ */
+/* $OpenBSD: kern_tame.c,v 1.70 2015/10/08 17:29:43 deraadt Exp $ */
 
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -239,6 +239,7 @@ static const struct {
 { "recvfd", TAME_RW | TAME_RECVFD },
 { "ioctl", TAME_IOCTL },
 { "route", TAME_ROUTE },
+ { "mcast", TAME_MCAST },
 { "tty", TAME_TTY },
 { "proc", TAME_PROC },
 { "exec", TAME_EXEC },
@@ -1115,7 +1116,13 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 case IP_PORTRANGE:
 case IP_RECVDSTADDR:
 return (0);
- }
+ case IP_MULTICAST_IF:
+ case IP_ADD_MEMBERSHIP:
+ case IP_DROP_MEMBERSHIP:
+ if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+ return (0);
+ break;
+ }
 break;
 case IPPROTO_ICMP:
 break;
@@ -1125,7 +1132,16 @@ tame_setsockopt_check(struct proc *p, int level, int optname)
 case IPV6_RECVHOPLIMIT:
 case IPV6_PORTRANGE:
 case IPV6_RECVPKTINFO:
+#ifdef notyet
+ case IPV6_V6ONLY:
+#endif
 return (0);
+ case IPV6_MULTICAST_IF:
+ case IPV6_JOIN_GROUP:
+ case IPV6_LEAVE_GROUP:
+ if ((p->p_p->ps_tame & TAME_MCAST) == 0)
+ return (0);
+ break;
 }
 break;
 case IPPROTO_ICMPV6:
diff --git a/sys/sys/tame.h b/sys/sys/tame.h
index e7591130fd6..abf668a0d25 100644
--- a/sys/sys/tame.h
+++ b/sys/sys/tame.h
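Review bot: The new TAME_MCAST test on the IP_MULTICAST_IF/IP_ADD_MEMBERSHIP/IP_DROP_MEMBERSHIP cases looks inverted: in this function `return (0)` is the permit result (the unconditional `return (0)` for IP_PORTRANGE and IP_RECVDSTADDR just above uses it that way), yet the added code returns 0 exactly when the process has not requested "mcast" and falls to `break` when it has, which is the opposite of what the commit message describes. The remainder of tame_setsockopt_check is outside the hunk, so what `break` leads to is inferred, but presumably it is the denial path. The condition should be `if (p->p_p->ps_tame & TAME_MCAST)` followed by `return (0);`. The IPv6 hunk below has the same inverted test on IPV6_MULTICAST_IF/IPV6_JOIN_GROUP/IPV6_LEAVE_GROUP and needs the same change.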
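Review bot: The `#ifdef notyet` / `case IPV6_V6ONLY:` / `#endif` block in the IPPROTO_IPV6 hunk is unrelated to the multicast change the commit describes and compiles to nothing, so it only leaves a preprocessor conditional in the middle of a case list where it is easy to overlook. Either drop it from this commit or give it a one-line comment stating the intent, e.g. `/* XXX IPV6_V6ONLY: intentionally not permitted yet */`, so the next reader does not have to guess whether it was forgotten. The enclosing switch and the rest of tame_setsockopt_check extend beyond the hunk.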
@@ -1,4 +1,4 @@
-/* $OpenBSD: tame.h,v 1.12 2015/10/07 19:52:54 deraadt Exp $ */
+/* $OpenBSD: tame.h,v 1.13 2015/10/08 17:29:43 deraadt Exp $ */
 
 /*
 * Copyright (c) 2015 Nicholas Marriott
@@ -45,6 +45,7 @@
 #define TAME_RECVFD 0x00040000 /* AF_UNIX CMSG fd receiving */
 #define TAME_EXEC 0x00080000 /* execve, child is free of tame */
 #define TAME_ROUTE 0x00100000 /* routing lookups */
+#define TAME_MCAST 0x00200000 /* multicast joins */
 #define TAME_ABORT 0x08000000 /* SIGABRT instead of SIGKILL */
-- 
2.20.1
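Review bot: The comment on the new flag, `/* multicast joins */`, understates what the bit gates: the kern_tame.c hunks in this commit also key IP_MULTICAST_IF and IPV6_MULTICAST_IF (selection of the outgoing multicast interface) on TAME_MCAST, not only the join and leave options. Suggest `/* multicast joins and interface selection */` so the header matches the setsockopt check that consumes it.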