Adapt FAST_IPSEC to recent KPI changes.

Pointed out by dyoung@ on tech-kern@, thanks!
2009-05-10 02:13:07 +00:00 · 2009-05-10 02:13:07 +00:00 · efeb620e44
commit efeb620e44
parent 12ec766ad8
3 changed files with 20 additions and 14 deletions
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.43 2009/04/18 14:58:06 tsutsui Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.44 2009/05/10 02:13:07 elad Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/

@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.43 2009/04/18 14:58:06 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.44 2009/05/10 02:13:07 elad Exp $");

 /*
 * IPsec controller part.
@ -58,6 +58,7 @@ __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.43 2009/04/18 14:58:06 tsutsui Exp $");
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
 #include <sys/proc.h>
+#include <sys/kauth.h>

 #include <net/if.h>
 #include <net/route.h>
@ -241,7 +242,8 @@ static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
 #endif
 static void ipsec_delpcbpolicy (struct inpcbpolicy *);
 static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *);
-static int ipsec_set_policy (struct secpolicy **,int , void *, size_t , int );
+static int ipsec_set_policy (struct secpolicy **,int , void *, size_t ,
+    kauth_cred_t );
 static int ipsec_get_policy (struct secpolicy *, struct mbuf **);
 static void vshiftl (unsigned char *, int, int);
 static size_t ipsec_hdrsiz (struct secpolicy *);
@ -1284,7 +1286,7 @@ ipsec_set_policy(
 	int optname,
 	void *request,
 	size_t len,
-	int priv
+	kauth_cred_t cred
 )
 {
 	struct sadb_x_policy *xpl;
@ -1309,8 +1311,12 @@ ipsec_set_policy(
 		return EINVAL;

 	/* check privileged socket */
-	if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
-		return EACCES;
+	if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
+		error = kauth_authorize_generic(cred, KAUTH_GENERIC_ISSUSER,
+		    NULL);
+		if (error)
+			return (error);
+	}

 	/* allocation new SP entry */
 	if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
@ -1352,7 +1358,7 @@ ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)

 int
 ipsec4_set_policy(struct inpcb *inp, int optname ,void *request,
-		  size_t len, int priv)
+		  size_t len, kauth_cred_t cred)
 {
 	struct sadb_x_policy *xpl;
 	struct secpolicy **pcb_sp;
@ -1381,7 +1387,7 @@ ipsec4_set_policy(struct inpcb *inp, int optname ,void *request,
 		return EINVAL;
 	}

-	return ipsec_set_policy(pcb_sp, optname, request, len, priv);
+	return ipsec_set_policy(pcb_sp, optname, request, len, cred);
 }

 int
@ -1440,7 +1446,7 @@ ipsec4_delete_pcbpolicy(struct inpcb *inp)
 #ifdef INET6
 int
 ipsec6_set_policy(struct in6pcb *in6p, int optname, void *request,
-		  size_t len, int priv)
+		  size_t len, kauth_cred_t cred)
 {
 	struct sadb_x_policy *xpl;
 	struct secpolicy **pcb_sp;
@ -1466,7 +1472,7 @@ ipsec6_set_policy(struct in6pcb *in6p, int optname, void *request,
 		return EINVAL;
 	}

-	return ipsec_set_policy(pcb_sp, optname, request, len, priv);
+	return ipsec_set_policy(pcb_sp, optname, request, len, cred);
 }

 int
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.23 2008/11/12 12:36:28 ad Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.24 2009/05/10 02:13:07 elad Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/

@ -286,7 +286,7 @@ int ipsec_copy_policy
 u_int ipsec_get_reqlevel (struct ipsecrequest *);
 int ipsec_in_reject (struct secpolicy *, struct mbuf *);

-int ipsec4_set_policy (struct inpcb *, int, void *, size_t, int);
+int ipsec4_set_policy (struct inpcb *, int, void *, size_t, kauth_cred_t);
 int ipsec4_get_policy (struct inpcb *, void *, size_t, struct mbuf **);
 int ipsec4_delete_pcbpolicy (struct inpcb *);
 int ipsec4_in_reject (struct mbuf *, struct inpcb *);
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec6.h,v 1.11 2008/04/27 12:58:48 degroote Exp $	*/
+/*	$NetBSD: ipsec6.h,v 1.12 2009/05/10 02:13:07 elad Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $	*/
 /*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/

@ -62,7 +62,7 @@ struct in6pcb;
 #define	key_freesp(_x)		KEY_FREESP(&_x)

 int ipsec6_delete_pcbpolicy (struct in6pcb *);
-int ipsec6_set_policy (struct in6pcb *, int, void *, size_t, int);
+int ipsec6_set_policy (struct in6pcb *, int, void *, size_t, kauth_cred_t);
 int ipsec6_get_policy (struct in6pcb *, void *, size_t, struct mbuf **);
 struct secpolicy *ipsec6_checkpolicy (struct mbuf *, u_int, 
    u_int, int *, struct in6pcb *);