# HG changeset patch
# User Roy Marples <roy@marples.name>
# Date 1589994878 -3600
# Node ID 52a4070231c68e3ef732fefc7f18fe041544855a
# Parent  05b76a4875e097fd7a17577d9c3aac1e1c8653a6
privsep: Filter ioctls to a known list.

In-case the master process is broken into.

diff -r 05b76a4875e0 -r 52a4070231c6 src/privsep-bsd.c
--- a/src/privsep-bsd.c	Wed May 20 17:37:21 2020 +0100
+++ b/src/privsep-bsd.c	Wed May 20 18:14:38 2020 +0100
@@ -28,6 +28,12 @@
 
 #include <sys/ioctl.h>
 
+/* Need these for filtering the ioctls */
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet6/in6_var.h>
+#include <netinet6/nd6.h>
+
 #include <errno.h>
 #include <string.h>
 #include <unistd.h>
@@ -41,6 +47,38 @@
 {
 	int s, err;
 
+	/* Only allow these ioctls */
+	switch(req) {
+#ifdef SIOCIFAFATTACH
+	case SIOCIFAFATTACH:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCSIFXFLAGS
+	case SIOCSIFXFLAGS:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCSIFINFO_FLAGS
+	case SIOCSIFINFO_FLAGS:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCSRTRFLUSH_IN6
+	case SIOCSRTRFLUSH_IN6:	/* FALLTHROUGH */
+	case SIOCSPFXFLUSH_IN6: /* FALLTHROUGH */
+#endif
+#if defined(SIOCALIFADDR) && defined(IFLR_ACTIVE)
+	case SIOCALIFADDR:	/* FALLTHROUGH */
+	case SIOCDLIFADDR:	/* FALLTHROUGH */
+#else
+	case SIOCSIFLLADDR:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCSIFINFO_IN6
+	case SIOCSIFINFO_IN6:	/* FALLTHROUGH */
+#endif
+	case SIOCAIFADDR_IN6:	/* FALLTHROUGH */
+	case SIOCDIFADDR_IN6:	/* FALLTHROUGH */
+		break;
+	default:
+		errno = EPERM;
+		return -1;
+	}
+
 	s = socket(domain, SOCK_DGRAM, 0);
 	if (s == -1)
 		return -1;
@@ -73,6 +111,15 @@
 	struct ifreq ifr = { .ifr_flags = 0 };
 	ssize_t err;
 
+	switch(req) {
+	case SIOCG80211NWID:	/* FALLTHROUGH */
+	case SIOCGETVLAN:
+		break;
+	default:
+		errno =	EPERM;
+		return -1;
+	}
+
 	if (len < IFNAMSIZ) {
 		errno = EINVAL;
 		return -1;
diff -r 05b76a4875e0 -r 52a4070231c6 src/privsep-root.c
--- a/src/privsep-root.c	Wed May 20 17:37:21 2020 +0100
+++ b/src/privsep-root.c	Wed May 20 18:14:38 2020 +0100
@@ -215,6 +215,27 @@
 {
 	int s, err;
 
+	/* Only allow these ioctls */
+	switch(req) {
+#ifdef SIOCAIFADDR
+	case SIOCAIFADDR:	/* FALLTHROUGH */
+	case SIOCDIFADDR:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCSIFHWADDR
+	case SIOCSIFHWADDR:	/* FALLTHROUGH */
+#endif
+#ifdef SIOCGIFPRIORITY
+	case SIOCGIFPRIORITY:	/* FALLTHROUGH */
+#endif
+	case SIOCSIFFLAGS:	/* FALLTHROUGH */
+	case SIOCGIFMTU:	/* FALLTHROUGH */
+	case SIOCSIFMTU:
+		break;
+	default:
+		errno = EPERM;
+		return -1;
+	}
+
 	s = socket(PF_INET, SOCK_DGRAM, 0);
 	if (s != -1)
 #ifdef IOCTL_REQUEST_TYPE