In adding per-ioctl privilege checks in dld, I ran into an interesting problem. I thought that requiring PRIV_SYS_NET_CONFIG for DLDIOC_DOORSERVER would be sufficiently safe, but unfortunately dlmgmtd itself (the only thing which uses the ioctl) doesn't even have that privilege when it issues that ioctl. The ioctl is issued after privileges have been dropped and it has changed its uid to dladm.
The question now becomes how to secure DLDIOC_DOORSERVER. Should I keep the PRIV_SYS_NET_CONFIG requirement and yank the code in dlmgmtd that creates the door file and calls DLDIOC_DOORSERVER up to before privileges are dropped, or relax the privilege checks in the kernel to just check to see if the user-id is dladm? Any other ideas?

-Seb

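The two options in the post, modelled as an added user-space C example. This is not Solaris kernel or dlmgmtd code: the privilege mask, the dladm uid and the ioctl numbers are constructed placeholders, and `dld_ioctl` / `dlmgmtd_startup` are hypothetical names that stand in for the real dispatcher and daemon startup. The example reproduces the failure (privilege check, ioctl issued after the drop) and then shows both proposed fixes: issuing the ioctl before privileges are dropped, or checking the uid instead.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Constructed user-space model of a per-ioctl privilege check, written to
 * illustrate the ordering problem in the post. It is NOT Solaris kernel or
 * dlmgmtd code: the privilege bit, uid and ioctl numbers are placeholders.
 */
#define PRIV_SYS_NET_CONFIG  (1u << 0)   /* modelled as one bit in a privilege mask */
#define UID_ROOT             ((uid_t)0)
#define UID_DLADM            ((uid_t)15) /* placeholder; the real dladm uid is system-assigned */
#define DLDIOC_DOORSERVER    0x1001      /* placeholder ioctl numbers, not the real ones */
#define DLDIOC_OTHER         0x1002

typedef struct {
    uid_t    uid;
    unsigned privs;      /* effective privilege set as a bitmask */
} cred_t;

/* The two candidate checks from the post for DLDIOC_DOORSERVER. */
enum doorserver_policy {
    CHECK_PRIV_NET_CONFIG,  /* require PRIV_SYS_NET_CONFIG */
    CHECK_UID_DLADM         /* require uid == dladm */
};

/* Modelled kernel dispatcher: every ioctl gets its own check. Returns 0 or an errno. */
int dld_ioctl(int cmd, const cred_t *cr, enum doorserver_policy pol)
{
    switch (cmd) {
    case DLDIOC_DOORSERVER:
        if (pol == CHECK_PRIV_NET_CONFIG)
            return (cr->privs & PRIV_SYS_NET_CONFIG) ? 0 : EPERM;
        return (cr->uid == UID_DLADM) ? 0 : EPERM;
    case DLDIOC_OTHER:
        /* other configuration ioctls keep the privilege requirement */
        return (cr->privs & PRIV_SYS_NET_CONFIG) ? 0 : EPERM;
    default:
        return EINVAL;
    }
}

/* Modelled dlmgmtd dropping its privileges and switching to the dladm uid. */
static void drop_privs(cred_t *cr)
{
    cr->privs = 0;
    cr->uid = UID_DLADM;
}

/*
 * Modelled dlmgmtd startup. Returns the result of DLDIOC_DOORSERVER.
 * doorserver_before_drop selects the "move the ioctl before the drop" option.
 */
int dlmgmtd_startup(bool doorserver_before_drop, enum doorserver_policy pol)
{
    cred_t cr = { UID_ROOT, PRIV_SYS_NET_CONFIG };   /* starts with the privilege */
    int rc;

    if (doorserver_before_drop) {
        rc = dld_ioctl(DLDIOC_DOORSERVER, &cr, pol);
        drop_privs(&cr);
    } else {
        drop_privs(&cr);
        rc = dld_ioctl(DLDIOC_DOORSERVER, &cr, pol);
    }
    return rc;
}

int main(void)
{
    printf("priv check, ioctl after drop:  %d (the failure in the post)\n",
           dlmgmtd_startup(false, CHECK_PRIV_NET_CONFIG));
    printf("priv check, ioctl before drop: %d\n",
           dlmgmtd_startup(true, CHECK_PRIV_NET_CONFIG));
    printf("uid check,  ioctl after drop:  %d\n",
           dlmgmtd_startup(false, CHECK_UID_DLADM));
    return 0;
}
```

The model makes the trade-off visible: keeping the privilege check and reordering the startup keeps the door-server ioctl tied to a privilege that is dropped afterwards, whereas the uid check accepts any process running as dladm (and, as written, denies root), so its strength depends entirely on how tightly that uid is controlled.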