The branch main has been updated by oshogbo: URL: https://cgit.FreeBSD.org/src/commit/?id=d705a519525f2acae3c1efba11436ec6ee8aea0a
commit d705a519525f2acae3c1efba11436ec6ee8aea0a Author: Mariusz Zaborski <[email protected]> AuthorDate: 2026-05-12 08:33:41 +0000 Commit: Mariusz Zaborski <[email protected]> CommitDate: 2026-05-18 15:18:43 +0000 cap_net: do not allow new limits to drop keys from the old ones If the old limit had family/hosts/sockaddr set, the new limit must have them too. Before, a missing key in the new limit was treated as "allow any", which let a caller silently extend their limits. Reported by: Joshua Rogers of AISLE Research Team Reviewed by: markj MFC after: 1 day Differential Revision: https://reviews.freebsd.org/D56991 --- lib/libcasper/services/cap_net/cap_net.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/lib/libcasper/services/cap_net/cap_net.c b/lib/libcasper/services/cap_net/cap_net.c index 59124e3cb54f..e04cad1d834c 100644 --- a/lib/libcasper/services/cap_net/cap_net.c +++ b/lib/libcasper/services/cap_net/cap_net.c @@ -1122,12 +1122,37 @@ net_connect(const nvlist_t *limits, nvlist_t *nvlin, nvlist_t *nvlout) return (0); } +/* + * If the old sublimit restricted a subkey, the new one must too; + * a missing subkey means "allow any" at request time. + */ +static bool +verify_subkeys_present(const nvlist_t *oldfunclimits, + const nvlist_t *newfunclimit) +{ + void *cookie; + const char *name; + + if (oldfunclimits == NULL) + return (true); + + cookie = NULL; + while ((name = nvlist_next(oldfunclimits, NULL, &cookie)) != NULL) { + if (!nvlist_exists(newfunclimit, name)) + return (false); + } + return (true); +} + static bool verify_only_sa_newlimts(const nvlist_t *oldfunclimits, const nvlist_t *newfunclimit) { void *cookie; + if (!verify_subkeys_present(oldfunclimits, newfunclimit)) + return (false); + cookie = NULL; while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { void *sacookie; @@ -1200,6 +1225,9 @@ verify_addr2name_newlimits(const nvlist_t *oldlimits, LIMIT_NV_ADDR2NAME, NULL); } + if (!verify_subkeys_present(oldfunclimits, newfunclimit)) + return (false); + cookie = NULL; while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { if (strcmp(cnvlist_name(cookie), "sockaddr") == 0) { @@ -1258,6 +1286,9 @@ verify_name2addr_newlimits(const nvlist_t *oldlimits, LIMIT_NV_NAME2ADDR, NULL); } + if (!verify_subkeys_present(oldfunclimits, newfunclimit)) + return (false); + cookie = NULL; while (nvlist_next(newfunclimit, NULL, &cookie) != NULL) { if (strcmp(cnvlist_name(cookie), "hosts") == 0) {
