tech-net archive


Re: [patch] bug fix & TCP networking performance improvements



On Thu, Apr 14, 2011 at 10:44:36PM +0200, Matthias Drochner wrote:
> 
> There is some change about permissions for raw sockets which
> is not explained.

So, I just looked at this harder.

I believe this change is correct, and general, and I do not believe it
requires explanation in the code.  What is going on is that the INET6
stack is missing all the kauth work that was done on the inet stack.  This
change adds the appropriate and analogous kauth check on raw socket open.

It does so because the tree we did this work in happens to have a security
model that allows ping, etc. to not be setuid root.  But it will function
correctly in the standard tree.

I think the other large kauth-related hunk of the patch, the one relating
to setting IPv6 interface addresses, is also correct -- or, at least,
better than the situation is right now (again, it is because in our tree
we can run ifconfig not-as-root).

I am not sure what the engineer who added this hunk meant when he
added the comment "I am not going to try and really fix this" above
that hunk of code, but I can try to find out.

Obviously a lot of work needs to be done to kauth-ify the v6 stack as the
v4 stack has been but I think these are (very small) steps in the right
direction.


