View paste 44FQ

New paste Repaste Download

	`/// List of denied setsockopt(2) options.`
	`pub const DENY_SETSOCKOPT: &[(i32, i32)] = &[`
	`// SOL_SOCKET`
	`(libc::SOL_SOCKET, libc::SO_DEBUG),`
	`(libc::SOL_SOCKET, libc::SO_SNDBUFFORCE),`
	`(libc::SOL_SOCKET, libc::SO_RCVBUFFORCE),`
	`// IPv4: iptables / arptables and multicast filters`
	`(libc::IPPROTO_IP, 64), // IPT_SO_SET_REPLACE`
	`(libc::IPPROTO_IP, 65), // IPT_SO_SET_ADD_COUNTERS`
	`(libc::IPPROTO_IP, 96), // ARPT_SO_SET_REPLACE`
	`(libc::IPPROTO_IP, 97), // ARPT_SO_SET_ADD_COUNTERS`
	`(libc::IPPROTO_IP, 41), // IP_MSFILTER`
	`(libc::IPPROTO_IP, 48), // MCAST_MSFILTER`
	`// IPv4 multicast group membership`
	`(libc::IPPROTO_IP, libc::IP_ADD_MEMBERSHIP),`
	`(libc::IPPROTO_IP, libc::IP_DROP_MEMBERSHIP),`
	`(libc::IPPROTO_IP, libc::IP_ADD_SOURCE_MEMBERSHIP),`
	`(libc::IPPROTO_IP, libc::IP_DROP_SOURCE_MEMBERSHIP),`
	`(libc::IPPROTO_IP, libc::IP_BLOCK_SOURCE),`
	`(libc::IPPROTO_IP, libc::IP_UNBLOCK_SOURCE),`
	`// Protocol-independent multicast API (v4/v6) - advanced membership`
	`(libc::IPPROTO_IP, libc::MCAST_JOIN_GROUP),`
	`(libc::IPPROTO_IP, libc::MCAST_LEAVE_GROUP),`
	`(libc::IPPROTO_IP, libc::MCAST_JOIN_SOURCE_GROUP),`
	`(libc::IPPROTO_IP, libc::MCAST_LEAVE_SOURCE_GROUP),`
	`(libc::IPPROTO_IP, libc::MCAST_BLOCK_SOURCE),`
	`(libc::IPPROTO_IP, libc::MCAST_UNBLOCK_SOURCE),`
	`// IPv4 multicast routing (mroute)`
	`(libc::IPPROTO_IP, 200), // MRT_INIT`
	`(libc::IPPROTO_IP, 201), // MRT_DONE`
	`(libc::IPPROTO_IP, 202), // MRT_ADD_VIF`
	`(libc::IPPROTO_IP, 203), // MRT_DEL_VIF`
	`(libc::IPPROTO_IP, 204), // MRT_ADD_MFC`
	`(libc::IPPROTO_IP, 205), // MRT_DEL_MFC`
	`(libc::IPPROTO_IP, 206), // MRT_VERSION`
	`(libc::IPPROTO_IP, 207), // MRT_ASSERT`
	`(libc::IPPROTO_IP, 208), // MRT_PIM`
	`(libc::IPPROTO_IP, 209), // MRT_TABLE`
	`(libc::IPPROTO_IP, 210), // MRT_ADD_MFC_PROXY`
	`(libc::IPPROTO_IP, 211), // MRT_DEL_MFC_PROXY`
	`(libc::IPPROTO_IP, 212), // MRT_FLUSH`
	`// IPv6: ip6tables and header manipulation`
	`(libc::IPPROTO_IPV6, 64), // IP6T_SO_SET_REPLACE`
	`(libc::IPPROTO_IPV6, 65), // IP6T_SO_SET_ADD_COUNTERS`
	`(libc::IPPROTO_IPV6, libc::IPV6_ADDRFORM),`
	`(libc::IPPROTO_IPV6, libc::IPV6_RTHDR),`
	`(libc::IPPROTO_IPV6, libc::IPV6_DSTOPTS),`
	`// Bridging / ebtables (Netfilter, analogous to IPT_SO_* we already deny)`
	`(libc::IPPROTO_IP, 128), // EBT_SO_SET_ENTRIES`
	`(libc::IPPROTO_IP, 129), // EBT_SO_SET_COUNTERS`
	`// IPv6: DCCP / IPV6_RECVPKTINFO (CVE-2017-6074)`
	`(libc::IPPROTO_IPV6, libc::IPV6_RECVPKTINFO),`
	`// IPv6 multicast group membership`
	`(libc::IPPROTO_IPV6, 20 /* IPV6_JOIN_GROUP */),`
	`(libc::IPPROTO_IPV6, 21 /* IPV6_LEAVE_GROUP */),`
	`(libc::IPPROTO_IPV6, 27 /* IPV6_JOIN_ANYCAST */),`
	`(libc::IPPROTO_IPV6, 28 /* IPV6_LEAVE_ANYCAST */),`
	`(libc::IPPROTO_IPV6, libc::MCAST_JOIN_GROUP),`
	`(libc::IPPROTO_IPV6, libc::MCAST_LEAVE_GROUP),`
	`(libc::IPPROTO_IPV6, libc::MCAST_JOIN_SOURCE_GROUP),`
	`(libc::IPPROTO_IPV6, libc::MCAST_LEAVE_SOURCE_GROUP),`
	`(libc::IPPROTO_IPV6, libc::MCAST_BLOCK_SOURCE),`
	`(libc::IPPROTO_IPV6, libc::MCAST_UNBLOCK_SOURCE),`
	`// IPv6 multicast routing (mroute6)`
	`(libc::IPPROTO_IPV6, 200), // MRT6_INIT`
	`(libc::IPPROTO_IPV6, 201), // MRT6_DONE`
	`(libc::IPPROTO_IPV6, 202), // MRT6_ADD_MIF`
	`(libc::IPPROTO_IPV6, 203), // MRT6_DEL_MIF`
	`(libc::IPPROTO_IPV6, 204), // MRT6_ADD_MFC`
	`(libc::IPPROTO_IPV6, 205), // MRT6_DEL_MFC`
	`(libc::IPPROTO_IPV6, 206), // MRT6_VERSION`
	`(libc::IPPROTO_IPV6, 207), // MRT6_ASSERT`
	`(libc::IPPROTO_IPV6, 208), // MRT6_PIM`
	`(libc::IPPROTO_IPV6, 209), // MRT6_TABLE`
	`(libc::IPPROTO_IPV6, 210), // MRT6_ADD_MFC_PROXY`
	`(libc::IPPROTO_IPV6, 211), // MRT6_DEL_MFC_PROXY`
	`(libc::IPPROTO_IPV6, 212), // MRT6_FLUSH`
	`// TCP: repair / ULP`
	`(libc::IPPROTO_TCP, libc::TCP_REPAIR),`
	`(libc::IPPROTO_TCP, libc::TCP_REPAIR_QUEUE),`
	`(libc::IPPROTO_TCP, libc::TCP_QUEUE_SEQ),`
	`(libc::IPPROTO_TCP, libc::TCP_REPAIR_OPTIONS),`
	`(libc::IPPROTO_TCP, libc::TCP_REPAIR_WINDOW),`
	`(libc::IPPROTO_TCP, libc::TCP_ULP),`
	`// TCP: congestion control selection (used in recent mptcp/tcp_setsockopt CVEs)`
	`(libc::IPPROTO_TCP, libc::TCP_CONGESTION),`
	`// UDP: corking (had IPv6/UDP interaction CVEs)`
	`(libc::IPPROTO_UDP, libc::UDP_CORK),`
	`// AF_PACKET: tpacket rings / fanout / bypass`
	`(libc::SOL_PACKET, 5), // PACKET_RX_RING`
	`(libc::SOL_PACKET, 10), // PACKET_VERSION`
	`(libc::SOL_PACKET, 13), // PACKET_TX_RING`
	`(libc::SOL_PACKET, 18), // PACKET_FANOUT`
	`(libc::SOL_PACKET, 19), // PACKET_TX_HAS_OFF`
	`(libc::SOL_PACKET, 20), // PACKET_QDISC_BYPASS`
	`(libc::SOL_PACKET, 21), // PACKET_ROLLOVER_STATS`
	`(libc::SOL_PACKET, 22), // PACKET_FANOUT_DATA`
	`(libc::SOL_PACKET, 23), // PACKET_IGNORE_OUTGOING`
	`// AF_BLUETOOTH: HCI socket options (level SOL_HCI)`
	`(0 /* SOL_HCI /, 1 / HCI_DATA_DIR */),`
	`(0 /* SOL_HCI /, 2 / HCI_FILTER */),`
	`(0 /* SOL_HCI /, 3 / HCI_TIME_STAMP */),`
	`// AF_BLUETOOTH: L2CAP socket options (level SOL_L2CAP)`
	`(6 /* SOL_L2CAP /, 1 / L2CAP_OPTIONS */),`
	`(6 /* SOL_L2CAP /, 2 / L2CAP_CONNINFO */),`
	`(6 /* SOL_L2CAP /, 3 / L2CAP_LM */),`
	`// AF_BLUETOOTH: RFCOMM socket options (level SOL_RFCOMM)`
	`(18 /* SOL_RFCOMM /, 2 / RFCOMM_CONNINFO */),`
	`(18 /* SOL_RFCOMM /, 3 / RFCOMM_LM */),`
	`// AF_BLUETOOTH: SCO socket options (level SOL_SCO)`
	`(17 /* SOL_SCO /, 1 / SCO_OPTIONS */),`
	`(17 /* SOL_SCO /, 2 / SCO_CONNINFO */),`
	`// AF_BLUETOOTH: generic options (level SOL_BLUETOOTH)`
	`(274 /* SOL_BLUETOOTH /, 4 / BT_SECURITY */),`
	`(274 /* SOL_BLUETOOTH /, 7 / BT_DEFER_SETUP */),`
	`(274 /* SOL_BLUETOOTH /, 8 / BT_FLUSHABLE */),`
	`(274 /* SOL_BLUETOOTH /, 9 / BT_POWER */),`
	`(`
	`274, /* SOL_BLUETOOTH */`
	`10, /* BT_CHANNEL_POLICY */`
	`),`
	`(274 /* SOL_BLUETOOTH /, 11 / BT_VOICE */),`
	`(274 /* SOL_BLUETOOTH /, 12 / BT_SNDMTU */),`
	`(274 /* SOL_BLUETOOTH /, 13 / BT_RCVMTU */),`
	`(274 /* SOL_BLUETOOTH /, 14 / BT_PHY */),`
	`(274 /* SOL_BLUETOOTH /, 15 / BT_MODE */),`
	`(274 /* SOL_BLUETOOTH /, 16 / BT_PKT_STATUS */),`
	`(274 /* SOL_BLUETOOTH /, 17 / BT_ISO_QOS */),`
	`(274 /* SOL_BLUETOOTH /, 19 / BT_CODEC */),`
	`(274 /* SOL_BLUETOOTH /, 20 / BT_ISO_BASE */),`
	`// BPF-related SOL_SOCKET options: classic/extended filters & reuseport`
	`(libc::SOL_SOCKET, 26 /* SO_ATTACH_FILTER */),`
	`(`
	`libc::SOL_SOCKET,`
	`27, /* SO_DETACH_FILTER, SO_DETACH_BPF */`
	`),`
	`(libc::SOL_SOCKET, 44 /* SO_LOCK_FILTER */),`
	`(libc::SOL_SOCKET, 48 /* SO_BPF_EXTENSIONS */),`
	`(libc::SOL_SOCKET, 50 /* SO_ATTACH_BPF */),`
	`(libc::SOL_SOCKET, 51 /* SO_ATTACH_REUSEPORT_CBPF */),`
	`(libc::SOL_SOCKET, 52 /* SO_ATTACH_REUSEPORT_EBPF */),`
	`(libc::SOL_SOCKET, 53 /* SO_DETACH_REUSEPORT_BPF */),`
	`// VSOCK: buffer size controls (CVE-2021-26708 in vsock_stream_setsockopt)`
	`(libc::AF_VSOCK, 0), // SO_VM_SOCKETS_BUFFER_SIZE`
	`(libc::AF_VSOCK, 1), // SO_VM_SOCKETS_BUFFER_MIN_SIZE`
	`(libc::AF_VSOCK, 2), // SO_VM_SOCKETS_BUFFER_MAX_SIZE`
	`];`

/// List of denied setsockopt(2) options.
pub const DENY_SETSOCKOPT: &[(i32, i32)] = &[
    // SOL_SOCKET
    (libc::SOL_SOCKET, libc::SO_DEBUG),
    (libc::SOL_SOCKET, libc::SO_SNDBUFFORCE),
    (libc::SOL_SOCKET, libc::SO_RCVBUFFORCE),
    // IPv4: iptables / arptables and multicast filters
    (libc::IPPROTO_IP, 64), // IPT_SO_SET_REPLACE
    (libc::IPPROTO_IP, 65), // IPT_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IP, 96), // ARPT_SO_SET_REPLACE
    (libc::IPPROTO_IP, 97), // ARPT_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IP, 41), // IP_MSFILTER
    (libc::IPPROTO_IP, 48), // MCAST_MSFILTER
    // IPv4 multicast group membership
    (libc::IPPROTO_IP, libc::IP_ADD_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_DROP_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_ADD_SOURCE_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_DROP_SOURCE_MEMBERSHIP),
    (libc::IPPROTO_IP, libc::IP_BLOCK_SOURCE),
    (libc::IPPROTO_IP, libc::IP_UNBLOCK_SOURCE),
    // Protocol-independent multicast API (v4/v6) - advanced membership
    (libc::IPPROTO_IP, libc::MCAST_JOIN_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_LEAVE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_JOIN_SOURCE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_LEAVE_SOURCE_GROUP),
    (libc::IPPROTO_IP, libc::MCAST_BLOCK_SOURCE),
    (libc::IPPROTO_IP, libc::MCAST_UNBLOCK_SOURCE),
    // IPv4 multicast routing (mroute)
    (libc::IPPROTO_IP, 200), // MRT_INIT
    (libc::IPPROTO_IP, 201), // MRT_DONE
    (libc::IPPROTO_IP, 202), // MRT_ADD_VIF
    (libc::IPPROTO_IP, 203), // MRT_DEL_VIF
    (libc::IPPROTO_IP, 204), // MRT_ADD_MFC
    (libc::IPPROTO_IP, 205), // MRT_DEL_MFC
    (libc::IPPROTO_IP, 206), // MRT_VERSION
    (libc::IPPROTO_IP, 207), // MRT_ASSERT
    (libc::IPPROTO_IP, 208), // MRT_PIM
    (libc::IPPROTO_IP, 209), // MRT_TABLE
    (libc::IPPROTO_IP, 210), // MRT_ADD_MFC_PROXY
    (libc::IPPROTO_IP, 211), // MRT_DEL_MFC_PROXY
    (libc::IPPROTO_IP, 212), // MRT_FLUSH
    // IPv6: ip6tables and header manipulation
    (libc::IPPROTO_IPV6, 64), // IP6T_SO_SET_REPLACE
    (libc::IPPROTO_IPV6, 65), // IP6T_SO_SET_ADD_COUNTERS
    (libc::IPPROTO_IPV6, libc::IPV6_ADDRFORM),
    (libc::IPPROTO_IPV6, libc::IPV6_RTHDR),
    (libc::IPPROTO_IPV6, libc::IPV6_DSTOPTS),
    // Bridging / ebtables (Netfilter, analogous to IPT_SO_* we already deny)
    (libc::IPPROTO_IP, 128), // EBT_SO_SET_ENTRIES
    (libc::IPPROTO_IP, 129), // EBT_SO_SET_COUNTERS
    // IPv6: DCCP / IPV6_RECVPKTINFO (CVE-2017-6074)
    (libc::IPPROTO_IPV6, libc::IPV6_RECVPKTINFO),
    // IPv6 multicast group membership
    (libc::IPPROTO_IPV6, 20 /* IPV6_JOIN_GROUP */),
    (libc::IPPROTO_IPV6, 21 /* IPV6_LEAVE_GROUP */),
    (libc::IPPROTO_IPV6, 27 /* IPV6_JOIN_ANYCAST */),
    (libc::IPPROTO_IPV6, 28 /* IPV6_LEAVE_ANYCAST */),
    (libc::IPPROTO_IPV6, libc::MCAST_JOIN_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_LEAVE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_JOIN_SOURCE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_LEAVE_SOURCE_GROUP),
    (libc::IPPROTO_IPV6, libc::MCAST_BLOCK_SOURCE),
    (libc::IPPROTO_IPV6, libc::MCAST_UNBLOCK_SOURCE),
    // IPv6 multicast routing (mroute6)
    (libc::IPPROTO_IPV6, 200), // MRT6_INIT
    (libc::IPPROTO_IPV6, 201), // MRT6_DONE
    (libc::IPPROTO_IPV6, 202), // MRT6_ADD_MIF
    (libc::IPPROTO_IPV6, 203), // MRT6_DEL_MIF
    (libc::IPPROTO_IPV6, 204), // MRT6_ADD_MFC
    (libc::IPPROTO_IPV6, 205), // MRT6_DEL_MFC
    (libc::IPPROTO_IPV6, 206), // MRT6_VERSION
    (libc::IPPROTO_IPV6, 207), // MRT6_ASSERT
    (libc::IPPROTO_IPV6, 208), // MRT6_PIM
    (libc::IPPROTO_IPV6, 209), // MRT6_TABLE
    (libc::IPPROTO_IPV6, 210), // MRT6_ADD_MFC_PROXY
    (libc::IPPROTO_IPV6, 211), // MRT6_DEL_MFC_PROXY
    (libc::IPPROTO_IPV6, 212), // MRT6_FLUSH
    // TCP: repair / ULP
    (libc::IPPROTO_TCP, libc::TCP_REPAIR),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_QUEUE),
    (libc::IPPROTO_TCP, libc::TCP_QUEUE_SEQ),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_OPTIONS),
    (libc::IPPROTO_TCP, libc::TCP_REPAIR_WINDOW),
    (libc::IPPROTO_TCP, libc::TCP_ULP),
    // TCP: congestion control selection (used in recent mptcp/tcp_setsockopt CVEs)
    (libc::IPPROTO_TCP, libc::TCP_CONGESTION),
    // UDP: corking (had IPv6/UDP interaction CVEs)
    (libc::IPPROTO_UDP, libc::UDP_CORK),
    // AF_PACKET: tpacket rings / fanout / bypass
    (libc::SOL_PACKET, 5),  // PACKET_RX_RING
    (libc::SOL_PACKET, 10), // PACKET_VERSION
    (libc::SOL_PACKET, 13), // PACKET_TX_RING
    (libc::SOL_PACKET, 18), // PACKET_FANOUT
    (libc::SOL_PACKET, 19), // PACKET_TX_HAS_OFF
    (libc::SOL_PACKET, 20), // PACKET_QDISC_BYPASS
    (libc::SOL_PACKET, 21), // PACKET_ROLLOVER_STATS
    (libc::SOL_PACKET, 22), // PACKET_FANOUT_DATA
    (libc::SOL_PACKET, 23), // PACKET_IGNORE_OUTGOING
    // AF_BLUETOOTH: HCI socket options (level SOL_HCI)
    (0 /* SOL_HCI */, 1 /* HCI_DATA_DIR */),
    (0 /* SOL_HCI */, 2 /* HCI_FILTER */),
    (0 /* SOL_HCI */, 3 /* HCI_TIME_STAMP */),
    // AF_BLUETOOTH: L2CAP socket options (level SOL_L2CAP)
    (6 /* SOL_L2CAP */, 1 /* L2CAP_OPTIONS */),
    (6 /* SOL_L2CAP */, 2 /* L2CAP_CONNINFO */),
    (6 /* SOL_L2CAP */, 3 /* L2CAP_LM */),
    // AF_BLUETOOTH: RFCOMM socket options (level SOL_RFCOMM)
    (18 /* SOL_RFCOMM */, 2 /* RFCOMM_CONNINFO */),
    (18 /* SOL_RFCOMM */, 3 /* RFCOMM_LM */),
    // AF_BLUETOOTH: SCO socket options (level SOL_SCO)
    (17 /* SOL_SCO */, 1 /* SCO_OPTIONS */),
    (17 /* SOL_SCO */, 2 /* SCO_CONNINFO */),
    // AF_BLUETOOTH: generic options (level SOL_BLUETOOTH)
    (274 /* SOL_BLUETOOTH */, 4 /* BT_SECURITY */),
    (274 /* SOL_BLUETOOTH */, 7 /* BT_DEFER_SETUP */),
    (274 /* SOL_BLUETOOTH */, 8 /* BT_FLUSHABLE */),
    (274 /* SOL_BLUETOOTH */, 9 /* BT_POWER */),
    (
        274, /* SOL_BLUETOOTH */
        10,  /* BT_CHANNEL_POLICY */
    ),
    (274 /* SOL_BLUETOOTH */, 11 /* BT_VOICE */),
    (274 /* SOL_BLUETOOTH */, 12 /* BT_SNDMTU */),
    (274 /* SOL_BLUETOOTH */, 13 /* BT_RCVMTU */),
    (274 /* SOL_BLUETOOTH */, 14 /* BT_PHY */),
    (274 /* SOL_BLUETOOTH */, 15 /* BT_MODE */),
    (274 /* SOL_BLUETOOTH */, 16 /* BT_PKT_STATUS */),
    (274 /* SOL_BLUETOOTH */, 17 /* BT_ISO_QOS */),
    (274 /* SOL_BLUETOOTH */, 19 /* BT_CODEC */),
    (274 /* SOL_BLUETOOTH */, 20 /* BT_ISO_BASE */),
    // BPF-related SOL_SOCKET options: classic/extended filters & reuseport
    (libc::SOL_SOCKET, 26 /* SO_ATTACH_FILTER */),
    (
        libc::SOL_SOCKET,
        27, /* SO_DETACH_FILTER, SO_DETACH_BPF */
    ),
    (libc::SOL_SOCKET, 44 /* SO_LOCK_FILTER */),
    (libc::SOL_SOCKET, 48 /* SO_BPF_EXTENSIONS */),
    (libc::SOL_SOCKET, 50 /* SO_ATTACH_BPF */),
    (libc::SOL_SOCKET, 51 /* SO_ATTACH_REUSEPORT_CBPF */),
    (libc::SOL_SOCKET, 52 /* SO_ATTACH_REUSEPORT_EBPF */),
    (libc::SOL_SOCKET, 53 /* SO_DETACH_REUSEPORT_BPF */),
    // VSOCK: buffer size controls (CVE-2021-26708 in vsock_stream_setsockopt)
    (libc::AF_VSOCK, 0), // SO_VM_SOCKETS_BUFFER_SIZE
    (libc::AF_VSOCK, 1), // SO_VM_SOCKETS_BUFFER_MIN_SIZE
    (libc::AF_VSOCK, 2), // SO_VM_SOCKETS_BUFFER_MAX_SIZE
];

Filename: /tmp/clip. Size: 7kb. View raw, , hex, or download this file.

This paste expires on 2025-12-15 01:25:20.969559+00:00. Pasted through v1-api.

Are you sure you'd like to remove this file?