authorKonstantin Belousov <kib@FreeBSD.org>2025-06-07 13:49:11 +0000
committerKonstantin Belousov <kib@FreeBSD.org>2025-06-09 23:47:13 +0000
commite17485c2bdc164a73c72aa73006025a31983e20b (patch)
treee4ebb09a067f3d80cc2f2b65614e7e6484a402e3
parent0d5b6fb6aee8faff5265d429daaf61e7b79c5252 (diff)
-rw-r--r--sys/netinet/in_prot.c14
-rw-r--r--sys/netinet/in_systm.h2
-rw-r--r--sys/sys/priv.h1
3 files changed, 17 insertions, 0 deletions
diff --git a/sys/netinet/in_prot.c b/sys/netinet/in_prot.c
index 204f4f60456e..d81f24d6c040 100644
--- a/sys/netinet/in_prot.c
+++ b/sys/netinet/in_prot.c
@@ -38,6 +38,7 @@
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/socket.h>
#include <sys/jail.h>
@@ -72,3 +73,16 @@ cr_canseeinpcb(struct ucred *cred, struct inpcb *inp)
return (0);
}
+
+bool
+cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp)
+{
+ int error;
+
+ if (cr_canseeinpcb(td->td_ucred, inp) == 0 &&
+ cr_xids_subset(td->td_ucred, inp->inp_cred))
+ return (true);
+ error = priv_check(td, PRIV_NETINET_KTLSKEYS);
+ return (error == 0);
+
+}
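Review bot: The new cr_canexport_ktlskeys carries no comment stating the authorization policy it implements, and its body has a stray blank line before the closing brace plus an `error` local used only once. A header comment such as `/* A thread may export a socket's ktls session keys if it may see the inpcb and its credential ids are a subset of the socket owner's, or if it holds PRIV_NETINET_KTLSKEYS. */` would make the intent explicit, and the tail could simply be `return (priv_check(td, PRIV_NETINET_KTLSKEYS) == 0);` with the blank line dropped. `inp->inp_cred` is read here without a visible lock assertion; cr_canseeinpcb's body is outside the hunk, so if it already asserts the inpcb lock this is covered, otherwise an `INP_LOCK_ASSERT(inp);` at the top would document the locking contract the new function inherits. Nothing in the three files this commit touches wires PRIV_NETINET_KTLSKEYS into the jail privilege policy, so whether priv_check() grants it to jailed root depends on the default handling there; if jailed callers are meant to be refused, a one-line comment on the priv_check call saying so would help the next reader. No caller of the new function appears in this commit, so the intended call site presumably arrives in a follow-up.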
diff --git a/sys/netinet/in_systm.h b/sys/netinet/in_systm.h
index 2f057b962d79..e2f553ec461c 100644
--- a/sys/netinet/in_systm.h
+++ b/sys/netinet/in_systm.h
@@ -58,8 +58,10 @@ typedef u_int32_t n_time; /* ms since 00:00 UTC, byte rev */
#ifdef _KERNEL
struct inpcb;
struct ucred;
+struct thread;
int cr_canseeinpcb(struct ucred *cred, struct inpcb *inp);
+bool cr_canexport_ktlskeys(struct thread *td, struct inpcb *inp);
uint32_t iptime(void);
#endif
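Review bot: The new prototype introduces `bool` into in_systm.h, and this hunk shows the header pulling in no definition of it itself, so the declaration compiles only if every kernel consumer already has `bool` in scope before including this header. The surrounding typedefs rely on `u_int32_t`/`uint32_t` the same way, which suggests `<sys/types.h>` is expected to precede this header in kernel builds and presumably supplies `bool` too; worth confirming rather than relying on include order.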
diff --git a/sys/sys/priv.h b/sys/sys/priv.h
index 9a1886454d86..1f73877ab450 100644
--- a/sys/sys/priv.h
+++ b/sys/sys/priv.h
@@ -406,6 +406,7 @@
#define PRIV_NETINET_SETHDROPTS 505 /* Set certain IPv4/6 header options. */
#define PRIV_NETINET_BINDANY 506 /* Allow bind to any address. */
#define PRIV_NETINET_HASHKEY 507 /* Get and set hash keys for IPv4/6. */
+#define PRIV_NETINET_KTLSKEYS 508 /* Read ktls session keys. */
/*
* Placeholders for IPX/SPX privileges, not supported any more.