Date:      Sat, 31 Jul 1999 17:33:55 -0600
From:      Warner Losh <imp@village.org>
To:        Christopher Masto <chris@netmonger.net>
Cc:        "Brian F. Feldman" <green@FreeBSD.ORG>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, hackers@FreeBSD.ORG
Subject:   Re: So, back on the topic of enabling bpf in GENERIC... 
Message-ID:  <199907312333.RAA94671@harmony.village.org>
In-Reply-To: Your message of "Sat, 31 Jul 1999 15:44:58 EDT." <19990731154458.A2068@netmonger.net> 
References:  <19990731154458.A2068@netmonger.net>  <Pine.BSF.4.10.9907301619280.6951-100000@janus.syracuse.net> <199907302342.RAA85088@harmony.village.org> 

In message <19990731154458.A2068@netmonger.net> Christopher Masto writes:
: I hope you mean "> 1".  I often diagnose problems using tcpdump etc.,
: and I don't think bpf should be broken just because someone wants the
: minor "flags can't be turned off" feature of level 1.

Flags can't be turned off at level 1, and raw devices cannot be
accessed:
     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted filesystems, /dev/mem, and
           /dev/kmem may not be opened for writing.

Notice that raw devices cannot be opened...

: It seems to be that disabling bpf is more appropriate for security
: level 2 and up, if such a thing is desirable.  I'm not sure it is.

     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2))  whether mounted or not.
           This level precludes tampering with filesystems by unmounting them,
           but also inhibits running newfs(8) while the system is multi-user.
and

     3     Network secure mode - same as highly secure mode, plus IP packet
           filter rules (see ipfw(8) and ipfirewall(4))  cannot be changed and
           dummynet(4) configuration cannot be adjusted.

I could see arguments for both levels....

Warner

