Date: Wed, 18 Apr 2001 20:35:17 +0200 (CEST)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: Luigi Rizzo <luigi@info.iet.unipi.it>
Cc: neswold@fnal.gov, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Protecting IPFW kernel variables...
Message-ID: <200104181835.UAA49757@info.iet.unipi.it>
In-Reply-To: <200104181831.UAA49728@info.iet.unipi.it> from Luigi Rizzo at "Apr 18, 2001 08:31:45 pm"
> i think it is a bit late for 4.3 also given that CTLFLAG_SECURE > is not used anywhere. This reminds me that i had some > patches (which i did not commit) to extend the CTLFLAG_SECURE > thing so that it would let you specify a level L, so > the variable could be modified if securelevel<=L and not > otherwise. > > I think i even posted them to the -security mailing list some > time between dec.2000 and feb.2001 here they are... cheers luigi Index: sys/sysctl.h =================================================================== RCS file: /home/ncvs/src/sys/sys/sysctl.h,v retrieving revision 1.81.2.3 diff -u -r1.81.2.3 sysctl.h --- sys/sysctl.h 2000/09/25 12:09:20 1.81.2.3 +++ sys/sysctl.h 2001/02/09 18:02:40 @@ -79,9 +79,19 @@ #define CTLFLAG_RW (CTLFLAG_RD|CTLFLAG_WR) #define CTLFLAG_NOLOCK 0x20000000 /* XXX Don't Lock */ #define CTLFLAG_ANYBODY 0x10000000 /* All users can set this var */ -#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<=0 */ +#define CTLFLAG_SECURE 0x08000000 /* Permit set only if securelevel<0 */ #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ + +#define CTLFLAG_NORAISE 0x01000000 /* cannot be raised */ +#define CTLFLAG_NOLOWER 0x00800000 /* cannot be lowered */ +#define CTLFLAG_S_MASK 0x000f0000 /* max securelevel to change */ +#define CTLFLAG_S_MASK_OFS 16 /* rightmost 1 in above */ +/* + * cannot modify variable if (securelevel >= i) + */ +#define CTLFLAG_SECURELEVEL(i) \ + ( (((i)<<CTLFLAG_S_MASK_OFS) & CTLFLAG_S_MASK) | CTLFLAG_SECURE ) /* * USE THIS instead of a hardwired number from the categories below Index: kern/kern_sysctl.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_sysctl.c,v retrieving revision 1.92.2.3 diff -u -r1.92.2.3 kern_sysctl.c --- kern/kern_sysctl.c 2000/09/25 12:09:20 1.92.2.3 +++ kern/kern_sysctl.c 2001/02/09 18:02:52 
@@ -1012,9 +1012,15 @@ } /* If writing isn't allowed */ - if (req->newptr && (!(oid->oid_kind & CTLFLAG_WR) || - ((oid->oid_kind & CTLFLAG_SECURE) && securelevel > 0))) - return (EPERM); + if (req->newptr) { + if (!(oid->oid_kind & CTLFLAG_WR)) + return EPERM ; + if (oid->oid_kind & CTLFLAG_SECURE) { + int i = (oid->oid_kind & CTLFLAG_S_MASK) >> CTLFLAG_S_MASK_OFS; + if (securelevel >= i) + return (EPERM); + } + } /* Most likely only root can write */ if (!(oid->oid_kind & CTLFLAG_ANYBODY) && To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
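Review bot: In the sys/sysctl.h hunk, CTLFLAG_SECURELEVEL(i) masks its argument to the four bits of CTLFLAG_S_MASK with no range check, so a level outside 0..15 silently encodes a different level than the caller wrote; the comment above the macro should state the valid range. That comment ("cannot modify variable if (securelevel >= i)") also differs by one from the description in the message text ("modified if securelevel<=L"), so one of the two needs correcting before callers start picking values. CTLFLAG_NORAISE and CTLFLAG_NOLOWER are defined here but nothing in the kern_sysctl.c hunk tests them; either add the enforcement or leave them out of this patch.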
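Review bot: In the kern/kern_sysctl.c hunk, an oid flagged with bare CTLFLAG_SECURE (no level bits set) decodes to i == 0, so the new test "securelevel >= i" refuses writes at securelevel 0, where the removed "securelevel > 0" test allowed them. The header comment was updated to match ("securelevel<0"), but this is a behavior change for any existing user of the flag and should be called out in the commit message, or bare CTLFLAG_SECURE should be given a default level that preserves the old check. Style point in the same block: "return EPERM ;" should be "return (EPERM);" to match the other return a few lines below.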