Date: Tue, 12 Jun 2001 10:48:38 +0800 (CST)
From: gzjyliu@public.guangzhou.gd.cn
To: hackers@FreeBSD.org
Subject: [PATCH] Limited BPF to the specified program
Message-ID: <200106120248.f5C2mcr00360@fatcow.home>

From: Jiangyi Liu <gzjyliu@public.guangzhou.gd.cn>
Date: 12 Jun 2001 10:48:38 +0800
Message-ID: <87ae3epg55.fsf@fatcow.home>
Lines: 35
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi,

Seems I can't contact the coordinator (eivind@FreeBSD.org) of this
task. So I think maybe I should send the patch to this list.

Here is the patch for limiting bpf access to the specified program.
For example, if I wanna specify only /sbin/dhclient can use bpf, I can:

    $ ls -i /sbin/dhclient
    439 /sbin/dhclient
    $ df
    Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
    /dev/ad0s3a     63503   37795   20628    65%    /
    /dev/ad0s3f   5834156 2997583 2369841    56%    /usr
    /dev/ad0s3e     63503    9866   48557    17%    /var
    procfs              4       4       0   100%    /proc
    $ ls -al /dev/ad0s3a
    crw-r-----  2 root  operator  116, 0x00040000 Dec 17 01:40 /dev/ad0s3a

So I can add the following lines to my kernel config file:

    options BPF_LIMITED
    options BPF_ALLOWED_DEVID=29696
    options BPF_ALLOWED_FILEID=439

The 0~7 bits of BPF_ALLOWED_DEVID are the minor number of the device,
while the 8~15 bits are the major number of the device. Probably I
should make the options like BPF_ALLOWED_DEV_MAJOR and
BPF_ALLOWED_DEV_MINOR.

Anyone interested?

Best wishes,
Jiangyi Liu
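
The derivation of the three option lines described in the message above, as an added example that is not part of the original post or its patch: it parses the `ls -l` line of the device node and packs the major and minor numbers the way the message describes (bits 0~7 minor, bits 8~15 major). The function names are hypothetical, and the sample input in the comments is the one quoted in the message.

```shell
#!/bin/sh
# Added example: build the BPF_LIMITED kernel config lines from the output
# shown in the message. Function names are hypothetical, not from the patch.

# is_num VALUE: succeed for a plain decimal or a 0x-prefixed hex number.
is_num() {
    case $1 in
        0[xX]*) case ${1#0[xX]} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
        ''|*[!0-9]*) return 1 ;;   # empty or non-digit characters
        0[0-9]*) return 1 ;;       # leading zero would be read as octal
    esac
}

# bpf_devid MAJOR MINOR: print (major << 8) | (minor & 0xff).
bpf_devid() {
    is_num "$1" && is_num "$2" || { echo "bpf_devid: bad number" >&2; return 1; }
    # The major number has to fit in bits 8~15.
    [ $(($1)) -le 255 ] || { echo "bpf_devid: major $1 > 255" >&2; return 1; }
    echo $(( ($1 << 8) | ($2 & 0xff) ))
}

# bpf_limit_options LS_LINE INODE
#   LS_LINE: `ls -l` line of the device node holding the program's filesystem,
#            e.g. "crw-r----- 2 root operator 116, 0x00040000 Dec 17 01:40 /dev/ad0s3a"
#   INODE:   inode number of the program as printed by `ls -i`, e.g. 439
bpf_limit_options() {
    ls_line=$1 inode=$2
    is_num "$inode" || { echo "bad inode: $inode" >&2; return 1; }
    set -f; set -- $ls_line; set +f      # split the ls line into fields
    case $1 in
        [cb]*) ;;                        # character or block device node
        *) echo "not a device node: $ls_line" >&2; return 1 ;;
    esac
    # Field 5 is "major," and field 6 is the minor number.
    devid=$(bpf_devid "${5%,}" "$6") || return 1
    printf 'options BPF_LIMITED\n'
    printf 'options BPF_ALLOWED_DEVID=%s\n' "$devid"
    printf 'options BPF_ALLOWED_FILEID=%s\n' "$inode"
}

# Stand-alone use: sh script.sh "<ls -l line>" <inode>
if [ "$#" -eq 2 ]; then
    bpf_limit_options "$1" "$2"
fi
```

Only the low 8 bits of the minor number survive this packing, so the minor 0x00040000 from the message contributes 0 and the result is 116 * 256 = 29696.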