From: Jiangyi Liu <gzjyliu@public.guangzhou.gd.cn>
Date: Tue, 12 Jun 2001 10:48:38 +0800 (CST)
To: hackers@FreeBSD.org
Subject: [PATCH] Limited BPF to the specified program
Message-Id: <200106120248.f5C2mcr00360@fatcow.home>

Hi,

Seems I can't contact the coordinator (eivind@FreeBSD.org) of this task. So I think maybe I should send the patch to this list. Here is the patch for limiting bpf access to the specified program.
For example, if I wanna specify only /sbin/dhclient can use bpf, I can:

$ ls -i /sbin/dhclient
439 /sbin/dhclient
$ df
Filesystem   1K-blocks     Used    Avail Capacity  Mounted on
/dev/ad0s3a      63503    37795    20628    65%    /
/dev/ad0s3f    5834156  2997583  2369841    56%    /usr
/dev/ad0s3e      63503     9866    48557    17%    /var
procfs               4        4        0   100%    /proc
$ ls -al /dev/ad0s3a
crw-r-----  2 root  operator  116, 0x00040000 Dec 17 01:40 /dev/ad0s3a

So I can add the following lines to my kernel config file:

options BPF_LIMITED
options BPF_ALLOWED_DEVID=29696
options BPF_ALLOWED_FILEID=439

Bits 0~7 of BPF_ALLOWED_DEVID are the minor number of the device, while bits 8~15 are the major number of the device. Probably I should make the options like BPF_ALLOWED_DEV_MAJOR and BPF_ALLOWED_DEV_MINOR.

Anyone interested?

Best wishes,
Jiangyi Liu
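An added example (my own code, not part of Jiangyi Liu's patch): it packs the device id with the bit layout the message describes, models the device/inode gate as a pure function, and derives the two option values for a binary the way the message does by hand with ls -i, df and ls -al. All function names are assumptions, and the encoder reports when a major or minor number does not fit its 8-bit field.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/sysmacros.h>   /* major()/minor() live here on glibc */
#endif
/* Pack a device id the way the post describes: bits 0-7 minor,
 * bits 8-15 major. Returns -1 if either number overflows its field. */
long bpf_devid_encode(unsigned maj, unsigned mnr)
{
    if (maj > 0xff || mnr > 0xff)
        return -1;
    return (long)((maj << 8) | mnr);
}

unsigned bpf_devid_major(unsigned devid) { return (devid >> 8) & 0xff; }
unsigned bpf_devid_minor(unsigned devid) { return devid & 0xff; }
/* The gate the patch would place on bpf open, as a pure function: the
 * executable must be on the allowed device AND have the allowed inode. */
int bpf_open_allowed(unsigned exe_devid, ino_t exe_fileid,
                     unsigned allowed_devid, ino_t allowed_fileid)
{
    return exe_devid == allowed_devid && exe_fileid == allowed_fileid;
}

/* Derive the two option values for a path (what the post does by hand
 * with ls -i, df and ls -al). Returns 0 on success, -1 on failure. */
int bpf_options_for_path(const char *path, long *devid, ino_t *fileid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    *devid = bpf_devid_encode(major(st.st_dev), minor(st.st_dev));
    *fileid = st.st_ino;
    return *devid < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/sbin/dhclient";
    long devid; ino_t fileid;
    if (bpf_options_for_path(path, &devid, &fileid) != 0) {
        fprintf(stderr, "%s: cannot stat, or device id does not fit\n", path);
        return 1;
    }
    printf("options BPF_ALLOWED_DEVID=%ld\noptions BPF_ALLOWED_FILEID=%ju\n",
           devid, (uintmax_t)fileid);
    return 0;
}
```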