Date: 12 Jun 2001 10:50:29 +0800
From: Jiangyi Liu <gzjyliu@public.guangzhou.gd.cn>
To: hackers@FreeBSD.org
Subject: [PATCH] Limited BPF to specified program
Message-ID: <8766e2pg22.fsf@fatcow.home>
[-- Attachment #1 --]
*** i386/conf/LINT.orig Sat Jun 2 12:32:27 2001
--- i386/conf/LINT Mon Jun 11 15:04:23 2001
***************
*** 494,499 ****
--- 494,508 ----
pseudo-device sppp #Generic Synchronous PPP
pseudo-device loop #Network loopback device
pseudo-device bpf #Berkeley packet filter
+
+ # The BPF_LIMITED options limits only the specified program can
+ # use bpf, BPF_ALLOWED_DEVID is the deviceid [major|minor] of the
+ # device where specified program resides, BPF_ALLOWED_FILEID is the
+ # inode of the specified program.
+ options BPF_LIMITED
+ options BPF_ALLOWED_DEVID
+ options BPF_ALLOWED_FILEID
+
pseudo-device disc #Discard device (ds0, ds1, etc)
pseudo-device tun #Tunnel driver (ppp(8), nos-tun(8))
pseudo-device sl 2 #Serial Line IP
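Review bot: the two value-carrying options are listed in LINT as bare `options BPF_ALLOWED_DEVID` and `options BPF_ALLOWED_FILEID`, but bpf.c compares them as integers against `va_fsid` and `va_fileid`, so a kernel built from LINT as written would get config(8)'s default definition in opt_bpf.h rather than a device id or inode and the check would never match the intended program. LINT should show the `=value` form the covering mail uses, e.g. `options BPF_ALLOWED_DEVID=29696` and `options BPF_ALLOWED_FILEID=439`, and the comment above them should say that they take values; the first sentence of that comment also does not parse ("limits only the specified program can use bpf"), something like "restricts bpf(4) so that only one program can open it" would read better.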
*** net/bpf.c.orig Tue Jun 5 19:54:01 2001
--- net/bpf.c Mon Jun 11 14:47:11 2001
***************
*** 41,46 ****
--- 41,47 ----
*/
#include "bpf.h"
+ #include "opt_bpf.h"
#ifndef __GNUC__
#define inline
***************
*** 60,65 ****
--- 61,67 ----
#include <sys/sockio.h>
#include <sys/ttycom.h>
#include <sys/filedesc.h>
+ #include <sys/syslog.h>
#if defined(sparc) && BSD < 199103
#include <sys/stream.h>
***************
*** 346,353 ****
struct proc *p;
{
register struct bpf_d *d;
!
! if (p->p_prison)
return (EPERM);
d = dev->si_drv1;
--- 348,373 ----
struct proc *p;
{
register struct bpf_d *d;
! struct vattr attr;
!
! #ifdef BPF_LIMITED
! int error;
!
! /* Get file attributes */
! error = VOP_GETATTR(p->p_textvp, &attr, p->p_ucred, p);
! if (error)
! return (error);
!
! if (BPF_ALLOWED_DEVID != (attr.va_fsid & 0xffff) ||
! BPF_ALLOWED_FILEID != attr.va_fileid) {
! log(LOG_ERR, "Attempt to use BPF: device %d,%d fileid %ld\n",
! (int)((attr.va_fsid>>8) & 0xff), (int)(attr.va_fsid & 0xff),
! (long)attr.va_fileid);
! return (EPERM);
! }
! #endif
!
! if (p->p_prison)
return (EPERM);
d = dev->si_drv1;
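Review bot: `p->p_textvp` is passed to `VOP_GETATTR` without a NULL check; a process that has no text vnode would make this a NULL dereference in the kernel, so guard it first (`if (p->p_textvp == NULL) return (EPERM);`). On the same lines, `struct vattr attr;` is declared outside the `#ifdef BPF_LIMITED` block and is unused when the option is off, which yields a warning in every default kernel; move it inside the `#ifdef`. Finally, the `& 0xffff` mask in the comparison (and the `>>8 & 0xff` / `& 0xff` split in the `log()` call) keeps only the major number and the low byte of the minor number, yet the mail's own `ls -al /dev/ad0s3a` shows a minor of `0x00040000`, whose distinguishing bits sit above that byte: a file with the same inode number on a different slice of the same disk would pass the check, and the logged "minor" would not match what the administrator sees in `ls -l`. Compare the whole `va_fsid` (or go to the separate major/minor options the mail proposes), and add `p->p_pid` and `p->p_comm` to the log line so a denied open can be attributed to a process.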
*** conf/options.i386.orig Sat Jun 2 12:32:08 2001
--- conf/options.i386 Mon Jun 11 14:17:17 2001
***************
*** 203,208 ****
--- 203,213 ----
# SMB/CIFS filesystem
SMBFS
+ # Limited BPF options
+ BPF_LIMITED opt_bpf.h
+ BPF_ALLOWED_DEVID opt_bpf.h
+ BPF_ALLOWED_FILEID opt_bpf.h
+
# -------------------------------
# EOF
# -------------------------------
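Review bot: the three options are added to `conf/options.i386` only, but the code they control is in the machine-independent `net/bpf.c`; on any other architecture config(8) would not know the options, `opt_bpf.h` would not define them, and the restriction would be silently absent. They belong in the MI `conf/options` file instead.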
[-- Attachment #2 --]
Seems I can't contact the coordinator(eivind@FreeBSD.org) of this
task. So I think maybe I should send the patch to this list. Here is
the patch for limiting bpf access to the specified program.
For example, if I wanna specify only /sbin/dhclient can use bpf, I
can:
$ ls -i /sbin/dhclient
439 /sbin/dhclient
$ df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/ad0s3a 63503 37795 20628 65% /
/dev/ad0s3f 5834156 2997583 2369841 56% /usr
/dev/ad0s3e 63503 9866 48557 17% /var
procfs 4 4 0 100% /proc
$ ls -al /dev/ad0s3a
crw-r----- 2 root operator 116, 0x00040000 Dec 17 01:40 /dev/ad0s3a
So I can add the following lines to my kernel config file:
options BPF_LIMITED
options BPF_ALLOWED_DEVID=29696
options BPF_ALLOWED_FILEID=439
Bits 0~7 of BPF_ALLOWED_DEVID are the minor number of the device,
while bits 8~15 are the major number of the device. Probably I
should make the options like BPF_ALLOWED_DEV_MAJOR and
BPF_ALLOWED_DEV_MINOR.
Anyone interested?
Best wishes,
Jiangyi Liu
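The following is an added example, not part of the posted patch or of FreeBSD, that models the BPF_LIMITED identity check from the mail in user space so the value computed for BPF_ALLOWED_DEVID and the behaviour of the `& 0xffff` comparison can be tried on realistic numbers. It assumes the device-number layout the mail describes and its `ls -al /dev/ad0s3a` output suggests (major number in bits 8..15, low minor byte in bits 0..7, higher minor bits above bit 15); `ad0s3a = 116, 0x00040000` and inode 439 are the mail's own values, while the `ad0s1a` and `ad0s3e` minors and the function names are constructed here for contrast. It also shows a variant that compares the whole device id, which is what the masked check loses.

```c
/*
 * Added example: user-space model of the BPF_LIMITED check.
 * Assumption: FreeBSD 4.x-era device id layout as described in the mail,
 *   major in bits 8..15, minor in the remaining bits (low byte in 0..7).
 * Sample values: ad0s3a (116, 0x00040000) and inode 439 are from the mail;
 *   ad0s1a (minor 0x00020000) and ad0s3e (minor 0x00040004) are constructed.
 */
#include <stdint.h>
#include <stdio.h>

/* Compose a device id from major and minor under the assumed layout. */
static uint32_t make_devid(uint32_t major, uint32_t minor)
{
    return (major << 8) | (minor & 0xffff00ffu);
}

/* The number the mail puts in BPF_ALLOWED_DEVID: the id truncated to 16 bits. */
static uint32_t bpf_allowed_devid(uint32_t major, uint32_t minor)
{
    return make_devid(major, minor) & 0xffffu;
}

/* The patch's predicate: only major and the low minor byte take part. */
static int bpf_allowed_masked(uint32_t fsid, uint32_t fileid,
                              uint32_t allowed_devid, uint32_t allowed_fileid)
{
    return (fsid & 0xffffu) == allowed_devid && fileid == allowed_fileid;
}

/* Stricter variant: compare the whole device id, so no minor bits are dropped. */
static int bpf_allowed_full(uint32_t fsid, uint32_t fileid,
                            uint32_t allowed_fsid, uint32_t allowed_fileid)
{
    return fsid == allowed_fsid && fileid == allowed_fileid;
}

int main(void)
{
    const uint32_t inode = 439;                      /* /sbin/dhclient, from the mail */
    const uint32_t ad0s3a = make_devid(116, 0x00040000u);  /* from the mail */
    const uint32_t ad0s1a = make_devid(116, 0x00020000u);  /* constructed */
    const uint32_t ad0s3e = make_devid(116, 0x00040004u);  /* constructed */
    const uint32_t devid = bpf_allowed_devid(116, 0x00040000u);

    printf("BPF_ALLOWED_DEVID for ad0s3a: %u\n", devid);
    printf("ad0s3a inode %u, masked check: %d\n", inode,
           bpf_allowed_masked(ad0s3a, inode, devid, inode));
    /* Same inode number on another slice: the masked check still passes. */
    printf("ad0s1a inode %u, masked check: %d, full check: %d\n", inode,
           bpf_allowed_masked(ad0s1a, inode, devid, inode),
           bpf_allowed_full(ad0s1a, inode, ad0s3a, inode));
    /* A different partition letter changes the low minor byte and is refused. */
    printf("ad0s3e inode %u, masked check: %d\n", inode,
           bpf_allowed_masked(ad0s3e, inode, devid, inode));
    return 0;
}
```

Running it reproduces the 29696 from the mail and shows that a file with inode 439 on ad0s1a is accepted by the masked comparison but rejected when the whole device id is compared, which is the reason to prefer a full-width comparison or separate major/minor options.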
