Date: Tue, 12 Jun 2001 11:02:21 +0300
From: Valentin Nechayev <netch@iv.nn.kiev.ua>
To: gzjyliu@public.guangzhou.gd.cn
Cc: hackers@FreeBSD.ORG
Subject: Re: [PATCH] Limited BPF to the specified program
Message-ID: <20010612110221.C923@iv.nn.kiev.ua>
In-Reply-To: <200106120248.f5C2mcr00360@fatcow.home>; from gzjyliu@public.guangzhou.gd.cn on Tue, Jun 12, 2001 at 10:48:38AM +0800
References: <200106120248.f5C2mcr00360@fatcow.home>

Tue, Jun 12, 2001 at 10:48:38, gzjyliu (gzjyliu@public.guangzhou.gd.cn) wrote about "[PATCH] Limited BPF to the specified program":

> So I can add the following lines to my kernel config file:
> options BPF_LIMITED
> options BPF_ALLOWED_DEVID=29696
> options BPF_ALLOWED_FILEID=439

Another proposition: (an example)

    sysctl -w net.bpf.allowed_users=0,29,133
    sysctl -w net.bpf.allowed_groups=0,215,216
    sysctl -w net.bpf.per_interface.fxp2.allowed_users=0,222

But the best variant IMHO is not to produce strange hacks against mainstream development, but to implement (via devfs) interface stream devices and interface control devices. If anyone wants to set access rights to interface, he will set ACL to /dev/fxp0.stream or similar.

> The 0~7 bits of BPF_ALLOWED_DEVID is the minor number of the device,
> while the 8~15 bits is the major number of the device. Probably I
> should make the options like BPF_ALLOWED_DEV_MAJOR and
> BPF_ALLOWED_DEV_MINOR.
>
> Anyone interested?

Post URL to a page where anyone can find it and list keywords for it. If anyone tries to search for it, he will go to google or freebsd.org->mailing_lists->search and enter proper keywords.

"Manuscripts cannot burn" ([M. Bulgakov])

/netch

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message