Date: 12 Jun 2001 17:08:38 +0800
From: Jiangyi Liu <gzjyliu@public.guangzhou.gd.cn>
To: hackers@FreeBSD.org
Subject: Re: [PATCH] Limited BPF to the specified program
Message-ID: <87k82ioyjt.fsf@fatcow.home>
In-Reply-To: <20010612110221.C923@iv.nn.kiev.ua>
References: <200106120248.f5C2mcr00360@fatcow.home> <20010612110221.C923@iv.nn.kiev.ua>

Alexander Langer <alex@big.endian.de> writes:

> The options should be a sysctl, since dhclient might move from inode to
> inode and I don't want to recompile a kernel every time.

Had to wait till I figure out how to add a new sysctl. :-)

> Also, that should be a list of filesystem:inode pairs, imho, for
> multiple programs.

Oh, this one should be easy. If anyone wants this feature, I think I
can implement it. However, I'm told by Valentin Nechayev that I should
follow the mainstream development, so I think maybe I should cvsup to
-current and reimplement.

> OTOH, I don't know if that makes sense, since superuser still can
> compile a new kernel or set the sysctl.

Nothing can be saved if one can recompile the new kernel and reboot
with the new kernel. I think the point is the secure level. Once the
secure level is promoted, sysctl is disabled so that nobody can change
the program list, of course except rebooting.

Jiangyi

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message