From: Jiangyi Liu <gzjyliu@public.guangzhou.gd.cn>
To: hackers@FreeBSD.org
Subject: Re: [PATCH] Limited BPF to the specified program
Date: 12 Jun 2001 17:08:38 +0800
Message-ID: <87k82ioyjt.fsf@fatcow.home>
In-Reply-To: <20010612110221.C923@iv.nn.kiev.ua>
References: <200106120248.f5C2mcr00360@fatcow.home> <20010612110221.C923@iv.nn.kiev.ua>
User-Agent: Gnus/5.090001 (Oort Gnus v0.01) Emacs/20.7

Alexander Langer writes:

> The options should be a sysctl, since dhclient might move from inode to
> inode and I don't want to recompile a kernel every time.

Had to wait till I figured out how to add a new sysctl. :-)

> Also, that should be a list of filesystem:inode pairs, imho, for
> multiple programs.

Oh, this one should be easy. If anyone wants this feature, I think I can implement it. However, I'm told by Valentin Nechayev that I should follow the mainstream development, so I think maybe I should cvsup to -current and reimplement.

> OTOH, I don't know if that makes sense, since the superuser can still
> compile a new kernel or set the sysctl.

Nothing can be saved if one can recompile the new kernel and reboot with the new kernel. I think the point is the secure level. Once the secure level is promoted, sysctl is disabled so that nobody can change the program list, of course except rebooting.

Jiangyi
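As an added illustration (not code from this thread or from the patch under discussion), the following Python model shows the policy the two posters converge on: a sysctl-style list of filesystem:inode pairs that a program's executable must match, which becomes read-only once the secure level has been raised. The `fsid:inode,...` string format, the class names and the use of `st_dev`/`st_ino` as the identity of the program are assumptions made for the example.

```python
import os
from dataclasses import dataclass, field


class PolicyLocked(PermissionError):
    """Raised when the list is modified after the secure level was raised."""


@dataclass
class BpfAllowList:
    # Constructed model of the discussed design: securelevel 0 is the normal
    # state; once raised (>= 1) the sysctl-style list is frozen until reboot.
    securelevel: int = 0
    entries: set = field(default_factory=set)  # {(fsid, inode), ...}

    def load(self, sysctl_value: str) -> None:
        """Parse an assumed 'fsid:inode,fsid:inode,...' sysctl string."""
        if self.securelevel > 0:
            raise PolicyLocked("allow-list is read-only at securelevel > 0")
        new = set()
        for item in sysctl_value.split(","):
            item = item.strip()
            if not item:
                continue
            fsid, ino = item.split(":")
            new.add((int(fsid, 0), int(ino, 0)))
        self.entries = new

    def raise_securelevel(self, level: int) -> None:
        # The secure level only ever goes up on a running system; lowering
        # it is exactly the "except rebooting" case from the message.
        if level < self.securelevel:
            raise ValueError("securelevel cannot be lowered without a reboot")
        self.securelevel = level

    def allows(self, exe_path: str) -> bool:
        """Would a process running this executable be allowed to open BPF?

        A reinstalled binary gets a new inode and therefore fails the check,
        which is the reason the list is a runtime sysctl rather than a
        compiled-in constant.
        """
        st = os.stat(exe_path)
        return (st.st_dev, st.st_ino) in self.entries
```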