From: "Alexey V. Neyman" <avn@any.ru>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: ipfw rules and securelevel
Message-ID: <Pine.BSF.4.33.0105141925020.12545-100000@srv2.any>
In-Reply-To: <20010514180928.A52742@sunbay.com>
Hello there!

On Mon, 14 May 2001, Ruslan Ermilov wrote:

>+ if (req->newptr && securelevel >= 3)
>+ return (EPERM);

Then, maybe it's worth introducing a sysctl tuneable, which, once set, will prohibit all userland sysctl writing, and providing an interface for it in /etc/rc.conf, setting it at boot time. This will separate such functionality from kern.securelevel (I may prefer running at a securelevel lower than 3, still having sysctls protected).

As an improvement on what was said before, it can be good to be able to lock separate branches of the sysctl tree - i.e., setting net.sysctl_readonly to 1 protects the entire net.* branch from writing.

# Alexey
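Review bot: The threshold in "securelevel >= 3" is a bare constant with no comment, and the two quoted lines do not show which handler the check sits in, so the hunk alone does not say whether it covers one OID or every write request. Suggest a comment above the "if" stating what is denied at level 3, plus matching text in the securelevel documentation, since any request with req->newptr set now gets EPERM at that level.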
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.33.0105141925020.12545-100000>
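The branch lock proposed in the message, sketched as an added example (a userland model, not code from the thread or from FreeBSD). The function names, table sizes and the top-level "sysctl_readonly" lock for the whole tree are assumptions; only the net.sysctl_readonly leaf comes from the message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Userland model only, not FreeBSD kernel code. Every name here is
 * hypothetical except the "sysctl_readonly" leaf named in the message. */
#define MAX_LOCKS 8
#define BRANCH_MAX 64
#define LOCK_LEAF "sysctl_readonly"

static char locked[MAX_LOCKS][BRANCH_MAX]; /* locked branches; "" = whole tree */
static size_t nlocked;

/* True when oid is the branch itself or lies below it on a '.' boundary:
 * locking "net" covers "net.inet.ip.fw.enable" but not "netgraph.debug". */
static bool under_branch(const char *oid, const char *branch)
{
    size_t n = strlen(branch);

    if (n == 0)
        return true;
    return strncmp(oid, branch, n) == 0 && (oid[n] == '.' || oid[n] == '\0');
}

/* Model of a userland integer write to a named OID; returns 0 or an errno. */
int model_sysctl_write(const char *oid, int value)
{
    size_t len = strlen(oid), leaf = strlen(LOCK_LEAF), blen;

    /* A locked branch rejects every write below it, including a write to
     * its own lock leaf, so the lock cannot be cleared again. */
    for (size_t i = 0; i < nlocked; i++)
        if (under_branch(oid, locked[i]))
            return EPERM;

    /* Anything that is not "<branch>.sysctl_readonly" is an ordinary write. */
    if (len < leaf || strcmp(oid + len - leaf, LOCK_LEAF) != 0 ||
        (len > leaf && oid[len - leaf - 1] != '.'))
        return 0;
    if (value != 0 && value != 1)
        return EINVAL;
    if (value == 0)
        return 0;               /* already unlocked, nothing to do */
    blen = (len == leaf) ? 0 : len - leaf - 1;
    if (nlocked == MAX_LOCKS || blen >= BRANCH_MAX)
        return ENOSPC;
    memcpy(locked[nlocked], oid, blen);
    locked[nlocked++][blen] = '\0';
    return 0;
}
```

Because the lock leaf lives inside the branch it protects, the lock behaves as a one-way latch until reboot, which is the "once set" property the message asks for.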