Date: Tue, 12 Jun 2001 14:48:42 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
To: Valentin Nechayev <netch@iv.nn.kiev.ua>
Cc: gzjyliu@public.guangzhou.gd.cn, hackers@FreeBSD.ORG
Subject: Re: [PATCH] Limited BPF to the specified program
Message-ID: <Pine.NEB.3.96L.1010612144800.75080D-100000@fledge.watson.org>
In-Reply-To: <20010612110221.C923@iv.nn.kiev.ua>

On Tue, 12 Jun 2001, Valentin Nechayev wrote:

> Tue, Jun 12, 2001 at 10:48:38, gzjyliu (gzjyliu@public.guangzhou.gd.cn) wrote about "[PATCH] Limited BPF to the specified program":
>
> > So I can add the following lines to my kernel config file:
> > options BPF_LIMITED
> > options BPF_ALLOWED_DEVID=29696
> > options BPF_ALLOWED_FILEID=439
>
> Another proposition:
>
> (an example)
> sysctl -w net.bpf.allowed_users=0,29,133
> sysctl -w net.bpf.allowed_groups=0,215,216
> sysctl -w net.bpf.per_interface.fxp2.allowed_users=0,222
>
> But the best variant IMHO is not to produce strange hacks against
> mainstream development, but implement (via devfs) interface stream
> devices and interface control devices. If anyone wants to set access
> rights to interface, he will set ACL to /dev/fxp0.stream or similar.

Or we just add ACL support to devfs, and solve the devd/initial ACL
problem :-). (Ooo, don't I make that sound simple? :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message