Date: Tue, 12 Jun 2001 14:48:42 -0400 (EDT)
From: Robert Watson
To: Valentin Nechayev
Cc: gzjyliu@public.guangzhou.gd.cn, hackers@FreeBSD.ORG
Subject: Re: [PATCH] Limited BPF to the specified program
In-Reply-To: <20010612110221.C923@iv.nn.kiev.ua>

On Tue, 12 Jun 2001, Valentin Nechayev wrote:

> Tue, Jun 12, 2001 at 10:48:38, gzjyliu (gzjyliu@public.guangzhou.gd.cn) wrote about "[PATCH] Limited BPF to the specified program":
>
> > So I can add the following lines to my kernel config file:
> > options BPF_LIMITED
> > options BPF_ALLOWED_DEVID=29696
> > options BPF_ALLOWED_FILEID=439
>
> Another proposition:
>
> (an example)
> sysctl -w net.bpf.allowed_users=0,29,133
> sysctl -w net.bpf.allowed_groups=0,215,216
> sysctl -w net.bpf.per_interface.fxp2.allowed_users=0,222
>
> But the best variant IMHO is not to produce strange hacks against
> mainstream development, but implement (via devfs) interface stream
> devices and interface control devices. If anyone wants to set access
> rights to interface, he will set ACL to /dev/fxp0.stream or similar.

Or we just add ACL support to devfs, and solve the devd/initial ACL
problem :-). (Ooo, don't I make that sound simple? :-)

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services