Date: Tue, 12 Jun 2001 22:04:59 -0400 (EDT)
From: Robert Watson
To: Mike Silbersack
Cc: gzjyliu@public.guangzhou.gd.cn, hackers@FreeBSD.org
Subject: Re: [PATCH] Limited BPF to the specified program

On Tue, 12 Jun 2001, Mike Silbersack wrote:

> On Tue, 12 Jun 2001, Robert Watson wrote:
>
> > One of the things I actually played with implementing in the past was in
> > effect an "ACL" of allowed BPF programs by-uid. When a BPF program was
> > bound to an interface, the bpfilter code would hash by uid, then do a
> > rather expensive walk down a list of "acceptable filters" and see if the
> > program matched. This meant that you could, for example, allow specific
> > users to monitor specific types of packets (such as a specific port).
> > Since there isn't really a canonical form other than the de facto form
> > libpcap generates bpf code in, there are some limits to this, but it
> > worked fairly well. I didn't attempt to deal with the "which interfaces
> > can they bind" issue, however. I can see if I can dig up the code, or
> > it's fairly easy to replicate if not.
>
> That'd be an excellent feature, perhaps it could be used to make
> dhclient / others non-root in the future. It's probably overkill for
> the issue at hand, though. I get the impression that the patch in
> question was meant to insure that a rooted box couldn't be used for
> sniffing (without a new kernel.)

Actually, it was so that I could allow non-root uid's to perform certain
kinds of packet sniffing operations, but not others. It occurs to me, in
retrospect, that I didn't need to perform a program comparison, all I
really needed to do was determine that for every packet matched by a uid's
bpf filter, it was also accepted by the ACL filter. This gets around the
canonical representation issue by intersecting the two acceptance sets.
Go figure.

> Of course, if you have the appropriate filter already sitting around,
> maybe you could wrap it in an #ifdef and put out the patch for testing.
> :)

This was against a fairly old tree (maybe 3.0-CURRENT?), but I'll see if I
can dig it up this weekend.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services