Date: Mon, 13 Jan 2003 11:16:40 -0800 (PST)
From: Matthew Dillon
Message-Id: <200301131916.h0DJGe7p004746@apollo.backplane.com>
To: Maxime Henrion
Cc: Pawel Jakub Dawidek, Bruce Evans, cvs-committers@freebsd.org, cvs-all@freebsd.org, luigi@freebsd.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c

Something like this...

-Matt

Index: sys/sysctl.h =================================================================== RCS file: /home/ncvs/src/sys/sys/sysctl.h,v retrieving revision 1.111 diff -u -r1.111 sysctl.h --- sys/sysctl.h 4 Jan 2003 08:50:43 -0000 1.111 +++ sys/sysctl.h 13 Jan 2003 19:13:19 -0000 
@@ -86,6 +86,7 @@ #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */ +#define CTLFLAG_SECURE3 0x00800000 /* Permit set only if securelevel < 3 */ /* * USE THIS instead of a hardwired number from the categories below Index: kern/kern_sysctl.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_sysctl.c,v retrieving revision 1.136 diff -u -r1.136 kern_sysctl.c --- kern/kern_sysctl.c 11 Jan 2003 12:39:45 -0000 1.136 +++ kern/kern_sysctl.c 13 Jan 2003 19:14:52 -0000 @@ -1126,6 +1126,11 @@ if (error) return (error); } + if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE3)) { + error = securelevel_gt(req->td->td_ucred, 2); + if (error) + return (error); + } /* Is this sysctl writable by only privileged users? */ if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) { Index: netinet/ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.22 diff -u -r1.22 ip_fw2.c --- netinet/ip_fw2.c 27 Dec 2002 17:43:25 -0000 1.22 +++ netinet/ip_fw2.c 13 Jan 2003 19:15:17 -0000 @@ -112,7 +112,7 @@ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, &autoinc_step, 0, "Rule number autincrement step"); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
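
Review bot: in sys/sysctl.h, CTLFLAG_SECURE3 bakes a single securelevel into the flag name and spends a whole bit (0x00800000) on it, so gating a sysctl at any other level would need yet another flag. If more thresholds are likely, consider reserving a small field in the flags word for the level instead. The hunk context shows only the three flags directly above the new one, so also confirm that 0x00800000 is not already used elsewhere in the header.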
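
Review bot: in kern/kern_sysctl.c, the new block passes the literal 2 to securelevel_gt() while the flag's comment in sysctl.h reads "Permit set only if securelevel < 3", and the block carries no comment, unlike the privilege check directly after it. Add a one-line comment above the block, for example /* CTLFLAG_SECURE3: deny writes once securelevel exceeds 2 */, so a reader does not have to work out that the two statements describe the same threshold.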
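
Review bot: in netinet/ip_fw2.c, CTLFLAG_SECURE is replaced by CTLFLAG_SECURE3 on the enable OID rather than supplemented, so whatever write restriction CTLFLAG_SECURE applied below securelevel 3 no longer covers net.inet.ip.fw.enable. If that relaxation is intended, state it in the commit message and in ipfw.8. autoinc_step in the same hunk stays plain CTLFLAG_RW, so it is worth saying which of the fw sysctls are meant to be governed by securelevel at all.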