From owner-p4-projects Wed May 1 17:44:23 2002
Date: Wed, 1 May 2002 17:43:48 -0700 (PDT)
Message-Id: <200205020043.g420hmh34827@freefall.freebsd.org>
From: Robert Watson
Subject: PERFORCE change 10620 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=10620

Change 10620 by rwatson@rwatson_curry on 2002/05/01 17:42:55

	Add a sysctl/tunable to exempt BPF reception from the mac_ifoff
	policy.  This makes it possible to have the module loaded to
	"silence" the outgoing stack, yet still use BPF to monitor the
	interface.  Some caution should be used when combining this with
	applications that use BPF, such as dhclient.

Affected files ...

... //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#2 (text+ko) ====
@@ -89,6 +89,12 @@ &mac_ifoff_other_enabled, 0, "Enable other interfaces"); TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled); +static int mac_ifoff_bpfrecv_enabled = 0; +SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW, + &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface " + "is disabled"); +TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled); + int check_ifnet_outgoing(struct ifnet *ifnet) { @@ -106,7 +112,7 @@ } int -check_ifnet_incoming(struct ifnet *ifnet) +check_ifnet_incoming(struct ifnet *ifnet, int viabpf) { if (mac_ifoff_enabled == 0) return (0); @@ -117,6 +123,9 @@ if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP) return (0); + if (isbpf && mac_ifoff_bpfrecv_enabled) + return (0); + return (EPERM); } @@ -132,7 +141,7 @@ struct ifnet *ifnet) { - return (check_ifnet_incoming(ifnet)); + return (check_ifnet_incoming(ifnet, 1)); } mac_ifoff_socket_check_receive_mbuf(struct socket *so, struct mbuf *m) @@ -140,7 +149,7 @@ if (m->m_flags & M_PKTHDR) { if (m->m_pkthdr.rcvif != NULL) - return (check_ifnet_incoming(ifnet)); + return (check_ifnet_incoming(ifnet, 0)); } return (0);
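Review bot: the TUNABLE_INT name in the first hunk (@@ -89,6 +89,12 @@) does not match the sysctl it is paired with. The SYSCTL_INT registers `bpfrecv_enabled` under `_security_mac_ifoff`, i.e. `security.mac.ifoff.bpfrecv_enabled`, but the tunable is spelled `"security.mac.ifoff.bpfrecv.enabled"` (dot instead of underscore), so a loader.conf entry using the sysctl name will not take effect at boot. The existing `other_enabled` pair two lines above uses the same string for both; change the new line to `TUNABLE_INT("security.mac.ifoff.bpfrecv_enabled", &mac_ifoff_bpfrecv_enabled);`.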
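Review bot: the third hunk (@@ -117,6 +123,9 @@) tests a variable that does not exist. The new prototype in the second hunk is `check_ifnet_incoming(struct ifnet *ifnet, int viabpf)`, but the added check reads `if (isbpf && mac_ifoff_bpfrecv_enabled)`, so this will not compile. Use one name in both places; `viabpf` matches what the two callers pass (1 from the BPF descriptor path, 0 from the socket path).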
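Review bot: in the fourth hunk (@@ -132,7 +141,7 @@) the exemption is unconditional for any BPF consumer, since this path always passes `1`. Once `bpfrecv_enabled` is set, every process that can open a BPF device receives traffic from an interface the policy otherwise silences; that is the stated purpose, and the commit message already warns about dhclient, but because the knob is `CTLFLAG_RW` it can also be flipped at runtime, so the description string "Enable BPF reception even when interface is disabled" should make clear that it is a deliberate weakening of the ifoff policy for BPF readers only, with outgoing traffic and socket delivery still denied.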
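Review bot: the last hunk (@@ -140,7 +149,7 @@) passes a variable named `ifnet` to `check_ifnet_incoming(ifnet, 0)`, but `ifnet` is not among the visible parameters of `mac_ifoff_socket_check_receive_mbuf(struct socket *so, struct mbuf *m)`, and no local declaration is shown in the context. The interface that actually received the packet is `m->m_pkthdr.rcvif`, which the preceding line already tests for NULL; passing that (`return (check_ifnet_incoming(m->m_pkthdr.rcvif, 0));`) removes any doubt about what `ifnet` refers to here. The `-` line has the same issue, so this predates the change, but it is worth fixing while the call is being touched.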