Date: Wed, 1 May 2002 17:43:48 -0700 (PDT) From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 10620 for review Message-ID: <200205020043.g420hmh34827@freefall.freebsd.org>
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=10620
Change 10620 by rwatson@rwatson_curry on 2002/05/01 17:42:55
Add a sysctl/tunable to exempt BPF reception from the mac_ifoff policy. This makes it possible to have the module loaded to "silence" the outgoing stack, yet still use BPF to monitor the interface. Some caution should be used when combing this with applications that use BPF, such as dhclient.
Affected files ...
... //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/mac/sys/security/mac_ifoff/mac_ifoff.c#2 (text+ko) ====
@@ -89,6 +89,12 @@
 &mac_ifoff_other_enabled, 0, "Enable other interfaces");
 TUNABLE_INT("security.mac.ifoff.other_enabled", &mac_ifoff_other_enabled);
 
+static int mac_ifoff_bpfrecv_enabled = 0;
+SYSCTL_INT(_security_mac_ifoff, OID_AUTO, bpfrecv_enabled, CTLFLAG_RW,
+ &mac_ifoff_bpfrecv_enabled, 0, "Enable BPF reception even when interface "
+ "is disabled");
+TUNABLE_INT("security.mac.ifoff.bpfrecv.enabled", &mac_ifoff_bpfrecv_enabled);
+
 int
 check_ifnet_outgoing(struct ifnet *ifnet)
 {
@@ -106,7 +112,7 @@
 }
 
 int
-check_ifnet_incoming(struct ifnet *ifnet)
+check_ifnet_incoming(struct ifnet *ifnet, int viabpf)
 {
 if (mac_ifoff_enabled == 0)
 return (0);
@@ -117,6 +123,9 @@
 if (mac_ifoff_other_enabled && ifnet->if_type != IFT_LOOP)
 return (0);
 
+ if (isbpf && mac_ifoff_bpfrecv_enabled)
+ return (0);
+
 return (EPERM);
 }
 
@@ -132,7 +141,7 @@
 struct ifnet *ifnet)
 {
 
- return (check_ifnet_incoming(ifnet));
+ return (check_ifnet_incoming(ifnet, 1));
 }
 
 mac_ifoff_socket_check_receive_mbuf(struct socket *so, struct mbuf *m)
@@ -140,7 +149,7 @@
 
 if (m->m_flags & M_PKTHDR) {
 if (m->m_pkthdr.rcvif != NULL)
- return (check_ifnet_incoming(ifnet));
+ return (check_ifnet_incoming(ifnet, 0));
 }
 
 return (0);
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
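Review bot: The TUNABLE_INT name `security.mac.ifoff.bpfrecv.enabled` in the first hunk does not match the sysctl the same hunk declares, which is reachable as `security.mac.ifoff.bpfrecv_enabled` (OID `bpfrecv_enabled` under `_security_mac_ifoff`), nor the sibling tunable `security.mac.ifoff.other_enabled` two lines above it, so a loader setting written with the sysctl name would never seed `mac_ifoff_bpfrecv_enabled` at boot. The line should read `TUNABLE_INT("security.mac.ifoff.bpfrecv_enabled", &mac_ifoff_bpfrecv_enabled);`. Since this knob is CTLFLAG_RW like its siblings and re-exposes traffic that the policy otherwise silences, a short comment above the declaration stating that it is intended for monitoring only and defaults to off would help operators reading the module.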
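Review bot: The guard added in the third hunk tests `isbpf`, but the parameter introduced on `check_ifnet_incoming` in the previous hunk is named `viabpf`, so unless a local `isbpf` is declared in the unseen lines between the two hunks this does not compile; the test should be `if (viabpf && mac_ifoff_bpfrecv_enabled)`. Both call sites in the last two hunks pass a bare `1`/`0` literal, so the parameter deserves a comment at the definition, e.g. `/* viabpf: non-zero when the packet is being delivered to a BPF listener, zero for the protocol stack */`. The body of check_ifnet_incoming begins in the previous hunk, outside this one.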