From owner-cvs-all Mon Jan 13 12:13: 5 2003 Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A69337B401; Mon, 13 Jan 2003 12:13:03 -0800 (PST) Received: from harmony.village.org (rover.bsdimp.com [204.144.255.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5759D43ED8; Mon, 13 Jan 2003 12:13:01 -0800 (PST) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.12.6/8.12.3) with ESMTP id h0DKCp1e015631; Mon, 13 Jan 2003 13:12:51 -0700 (MST) (envelope-from imp@harmony.village.org) Message-Id: <200301132012.h0DKCp1e015631@harmony.village.org> To: Matthew Dillon Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c Cc: Maxime Henrion , Pawel Jakub Dawidek , Bruce Evans , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, luigi@FreeBSD.org In-reply-to: Your message of "Mon, 13 Jan 2003 11:16:40 PST." <200301131916.h0DJGe7p004746@apollo.backplane.com> References: <200301131916.h0DJGe7p004746@apollo.backplane.com> <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl> <200301131859.h0DIx2pa004540@apollo.backplane.com> <20030113190506.GF16775@elvis.mu.org> Date: Mon, 13 Jan 2003 13:12:51 -0700 
From: Warner Losh Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In message <200301131916.h0DJGe7p004746@apollo.backplane.com> Matthew Dillon writes: : Something like this... This change looks good in its surface. It would be more generic to add a few bits to the CTLFLAGS that contain the secure level. Something more like the following would be better for the long term. I've not tested it, so it might have stupid typos in it. Warner P.S. You'd still need your patch to ip_fw2 that I've not included here. Index: sys/sysctl.h =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/sys/sys/sysctl.h,v retrieving revision 1.110 diff -u -r1.110 sysctl.h --- sys/sysctl.h 20 Oct 2002 22:48:08 -0000 1.110 +++ sys/sysctl.h 13 Jan 2003 20:09:58 -0000 @@ -86,6 +86,11 @@ #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */ +#define CTLFLAG_SECLVL_M 0x00f00000 /* security level mask */ +#define CTLFLAG_SECLVL_S 20 +#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (1 << CTLFLAG_SECLVL_S)) +#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (2 << CTLFLAG_SECLVL_S)) +#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (3 << CTLFLAG_SECLVL_S)) /* * USE THIS instead of a hardwired number from the categories below Index: kern/kern_sysctl.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_sysctl.c,v retrieving revision 1.135 diff -u -r1.135 kern_sysctl.c --- kern/kern_sysctl.c 27 Oct 2002 07:12:34 -0000 1.135 +++ kern/kern_sysctl.c 13 Jan 2003 20:10:38 -0000 
@@ -1098,7 +1098,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS) { struct sysctl_oid *oid; - int error, indx; + int error, indx, lvl; error = sysctl_find_oid(arg1, arg2, &oid, &indx, req); if (error) @@ -1122,7 +1122,8 @@ /* Is this sysctl sensitive to securelevels? */ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { - error = securelevel_gt(req->td->td_ucred, 0); + lvl = (oid->oid_kind & CTLFLAG_SECLVL_M) >> CTLFLAG_SECLVL_S; + error = securelevel_gt(req->td->td_ucred, lvl); if (error) return (error); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
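Review bot: in the sys/sysctl.h hunk the level encoded by CTLFLAG_SECURE1..3 is off by one relative to how sysctl_root consumes it. securelevel_gt(cred, lvl) refuses the write only when the running securelevel is greater than lvl, which is why the existing CTLFLAG_SECURE path passes 0 to refuse writes at securelevel 1 and above. With CTLFLAG_SECURE1 defined as (CTLFLAG_SECURE | (1 << CTLFLAG_SECLVL_S)), lvl comes out as 1 and the write is refused only from securelevel 2 onward, so a sysctl tagged SECURE1 is looser than plain CTLFLAG_SECURE, and SECURE3 (lvl 3) is never refused because the securelevel does not go above 3. Either encode the field as one less than the name (SECURE1 -> 0 << shift, SECURE2 -> 1 << shift, SECURE3 -> 2 << shift), which also keeps plain CTLFLAG_SECURE equivalent to SECURE1, or subtract one in sysctl_root. Also, the three new defines are the only entries in that block without a trailing comment; a one-liner such as "refuse writes at securelevel >= N" would pin down the intended semantics for the next reader.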
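Review bot: in the kern/kern_sysctl.c hunk the lvl extraction sits inside the existing `if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE))`, so level bits on an oid that lacks CTLFLAG_SECURE are silently ignored. That is fine for the CTLFLAG_SECUREn macros, which OR in CTLFLAG_SECURE, but a flag assembled by hand from CTLFLAG_SECLVL_M gets no securelevel check at all. Either widen the test to `oid->oid_kind & (CTLFLAG_SECURE | CTLFLAG_SECLVL_M)` or state next to CTLFLAG_SECLVL_M that the level bits mean nothing without CTLFLAG_SECURE. Two smaller points: lvl is assigned and used only inside this block, so it can be declared there rather than at function scope alongside error and indx; and the 4-bit field admits values 4..15 that no securelevel can exceed, so a mis-encoded flag would quietly disable the check. Clamping lvl to the highest meaningful level, or at least noting the assumption in a comment, would catch that early.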