Date: Mon, 13 Jan 2003 12:20:09 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Warner Losh <imp@harmony.village.org>
Cc: Maxime Henrion <mux@FreeBSD.ORG>, Pawel Jakub Dawidek <nick@garage.freebsd.pl>, Bruce Evans <bde@zeta.org.au>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <200301132020.h0DKK9k3038226@apollo.backplane.com>
References: <200301131916.h0DJGe7p004746@apollo.backplane.com> <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl> <200301131859.h0DIx2pa004540@apollo.backplane.com> <20030113190506.GF16775@elvis.mu.org> <200301132012.h0DKCp1e015631@harmony.village.org>
I like it. It isn't any more or less complex than having two conditionals
and it is more flexible. If nothing else comes up I will incorporate
this and commit it tonight.
-Matt
Matthew Dillon
<dillon@backplane.com>
:This change looks good on its surface. It would be more generic to
:add a few bits to the CTLFLAGS that contain the secure level.
:Something more like the following would be better for the long term.
:I've not tested it, so it might have stupid typos in it.
:
:Warner
:
:P.S. You'd still need your patch to ip_fw2 that I've not included here.
:
:Index: sys/sysctl.h
:===================================================================
:RCS file: /home/imp/FreeBSD/CVS/src/sys/sys/sysctl.h,v
:retrieving revision 1.110
:diff -u -r1.110 sysctl.h
:--- sys/sysctl.h 20 Oct 2002 22:48:08 -0000 1.110
:+++ sys/sysctl.h 13 Jan 2003 20:09:58 -0000
:@@ -86,6 +86,11 @@
: #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
: #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */
: #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */
:+#define CTLFLAG_SECLVL_M 0x00f00000 /* security level mask */
:+#define CTLFLAG_SECLVL_S 20
:+#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (1 << CTLFLAG_SECLVL_S))
:+#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (2 << CTLFLAG_SECLVL_S))
:+#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (3 << CTLFLAG_SECLVL_S))
:
: /*
: * USE THIS instead of a hardwired number from the categories below
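Review bot: The names CTLFLAG_SECURE1 through CTLFLAG_SECURE3 in the added defines do not say which securelevel actually blocks the write. The stored value n is what the kern_sysctl.c hunk passes to securelevel_gt(), so if that call fails only when the securelevel is greater than its argument (as its name suggests), CTLFLAG_SECURE1 starts refusing writes at securelevel 2, while plain CTLFLAG_SECURE (stored value 0) is the flag that refuses at securelevel 1. Either encode n - 1 in the macros or add a comment on each one stating the securelevel at which writes are refused. CTLFLAG_SECLVL_S also has no comment, and it is worth confirming that no flag outside the visible context already uses bits in 0x00f00000.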
:Index: kern/kern_sysctl.c
:===================================================================
:RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_sysctl.c,v
:retrieving revision 1.135
:diff -u -r1.135 kern_sysctl.c
:--- kern/kern_sysctl.c 27 Oct 2002 07:12:34 -0000 1.135
:+++ kern/kern_sysctl.c 13 Jan 2003 20:10:38 -0000
:@@ -1098,7 +1098,7 @@
: sysctl_root(SYSCTL_HANDLER_ARGS)
: {
: struct sysctl_oid *oid;
:- int error, indx;
:+ int error, indx, lvl;
:
: error = sysctl_find_oid(arg1, arg2, &oid, &indx, req);
: if (error)
:@@ -1122,7 +1122,8 @@
:
: /* Is this sysctl sensitive to securelevels? */
: if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
:- error = securelevel_gt(req->td->td_ucred, 0);
:+ lvl = (oid->oid_kind & CTLFLAG_SECLVL_M) >> CTLFLAG_SECLVL_S;
:+ error = securelevel_gt(req->td->td_ucred, lvl);
: if (error)
: return (error);
: }
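Review bot: The extracted lvl is used without a range check in "error = securelevel_gt(req->td->td_ucred, lvl);". CTLFLAG_SECLVL_M is four bits wide, so an oid can carry any value from 0 to 15 although the header defines only 1 through 3. If securelevel_gt() fails only when the securelevel exceeds its argument, a value at or above the highest securelevel the system can reach leaves a CTLFLAG_SECURE oid writable at every level, with no diagnostic. Consider rejecting or asserting on out-of-range values where the oid is registered, and update the comment above the test to say that the level comes from oid_kind. Oids that set only CTLFLAG_SECURE yield lvl 0 and keep the old securelevel_gt(..., 0) check, provided none of them has stray bits under the mask.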
