Date: Mon, 13 Jan 2003 12:20:09 -0800 (PST)
From: Matthew Dillon
To: Warner Losh
Cc: Maxime Henrion, Pawel Jakub Dawidek, Bruce Evans, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, luigi@FreeBSD.ORG
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c

I like it. It isn't any more or less complex than having two
conditionals and it is more flexible. If nothing else comes up I will
incorporate this and commit it tonight.

-Matt
Matthew Dillon

:This change looks good on its surface. It would be more generic to
:add a few bits to the CTLFLAGS that contain the secure level.
:Something more like the following would be better for the long term.
:I've not tested it, so it might have stupid typos in it.
:
:Warner
:
:P.S. You'd still need your patch to ip_fw2 that I've not included here.
: :Index: sys/sysctl.h :=================================================================== :RCS file: /home/imp/FreeBSD/CVS/src/sys/sys/sysctl.h,v :retrieving revision 1.110 :diff -u -r1.110 sysctl.h :--- sys/sysctl.h 20 Oct 2002 22:48:08 -0000 1.110 :+++ sys/sysctl.h 13 Jan 2003 20:09:58 -0000 :@@ -86,6 +86,11 @@ : #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ : #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ : #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */ :+#define CTLFLAG_SECLVL_M 0x00f00000 /* security level mask */ :+#define CTLFLAG_SECLVL_S 20 :+#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (1 << CTLFLAG_SECLVL_S)) :+#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (2 << CTLFLAG_SECLVL_S)) :+#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (3 << CTLFLAG_SECLVL_S)) : : /* : * USE THIS instead of a hardwired number from the categories below :Index: kern/kern_sysctl.c :=================================================================== :RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_sysctl.c,v :retrieving revision 1.135 :diff -u -r1.135 kern_sysctl.c :--- kern/kern_sysctl.c 27 Oct 2002 07:12:34 -0000 1.135 :+++ kern/kern_sysctl.c 13 Jan 2003 20:10:38 -0000 :@@ -1098,7 +1098,7 @@ : sysctl_root(SYSCTL_HANDLER_ARGS) : { : struct sysctl_oid *oid; :- int error, indx; :+ int error, indx, lvl; : : error = sysctl_find_oid(arg1, arg2, &oid, &indx, req); : if (error) :@@ -1122,7 +1122,8 @@ : : /* Is this sysctl sensitive to securelevels? */ : if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { :- error = securelevel_gt(req->td->td_ucred, 0); :+ lvl = (oid->oid_kind & CTLFLAG_SECLVL_M) >> CTLFLAG_SECLVL_S; :+ error = securelevel_gt(req->td->td_ucred, lvl); : if (error) : return (error); : } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
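Review bot: In the sys/sysctl.h hunk, the names CTLFLAG_SECURE1 through CTLFLAG_SECURE3 do not say at which securelevel the sysctl becomes read-only. The kern_sysctl.c check passes the encoded value straight to securelevel_gt(), so CTLFLAG_SECURE2 denies writes only once the securelevel is above 2, not at 2. A comment on each define stating the threshold (for example "write denied when securelevel > 2") would prevent off-by-one use, and CTLFLAG_SECLVL_S has no comment at all. It is also worth confirming that the 0x00f00000 bits are not already taken by a CTLFLAG_* definition outside the context shown, since the visible flags only go down to 0x01000000.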
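Review bot: In the second kern/kern_sysctl.c hunk, the comment "Is this sysctl sensitive to securelevels?" above the changed lines no longer tells the reader where the threshold comes from. Suggest extending it to say that the level is read from the CTLFLAG_SECLVL_M bits of oid_kind and that a plain CTLFLAG_SECURE yields 0, which keeps the old securelevel_gt(req->td->td_ucred, 0) behaviour for existing oids. The 4-bit mask admits values up to 15 while only 1 to 3 have named flags in sysctl.h; a short note that the higher values are currently unused would help the next reader.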