Date: Mon, 13 Jan 2003 11:16:40 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Maxime Henrion <mux@freebsd.org>
Cc: Pawel Jakub Dawidek <nick@garage.freebsd.pl>, Bruce Evans <bde@zeta.org.au>, cvs-committers@freebsd.org, cvs-all@freebsd.org, luigi@freebsd.org
Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c
Message-ID: <200301131916.h0DJGe7p004746@apollo.backplane.com>
References: <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl> <200301131859.h0DIx2pa004540@apollo.backplane.com> <20030113190506.GF16775@elvis.mu.org>
Something like this...
-Matt
Index: sys/sysctl.h
===================================================================
RCS file: /home/ncvs/src/sys/sys/sysctl.h,v
retrieving revision 1.111
diff -u -r1.111 sysctl.h
--- sys/sysctl.h 4 Jan 2003 08:50:43 -0000 1.111
+++ sys/sysctl.h 13 Jan 2003 19:13:19 -0000
@@ -86,6 +86,7 @@
#define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
#define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */
#define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */
+#define CTLFLAG_SECURE3 0x00800000 /* Permit set only if securelevel < 3 */
/*
* USE THIS instead of a hardwired number from the categories below
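Review bot: the new flag is dropped in at 0x00800000 directly below CTLFLAG_SKIP (0x01000000) with nothing in the hunk showing which bits of oid_kind are still free or where the CTLTYPE mask ends, so please confirm that bit is not already claimed elsewhere in sysctl.h before this goes in. The name CTLFLAG_SECURE3 also reads as a variant of the existing CTLFLAG_SECURE without saying how the two differ; the comment should state the relationship, for example `/* Permit set only if securelevel < 3 (cf. CTLFLAG_SECURE) */`, so a reader does not have to open kern_sysctl.c to learn which flag is stricter.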
Index: kern/kern_sysctl.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.136
diff -u -r1.136 kern_sysctl.c
--- kern/kern_sysctl.c 11 Jan 2003 12:39:45 -0000 1.136
+++ kern/kern_sysctl.c 13 Jan 2003 19:14:52 -0000
@@ -1126,6 +1126,11 @@
if (error)
return (error);
}
+ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE3)) {
+ error = securelevel_gt(req->td->td_ucred, 2);
+ if (error)
+ return (error);
+ }
/* Is this sysctl writable by only privileged users? */
if (req->newptr && !(oid->oid_kind & CTLFLAG_ANYBODY)) {
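Review bot: the added block is a second copy of the securelevel check immediately above it (the trailing `if (error) return (error); }` context has the same shape), differing only in the flag tested and the level passed to securelevel_gt(). Rather than two copy-pasted blocks, derive the threshold from the flag bits once under a single `req->newptr` test, so that a future level does not add a third copy. On correctness, `securelevel_gt(req->td->td_ucred, 2)` denies the write once securelevel exceeds 2, which does agree with the sysctl.h comment's "securelevel < 3"; a one-line comment on the block saying so, in the style of the `/* Is this sysctl writable by only privileged users? */` line that follows, would make that intent explicit.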
Index: netinet/ip_fw2.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v
retrieving revision 1.22
diff -u -r1.22 ip_fw2.c
--- netinet/ip_fw2.c 27 Dec 2002 17:43:25 -0000 1.22
+++ netinet/ip_fw2.c 13 Jan 2003 19:15:17 -0000
@@ -112,7 +112,7 @@
#ifdef SYSCTL_NODE
SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable,
- CTLFLAG_RW | CTLFLAG_SECURE,
+ CTLFLAG_RW | CTLFLAG_SECURE3,
&fw_enable, 0, "Enable ipfw");
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW,
&autoinc_step, 0, "Rule number autincrement step");
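Review bot: this hunk weakens the protection on net.inet.ip.fw.enable: the knob was previously governed by CTLFLAG_SECURE and is now writable at any securelevel below 3, so on a host running at securelevel 1 or 2 the firewall can once again be switched off through sysctl. That is a deliberate policy change and belongs in the commit message and in ipfw.8 (which the subject line shows is already being edited), neither of which this diff touches. Note also that only `enable` moves to CTLFLAG_SECURE3; the neighbouring net.inet.ip.fw knobs visible here (autoinc_step on plain CTLFLAG_RW) keep their existing semantics, which is worth stating so nobody assumes the whole subtree changed. Drive-by: the context line "Rule number autincrement step" has a typo (autoincrement) that could be fixed while this file is being touched.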
