Date: Mon, 13 Jan 2003 13:12:51 -0700 From: Warner Losh <imp@harmony.village.org> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: Maxime Henrion <mux@FreeBSD.org>, Pawel Jakub Dawidek <nick@garage.freebsd.pl>, Bruce Evans <bde@zeta.org.au>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, luigi@FreeBSD.org Subject: Re: cvs commit: src/sbin/ipfw ipfw.8 ipfw2.c Message-ID: <200301132012.h0DKCp1e015631@harmony.village.org> In-Reply-To: Your message of "Mon, 13 Jan 2003 11:16:40 PST." <200301131916.h0DJGe7p004746@apollo.backplane.com> References: <200301131916.h0DJGe7p004746@apollo.backplane.com> <20030113082610.GH9430@garage.freebsd.pl> <20030113222917.C12128-100000@gamplex.bde.org> <20030113140700.GP9430@garage.freebsd.pl> <200301131859.h0DIx2pa004540@apollo.backplane.com> <20030113190506.GF16775@elvis.mu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <200301131916.h0DJGe7p004746@apollo.backplane.com> Matthew Dillon writes:
: Something like this...
This change looks good in its surface. It would be more generic to
add a few bits to the CTLFLAGS that contain the secure level.
Something more like the following would be better for the long term.
I've not tested it, so it might have stupid typos in it.
Warner
P.S. You'd still need your patch to ip_fw2 that I've not included here.
Index: sys/sysctl.h
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sys/sys/sysctl.h,v
retrieving revision 1.110
diff -u -r1.110 sysctl.h
--- sys/sysctl.h 20 Oct 2002 22:48:08 -0000 1.110
+++ sys/sysctl.h 13 Jan 2003 20:09:58 -0000
@@ -86,6 +86,11 @@
#define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */
#define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */
#define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */
+#define CTLFLAG_SECLVL_M 0x00f00000 /* security level mask */
+#define CTLFLAG_SECLVL_S 20
+#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (1 << CTLFLAG_SECLVL_S))
+#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (2 << CTLFLAG_SECLVL_S))
+#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (3 << CTLFLAG_SECLVL_S))
/*
* USE THIS instead of a hardwired number from the categories below
Index: kern/kern_sysctl.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.135
diff -u -r1.135 kern_sysctl.c
--- kern/kern_sysctl.c 27 Oct 2002 07:12:34 -0000 1.135
+++ kern/kern_sysctl.c 13 Jan 2003 20:10:38 -0000
@@ -1098,7 +1098,7 @@
sysctl_root(SYSCTL_HANDLER_ARGS)
{
struct sysctl_oid *oid;
- int error, indx;
+ int error, indx, lvl;
error = sysctl_find_oid(arg1, arg2, &oid, &indx, req);
if (error)
@@ -1122,7 +1122,8 @@
/* Is this sysctl sensitive to securelevels? */
if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) {
- error = securelevel_gt(req->td->td_ucred, 0);
+ lvl = (oid->oid_kind & CTLFLAG_SECLVL_M) >> CTLFLAG_SECLVL_S;
+ error = securelevel_gt(req->td->td_ucred, lvl);
if (error)
return (error);
}
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200301132012.h0DKCp1e015631>