diff options
| author | csjp <csjp@FreeBSD.org> | 2005-08-22 19:35:48 +0000 |
|---|---|---|
| committer | csjp <csjp@FreeBSD.org> | 2005-08-22 19:35:48 +0000 |
| commit | a41f7da35fb244fe048fbcc3b5c1f9bab176fb10 (patch) | |
| tree | 9cbeb56763a05e4d72f4614d25bfc5038a8173c5 /sys/net/bpfdesc.h | |
| parent | 1fafbd1bb50e664ea2bb5c119df2e1779e16744e (diff) | |
| download | FreeBSD-src-a41f7da35fb244fe048fbcc3b5c1f9bab176fb10.zip FreeBSD-src-a41f7da35fb244fe048fbcc3b5c1f9bab176fb10.tar.gz | |
Introduce two new ioctl(2) commands, BIOCLOCK and BIOCSETWF. These commands
enhance the security of bpf(4) by further relinquishing the privilege of
the bpf(4) consumer (assuming the ioctl commands are being implemented).
Once BIOCLOCK is executed, the device becomes locked which prevents the
execution of ioctl(2) commands which can change the underly parameters of the
bpf(4) device. An example might be the setting of bpf(4) filter programs or
attaching to different network interfaces.
BIOCSETWF can be used to set write filters for outgoing packets. Currently if
a bpf(4) consumer is compromised, the bpf(4) descriptor can essentially be used
as a raw socket, regardless of consumer's UID. Write filters give users the
ability to constrain which packets can be sent through the bpf(4) descriptor.
These features are currently implemented by a couple programs which came from
OpenBSD, such as the new dhclient and pflogd.
-Modify bpf_setf(9) to accept a "cmd" parameter. This will be used to specify
whether a read or write filter is to be set.
-Add a bpf(4) filter program as a parameter to bpf_movein(9) as we will run the
filter program on the mbuf data once we move the packet in from user-space.
-Rather than execute two uiomove operations, (one for the link header and the
other for the packet data), execute one and manually copy the linker header
into the sockaddr structure via bcopy.
-Restructure bpf_setf to compensate for write filters, as well as read.
-Adjust bpf(4) stats structures to include a bd_locked member.
It should be noted that the FreeBSD and OpenBSD implementations differ a bit in
the sense that we unconditionally enforce the lock, where OpenBSD enforces it
only if the calling credential is not root.
Idea from: OpenBSD
Reviewed by: mlaier
Diffstat (limited to 'sys/net/bpfdesc.h')
| -rw-r--r-- | sys/net/bpfdesc.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/net/bpfdesc.h b/sys/net/bpfdesc.h index 63f8987..39a1340 100644 --- a/sys/net/bpfdesc.h +++ b/sys/net/bpfdesc.h @@ -69,7 +69,8 @@ struct bpf_d { struct bpf_if * bd_bif; /* interface descriptor */ u_long bd_rtout; /* Read timeout in 'ticks' */ - struct bpf_insn *bd_filter; /* filter code */ + struct bpf_insn *bd_rfilter; /* read filter code */ + struct bpf_insn *bd_wfilter; /* write filter code */ u_long bd_rcount; /* number of packets received */ u_long bd_dcount; /* number of packets dropped */ @@ -95,6 +96,7 @@ struct bpf_d { u_long bd_fcount; /* number of packets which matched filter */ pid_t bd_pid; /* PID which created descriptor */ char bd_pcomm[MAXCOMLEN + 1]; + int bd_locked; /* true if descriptor is locked */ }; /* Values for bd_state */ @@ -147,6 +149,7 @@ struct xbpf_d { pid_t bd_pid; char bd_ifname[IFNAMSIZ]; char bd_pcomm[MAXCOMLEN + 1]; + int bd_locked; }; #define BPFIF_LOCK(bif) mtx_lock(&(bif)->bif_mtx) |
