Warner Losh wrote:
> 
> In message <37a3b701.851df...@softweyr.com> Wes Peters writes:
> : Do we have a list of all services that use bpf?  I'm willing to edit the man
> : pages, given a list.  I guess I could just grep-o-matic here, huh?
> 
> Yes.  I'm also in a holding off pattern until we know the exact impact
> for all daemons that use this...

I think I found a solution that may be better (although more complicated):

Let the sysadmin to define a bpf filter for the packets that are considered
OK (say, DHCP or RARP or RBOOT or whatever else this installation needs for
normal functioning). Provide some typical examples.

After this filter is defined and the system goes to a higher security
level bpf first applies this filter to all the incoming packets, and only
if they pass this filter they are checked for application-specified filters.
If there is no such "master" filter defined then bpf can just deny
new open()s as proposed earlier. This will allow the applications to 
use bpf but only for the purposes defined in the master filter. This 
also resolves the problem of services re-opening bpf after SIGHUP.

And speaking on the issue of bpf enabled in GENERIC, I'm strongly pro it.
Having bpf disabled is a big pain. May be it would be better to provide
a separate prototype configuration file, say, SECURE with all the
dangerous things disabled and explanations why they are disabled,
so that peoples will think twice before re-enabling them.

-SB


To Unsubscribe: send mail to majord...@freebsd.org
with "unsubscribe freebsd-hackers" in the body of the message

Reply via email to