On Tue, 12 Jun 2001, Mike Silbersack wrote:
> On Tue, 12 Jun 2001, Robert Watson wrote:
>
> > One of the things I actually played with implementing in the past was in
> > effect an "ACL" of allowed BPF programs by-uid. When a BPF program was
> > bound to an interface, the bpfilter code would hash by uid, then do a
> > rather expensive walk down a list of "acceptable filters" and see if the
> > program matched. This meant that you could, for example, allow specific
> > users to monitor specific types of packets (such as a specific port).
> > Since there isn't really a canonical form other than the de facto form
> > libpcap generates bpf code in, there are some limits to this, but it
> > worked fairly well. I didn't attempt to deal with the "which interfaces
> > can they bind" issue, however. I can see if I can dig up the code, or
> > it's fairly easy to replicate if not.
>
> That'd be an excellent feature, perhaps it could be used to make
> dhclient / others non-root in the future. It's probably overkill for
> the issue at hand, though. I get the impression that the patch in
> question was meant to ensure that a rooted box couldn't be used for
> sniffing (without a new kernel.)

Actually, it was so that I could allow non-root uids to perform certain
kinds of packet sniffing operations, but not others. It occurs to me, in
retrospect, that I didn't need to perform a program comparison; all I
really needed to do was determine that for every packet matched by a uid's
bpf filter, it was also accepted by the ACL filter. This gets around the
canonical representation issue by intersecting the two acceptance sets.
Go figure.

> Of course, if you have the appropriate filter already sitting around,
> maybe you could wrap it in an #ifdef and put out the patch for testing.
> :)

This was against a fairly old tree (maybe 3.0-CURRENT?), but I'll see if I
can dig it up this weekend.

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED] NAI Labs, Safeport Network Services
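The enforcement idea in Robert's reply (deliver a packet to an unprivileged uid only when both that uid's administrator-installed ACL filter and the user's own filter accept it, so the delivered set is the intersection of the two acceptance sets and no program comparison or canonical form is needed) can be shown with a tiny BPF-style interpreter. This is an added example, not code from the thread or from FreeBSD's bpf(4): the instruction set, the `struct insn` layout, the offsets (which assume Ethernet + IPv4 without options) and the 42-byte frames are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small BPF-style machine (illustration only; not the layout of
 * FreeBSD's struct bpf_insn). k is a packet offset for LDB/LDH, the compare
 * value for JEQ, and the accept (nonzero) / reject (zero) code for RET. */
enum op { LDB, LDH, JEQ, RET };

struct insn {
    enum op op;
    uint32_t k;
    uint8_t jt, jf;   /* JEQ: instructions to skip when equal / not equal */
};

/* Run one program over a packet. Returns 1 to accept, 0 to reject. A load
 * past the end of the packet rejects, as the real interpreter does. */
static int run_filter(const struct insn *prog, size_t n,
                      const uint8_t *pkt, size_t len)
{
    uint32_t a = 0;
    size_t pc = 0;

    while (pc < n) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LDB:
            if ((size_t)i->k + 1 > len) return 0;
            a = pkt[i->k];
            pc++;
            break;
        case LDH:
            if ((size_t)i->k + 2 > len) return 0;
            a = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            pc++;
            break;
        case JEQ:
            pc += 1 + (a == i->k ? i->jt : i->jf);
            break;
        case RET:
            return i->k != 0;
        }
    }
    return 0;   /* fell off the end of the program: reject */
}

/* Constructed offsets: Ethernet header, then IPv4 with no options. */
#define ETHERTYPE_OFF 12
#define IPPROTO_OFF   23
#define UDP_DPORT_OFF 36
#define NINSN(p) (sizeof(p) / sizeof((p)[0]))

/* ACL filter the administrator attached to this uid: only UDP to port 53. */
static const struct insn acl_dns_only[] = {
    { LDH, ETHERTYPE_OFF, 0, 0 }, { JEQ, 0x0800, 0, 5 },
    { LDB, IPPROTO_OFF,   0, 0 }, { JEQ, 17,     0, 3 },
    { LDH, UDP_DPORT_OFF, 0, 0 }, { JEQ, 53,     0, 1 },
    { RET, 1, 0, 0 },
    { RET, 0, 0, 0 },
};

/* Filter the unprivileged user actually bound: all UDP traffic. */
static const struct insn user_any_udp[] = {
    { LDH, ETHERTYPE_OFF, 0, 0 }, { JEQ, 0x0800, 0, 3 },
    { LDB, IPPROTO_OFF,   0, 0 }, { JEQ, 17,     0, 1 },
    { RET, 1, 0, 0 },
    { RET, 0, 0, 0 },
};

/* Enforcement point: the packet reaches the user's descriptor only if the
 * uid's ACL filter AND the user's filter accept it. Delivery is therefore the
 * intersection of the two acceptance sets; the programs themselves are never
 * compared, so libpcap's code-generation choices do not matter. */
static int deliver_to_user(const uint8_t *pkt, size_t len)
{
    return run_filter(acl_dns_only, NINSN(acl_dns_only), pkt, len) &&
           run_filter(user_any_udp, NINSN(user_any_udp), pkt, len);
}

/* Build a constructed 42-byte frame with the given IP protocol number and
 * L4 destination port field; every other byte is zero. */
static size_t make_frame(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 42);
    buf[ETHERTYPE_OFF] = 0x08; buf[ETHERTYPE_OFF + 1] = 0x00;
    buf[14] = 0x45;                         /* IPv4, IHL 5 */
    buf[IPPROTO_OFF] = proto;
    buf[UDP_DPORT_OFF] = (uint8_t)(dport >> 8);
    buf[UDP_DPORT_OFF + 1] = (uint8_t)(dport & 0xff);
    return 42;
}

/* 1 if a frame with this protocol/port would be delivered to the user. */
int frame_delivered(uint8_t proto, uint16_t dport)
{
    uint8_t f[42];
    size_t n = make_frame(f, proto, dport);
    return deliver_to_user(f, n);
}

/* 1 if the user's own filter alone would have accepted the frame. */
int frame_matches_user_filter(uint8_t proto, uint16_t dport)
{
    uint8_t f[42];
    size_t n = make_frame(f, proto, dport);
    return run_filter(user_any_udp, NINSN(user_any_udp), f, n);
}

int main(void)
{
    printf("UDP/53  delivered=%d\n", frame_delivered(17, 53));
    printf("UDP/123 delivered=%d (user filter alone: %d)\n",
           frame_delivered(17, 123), frame_matches_user_filter(17, 123));
    printf("TCP/53  delivered=%d\n", frame_delivered(6, 53));
    return 0;
}
```

The UDP/123 case is the one that matters: the user's filter matches it, but the uid's ACL does not, so it is silently dropped rather than rejected at bind time. Proving the subset relation statically for two arbitrary programs is the hard part this sidesteps; the price is running two programs per packet for that descriptor, which is the same cost libpcap would pay for a single filter built as the conjunction of the two expressions.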