From fe41ca530c73e4f1f7b5436e6a6bbc1fa66ea270 Mon Sep 17 00:00:00 2001 From: Matthew Dillon Date: Tue, 14 Jan 2003 19:35:33 +0000 Subject: [PATCH] Introduce the ability to flag a sysctl for operation at secure level 2 or 3 in addition to secure level 1. The mask supports up to a secure level of 8 but only add defines through CTLFLAG_SECURE3 for now. As per the missif in the log entry for 1.11 of ip_fw2.c which added the secure flag to the IPFW sysctl's in the first place, change the secure level requirement from 1 to 3 now that we have support for it. Reviewed by: imp With Design Suggestions by: imp --- sys/kern/kern_sysctl.c | 5 +++-- sys/netinet/ip_fw2.c | 6 +++--- sys/sys/sysctl.h | 11 +++++++++++ 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index 74cec52da75..08d1f80ec99 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1098,7 +1098,7 @@ static int sysctl_root(SYSCTL_HANDLER_ARGS) { struct sysctl_oid *oid; - int error, indx; + int error, indx, lvl; error = sysctl_find_oid(arg1, arg2, &oid, &indx, req); if (error) @@ -1122,7 +1122,8 @@ sysctl_root(SYSCTL_HANDLER_ARGS) /* Is this sysctl sensitive to securelevels? */ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { - error = securelevel_gt(req->td->td_ucred, 0); + lvl = (oid->oid_kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE; + error = securelevel_gt(req->td->td_ucred, lvl); if (error) return (error); } diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 57155874973..6759bd09388 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -112,18 +112,18 @@ static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, &autoinc_step, 0, "Rule number autincrement step"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_one_pass, 0, "Only do a single pass through ipfw when using dummynet(4)"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "Enable printing of debug ip_fw statements"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h index 4ee51b79076..ba67fe83628 100644 --- a/sys/sys/sysctl.h +++ b/sys/sys/sysctl.h @@ -86,6 +86,17 @@ struct ctlname { #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */ +#define CTLMASK_SECURE 0x00F00000 /* Secure level */ + +/* + * Secure level. Note that CTLFLAG_SECURE == CTLFLAG_SECURE1. + * + * Secure when the securelevel is raised to at least N. + */ +#define CTLSHIFT_SECURE 20 +#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (0 << CTLSHIFT_SECURE)) +#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (1 << CTLSHIFT_SECURE)) +#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (2 << CTLSHIFT_SECURE)) /* * USE THIS instead of a hardwired number from the categories below