freebsd-skq/sys
csjp a41f7da35f Introduce two new ioctl(2) commands, BIOCLOCK and BIOCSETWF. These commands
enhance the security of bpf(4) by further relinquishing the privilege of
the bpf(4) consumer (assuming the ioctl commands are being implemented).

Once BIOCLOCK is executed, the device becomes locked which prevents the
execution of ioctl(2) commands which can change the underly parameters of the
bpf(4) device. An example might be the setting of bpf(4) filter programs or
attaching to different network interfaces.

BIOCSETWF can be used to set write filters for outgoing packets. Currently if
a bpf(4) consumer is compromised, the bpf(4) descriptor can essentially be used
as a raw socket, regardless of consumer's UID. Write filters give users the
ability to constrain which packets can be sent through the bpf(4) descriptor.

These features are currently implemented by a couple programs which came from
OpenBSD, such as the new dhclient and pflogd.

-Modify bpf_setf(9) to accept a "cmd" parameter. This will be used to specify
 whether a read or write filter is to be set.
-Add a bpf(4) filter program as a parameter to bpf_movein(9) as we will run the
 filter program on the mbuf data once we move the packet in from user-space.
-Rather than execute two uiomove operations, (one for the link header and the
 other for the packet data), execute one and manually copy the linker header
 into the sockaddr structure via bcopy.
-Restructure bpf_setf to compensate for write filters, as well as read.
-Adjust bpf(4) stats structures to include a bd_locked member.

It should be noted that the FreeBSD and OpenBSD implementations differ a bit in
the sense that we unconditionally enforce the lock, where OpenBSD enforces it
only if the calling credential is not root.

Idea from:	OpenBSD
Reviewed by:	mlaier
2005-08-22 19:35:48 +00:00
..
alpha Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
amd64 Change pmap_extract() and pmap_extract_and_hold() to use PG_FRAME rather 2005-08-22 07:23:51 +00:00
arm Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
boot Add a "comconsole_speed" loader variable that can be used to change 2005-08-18 01:39:43 +00:00
bsm For consistency with more system include files, add a trailing '_' to 2005-05-29 16:11:34 +00:00
cam Merge the dev_clone and dev_clone_cred event handlers into a single 2005-08-08 19:55:32 +00:00
coda Merge the dev_clone and dev_clone_cred event handlers into a single 2005-08-08 19:55:32 +00:00
compat Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and 2005-08-09 10:20:02 +00:00
conf Pad the strings sccs[], version[], and osrelease[] up to a minimum of 2005-08-19 01:49:15 +00:00
contrib Wrap the new world order in __FreeBSD__ to ease future imports. 2005-08-09 11:59:02 +00:00
crypto Add VIA/ACE "PadLock" support as a crypto(9) driver. 2005-08-18 00:30:22 +00:00
ddb Remove the need to forward declare statics by moving them around. 2005-08-10 07:08:14 +00:00
dev On x86 processors, turn off any 'INTERRUPT' capabilities on PMCs 2005-08-22 18:20:41 +00:00
doc
fs Handle device drivers with D_NEEDGIANT in a way which does not 2005-08-17 08:19:52 +00:00
gdb check return value of gdb_rx_varhex 2005-03-28 18:31:18 +00:00
geom By default, when doing crypto work in software, start as many threads 2005-08-21 18:12:51 +00:00
gnu Repair this: 2005-07-09 18:30:31 +00:00
i4b Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and 2005-08-09 10:20:02 +00:00
i386 Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
ia64 Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
isa Add pnp and location info for the ISA bus. The pnp info is the 2005-08-01 07:03:10 +00:00
isofs/cd9660 - restore the ability to mount cd9660 filesystems as root by inverting 2005-08-14 04:19:36 +00:00
kern mp_ncpus is always (properly) initialized, even on UP kernels, so just use it. 2005-08-21 18:03:31 +00:00
libkern Ha! This is a very interesting bug. 2005-08-08 19:38:00 +00:00
modules Define the target for opt_compat.h only if KERNBUILDDIR 2005-08-18 14:50:08 +00:00
net Introduce two new ioctl(2) commands, BIOCLOCK and BIOCSETWF. These commands 2005-08-22 19:35:48 +00:00
net80211 revert 1.64: we cannot use the channel characteristics to decide when to 2005-08-13 17:50:21 +00:00
netatalk Eliminate MAC entry point mac_create_mbuf_from_mbuf(), which is 2005-07-05 23:39:51 +00:00
netatm Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and 2005-08-09 10:20:02 +00:00
netgraph In ng_callout() assert that supplied arguments are non-NULL. 2005-08-21 19:48:51 +00:00
netinet Add socketoption IP_MINTTL. May be used to set the minimum acceptable 2005-08-22 16:13:08 +00:00
netinet6 added a missing unlock (just do the same thing as in netinet/raw_ip.c) 2005-08-18 11:11:27 +00:00
netipsec Correct typo in a comment describing vshiftl(). 2005-06-02 23:56:10 +00:00
netipx Stop embedding struct ifnet at the top of driver softcs. Instead the 2005-06-10 16:49:24 +00:00
netkey SADB_UPDATE did not return an error when key length is invalid. 2005-08-22 07:05:14 +00:00
netnatm Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and 2005-08-09 10:20:02 +00:00
netncp Change API of mb_copy_t in libmchain so that netsmb can handle 2005-07-29 13:22:37 +00:00
netsmb Merge the dev_clone and dev_clone_cred event handlers into a single 2005-08-08 19:55:32 +00:00
nfs Fixes for NFS crashes on architectures that require strict alignment. 2005-07-14 20:08:27 +00:00
nfs4client - We want if (mrep != NULL) not if (m_freem != NULL). m_freem will never 2005-04-25 05:11:19 +00:00
nfsclient FIx for a bug in the change that made nfs_timer() MPSAFE. We need to 2005-07-27 15:06:26 +00:00
nfsserver NFS write gathering defers execution of NFS server write requests to wait 2005-04-17 16:25:36 +00:00
opencrypto Fix bogus check. It was possible to panic the kernel by giving 0 length. 2005-08-18 11:58:03 +00:00
pc98 MFi386: revision 1.1204. 2005-07-21 11:13:12 +00:00
pccard Change a directory layout for pc98. 2005-05-10 12:02:18 +00:00
pci Various fixups to locking: 2005-08-18 19:24:30 +00:00
posix4 Introduce MAC Framework and MAC Policy entry points to label and control 2005-05-04 10:39:15 +00:00
powerpc Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
rpc - Don't call rpcclnt_realign() if we don't have any mbufs to realign. 2005-03-19 01:16:25 +00:00
security Insert a series of place-holder function pointers in mac_policy.h for 2005-08-08 16:09:33 +00:00
sparc64 Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
sys Move MINSIGSTKSZ from <machine/signal.h> to <machine/_limits.h> and rename 2005-08-20 16:44:41 +00:00
tools Allow EVFILT_VNODE events to work on every filesystem type, not just 2005-06-09 20:20:31 +00:00
ufs Set the mountpoint path in the superblock (fs_fsmnt) at mount-time 2005-08-21 22:06:41 +00:00
vm Do not use vm_pager_init() to initialize vnode_pbuf_freecnt variable. 2005-08-13 20:21:33 +00:00
Makefile When building cscopnamefile, default architecture to ${MACHINE}, not i386. 2005-03-08 00:09:41 +00:00