diff options
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/kern/kern_sysctl.c | 5 | ||||
| -rw-r--r-- | sys/netinet/ip_fw2.c | 6 | ||||
| -rw-r--r-- | sys/sys/sysctl.h | 11 |
3 files changed, 17 insertions, 5 deletions
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c index 74cec52da755..08d1f80ec99d 100644 --- a/sys/kern/kern_sysctl.c +++ b/sys/kern/kern_sysctl.c @@ -1098,7 +1098,7 @@ static int sysctl_root(SYSCTL_HANDLER_ARGS) { struct sysctl_oid *oid; - int error, indx; + int error, indx, lvl; error = sysctl_find_oid(arg1, arg2, &oid, &indx, req); if (error) @@ -1122,7 +1122,8 @@ sysctl_root(SYSCTL_HANDLER_ARGS) /* Is this sysctl sensitive to securelevels? */ if (req->newptr && (oid->oid_kind & CTLFLAG_SECURE)) { - error = securelevel_gt(req->td->td_ucred, 0); + lvl = (oid->oid_kind & CTLMASK_SECURE) >> CTLSHIFT_SECURE; + error = securelevel_gt(req->td->td_ucred, lvl); if (error) return (error); } diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 57155874973b..6759bd093883 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -112,18 +112,18 @@ static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */ #ifdef SYSCTL_NODE SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_enable, 0, "Enable ipfw"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, autoinc_step, CTLFLAG_RW, &autoinc_step, 0, "Rule number autincrement step"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, one_pass, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_one_pass, 0, "Only do a single pass through ipfw when using dummynet(4)"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW, &fw_debug, 0, "Enable printing of debug ip_fw statements"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, - CTLFLAG_RW | CTLFLAG_SECURE, + CTLFLAG_RW | CTLFLAG_SECURE3, &fw_verbose, 0, "Log matches to ipfw rules"); SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose_limit, CTLFLAG_RW, &verbose_limit, 0, "Set upper limit of matches of ipfw rules logged"); diff --git a/sys/sys/sysctl.h b/sys/sys/sysctl.h index 4ee51b790763..ba67fe836280 100644 --- a/sys/sys/sysctl.h +++ b/sys/sys/sysctl.h @@ -86,6 +86,17 @@ struct ctlname { #define CTLFLAG_PRISON 0x04000000 /* Prisoned roots can fiddle */ #define CTLFLAG_DYN 0x02000000 /* Dynamic oid - can be freed */ #define CTLFLAG_SKIP 0x01000000 /* Skip this sysctl when listing */ +#define CTLMASK_SECURE 0x00F00000 /* Secure level */ + +/* + * Secure level. Note that CTLFLAG_SECURE == CTLFLAG_SECURE1. + * + * Secure when the securelevel is raised to at least N. + */ +#define CTLSHIFT_SECURE 20 +#define CTLFLAG_SECURE1 (CTLFLAG_SECURE | (0 << CTLSHIFT_SECURE)) +#define CTLFLAG_SECURE2 (CTLFLAG_SECURE | (1 << CTLSHIFT_SECURE)) +#define CTLFLAG_SECURE3 (CTLFLAG_SECURE | (2 << CTLSHIFT_SECURE)) /* * USE THIS instead of a hardwired number from the categories below |