diff options
author | Can Erkin Acar <canacar@cvs.openbsd.org> | 2003-10-22 18:42:41 +0000 |
---|---|---|
committer | Can Erkin Acar <canacar@cvs.openbsd.org> | 2003-10-22 18:42:41 +0000 |
commit | 6693f734d4d99c32579a9cef43ff0f9a39e4dc62 (patch) | |
tree | edbf003bbcf42419432abe8645aca40cac4fcdd9 /share | |
parent | 2e46b2f39d9833b32544b6e61959e55ae2d0700d (diff) |
Add locking and write filtering to bpf descriptors.
Locking prevents dangerous ioctls such as changing the
interface and sending signals to be executed by an
unprivileged process. A filter can also be applied
to packets injected through a bpf descriptor.
These features allow programs using bpf descriptors to
safely drop/seperate privileges.
ok frantzen@ henning@ mcbride@
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man4/bpf.4 | 88 |
1 files changed, 82 insertions, 6 deletions
diff --git a/share/man/man4/bpf.4 b/share/man/man4/bpf.4 index 70070224b47..e251d2ea9e9 100644 --- a/share/man/man4/bpf.4 +++ b/share/man/man4/bpf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bpf.4,v 1.18 2003/07/09 11:45:44 jmc Exp $ +.\" $OpenBSD: bpf.4,v 1.19 2003/10/22 18:42:40 canacar Exp $ .\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $ .\" .\" Copyright (c) 1990 The Regents of the University of California. @@ -43,7 +43,7 @@ The packet filter appears as a character special device, etc. After opening the device, the file descriptor must be bound to a specific network interface with the -.Dv BIOSETIF +.Dv BIOCSETIF ioctl. A given interface can be shared between multiple listeners, and the filter underlying each descriptor will see an identical packet stream. @@ -90,8 +90,15 @@ macros to extract multi-byte values. A packet can be sent out on the network by writing to a .Nm file descriptor. +Each descriptor can also have a user-settable filter +for controlling the writes. +Only packets matching the filter are sent out of the interface. The writes are unbuffered, meaning only one packet can be processed per write. -Currently, only writes to Ethernets and SLIP links are supported. +.Pp +Once a descriptor is configured, further changes to the configuration +can be prevented using the +.Dv BIOCLOCK +ioctl. .Ss Ioctls The ioctl command codes below are defined in .Aq Pa net/bpf.h . @@ -108,6 +115,8 @@ Additionally, and .Dv BIOCSETIF require +.Aq Pa sys/socket.h +and .Aq Pa net/if.h . .Pp The (third) argument to the @@ -150,6 +159,55 @@ promiscuously are closed. Flushes the buffer of incoming packets and resets the statistics that are returned by .Dv BIOCGSTATS . +.It Dv BIOCLOCK +This ioctl is designed to prevent the security issues associated +with an open +.Nm +descriptor in unprivileged programs. +Even with dropped privileges, an open +.Nm +descriptor can be abused by a rogue program to listen on any interface +on the system, send packets on these interfaces if the descriptor was +opened read-write and send signals to arbitrary processes using the +signaling mechanism of +.Nm bpf . +By allowing only +.Dq known safe +ioctls, the +.DV BIOCLOCK +ioctl prevents this abuse. +The allowable ioctls are +.Dv BIOCGBLEN , +.Dv BIOCFLUSH , +.Dv BIOCGDLT , +.Dv BIOCGETIF , +.Dv BIOCGRTIMEOUT , +.Dv BIOCSRTIMEOUT , +.Dv BIOCIMMEDIATE , +.Dv BIOCGSTATS , +.Dv BIOCVERSION , +.Dv BIOCGRSIG , +.Dv BIOCGHDRCMPLT , +.Dv TIOCGPGRP , +and +.Dv FIONREAD . +Use of any other ioctl is denied with error +.Er EPERM . +Once a descriptor is locked, it is not possible to unlock it. +A process with root privileges is not affected by the lock. +.Pp +A privileged program can open a +.Nm +device, drop privileges, set the interface, filters and modes on the +descriptor, and lock it. +Once the descriptor is locked, the system is safe +from further abuse through the descriptor. +Locking a descriptor does not prevent writes. +If the application does not need to send packets through +.Nm bpf , +it can open the device read-only to prevent writing. +If sending packets is necessary, a write-filter can be set before locking the +descriptor to prevent arbitrary packets from being sent out. .It Dv BIOCGETIF ( Li "struct ifreq" ) Returns the name of the hardware interface that the file is listening on. The name is returned in the @@ -229,6 +287,21 @@ are performed. See section .Sx FILTER MACHINE for an explanation of the filter language. +.It Dv BIOCSETWF ( Li "struct bpf_program" ) +Sets the filter program used by the kernel to filter the packets +written to the descriptor before the packets are sent out on the +network. +See +.Dv BIOCSETF +for a description of the filter program. +This ioctl also acts as +.Dv BIOCFLUSH . +.Pp +Note that the filter operates on the packet data written to the descriptor. +If the +.Dq header complete +flag is not set, the kernel sets the link-layer source address +of the packet after filtering. .It Dv BIOCVERSION ( Li "struct bpf_version" ) Returns the major and minor version numbers of the filter language currently recognized by the kernel. @@ -756,9 +829,12 @@ pc += (A == X) ? jt : jf pc += (A & X) ? jt : jf .El .It Dv BPF_RET -The return instructions terminate the filter program and specify the amount -of packet to accept (i.e., they return the truncation amount). -A return value of zero indicates that the packet should be ignored. +The return instructions terminate the filter program and specify the +amount of packet to accept (i.e., they return the truncation amount) +or, for the write filter, the maximum acceptable size for the packet +(i.e., the packet is dropped if it is larger than the returned +amount). +A return value of zero indicates that the packet should be ignored/dropped. The return value is either a constant .Pf ( Dv BPF_K ) or the accumulator |