mac_portacl(4) minor bugfix
Robert Watson
rwatson at FreeBSD.org
Tue Jan 20 18:39:17 GMT 2004
On Tue, 20 Jan 2004, Simon L. Nielsen wrote:
> The last couple of days I have been playing around with the
> mac_portacl(4) module. I made a small test program so I can do
> regression tests when I actually start to play around with enhancing the
> code. I made some small tests to make sure I understood exactly how the
> module works, and I found a small bug in the existing code.
>
> The security.mac.portacl.enabled sysctl doesn't do anything. I would
> expect it to disable the module's operation, if set to 0, but the module
> never checks the value of the sysctl. I have attached a patch that
> fixes the problem, but I'm not sure if it's "the right way" to handle
> it.
Merged, thanks! It looks good to me.
> I also found out that the mac_portacl(4) manual page doesn't really
> describe everything about the module, so I'm working on updating it.
> Stay tuned for a patch :-).
Wonderful. Something that does need to be documented is that
mac_portacl(4) can only control the explicit binding of ports, not
implicit binding using '0' as a requested port. This means that the
IP_PORTRANGE values documented in ip(4) need to be taken into account (and
possibly set) to be in accordance with the policy.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
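
The explicit versus implicit binding distinction described in the reply above, as an added example (not code from this thread or from the mac_portacl module). The function names and the 1023 threshold are hypothetical, and the IP_PORTRANGE option is compiled in only where the platform's headers define it.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind TCP on 127.0.0.1; requested_port 0 is an implicit bind (kernel picks).
 * portrange: IP_PORTRANGE_* from ip(4), or -1. Returns bound port or -1. */
int bound_port(int requested_port, int portrange)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int port = -1, s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
#ifdef IP_PORTRANGE
    if (portrange >= 0 && setsockopt(s, IPPROTO_IP, IP_PORTRANGE,
        &portrange, sizeof(portrange)) < 0) {
        close(s);
        return -1;
    }
#else
    (void)portrange; /* option not defined on this platform */
#endif
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons((unsigned short)requested_port);
    if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        getsockname(s, (struct sockaddr *)&sin, &len) == 0)
        port = ntohs(sin.sin_port);
    close(s);
    return port;
}

/* Hypothetical audit helper: 1 if an implicit bind lands at or below
 * policy_high (assumed top of the range the policy should cover), else 0; -1 on error. */
int implicit_in_policy_range(int portrange, int policy_high)
{
    int port = bound_port(0, portrange);
    return port < 0 ? -1 : port <= policy_high;
}

int main(void)
{
    printf("implicit bind, default range: port %d\n", bound_port(0, -1));
    printf("landed inside 0..1023: %d\n", implicit_in_policy_range(-1, 1023));
    return 0;
}
```

On FreeBSD, passing IP_PORTRANGE_LOW or IP_PORTRANGE_HIGH as the portrange argument shows which range an implicit bind draws from for that setting.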