Subject: Re: Privilege Elevation with systrace
To: None <current-users@netbsd.org>
From: None <xs@kittenz.org>
List: current-users
Date: 10/12/2002 12:03:45
on Sat, Oct 12, 2002 at 01:16:55AM -0700, Simon J. Gerraty wrote:
> >Using systrace, ping can run without any privileges and a policy
> >like
> 
> > netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then \
> > permit as root
> 
> I'm not familiar with systrace, but I _hope_ the policy can be more 
> specific than that? 
>
> The above looks like it would allow any program to open raw sockets
> "as root".  Just what I'd need if wanting to run rawpkt or whatever to
> spew forged packets into the net ;-)

Each policy is per-process, so the rule would be included in a policy
for just ping.

This rule does differ from what ping could do before. ping drops its
privileges after it has created a raw socket. But with such a policy,
it can keep opening raw sockets because systrace policies are
stateless.

It seems that something similar to filter->match_count may help here.

 netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then \
    permit as root for count = 1
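As an added illustration (this is example code, not part of the thread and not ping's actual source), the following C program shows the pattern the reply attributes to ping: the raw socket is opened while the process still has privilege, the process then drops to an unprivileged uid irrevocably, and any later attempt to open another raw socket fails. This is the process-side state that a stateless "permit as root" rule does not capture. The uid/gid 65534 is an assumed unprivileged account for the demonstration; the program only uses it when it actually starts as root.

```c
/* Added example: open a raw socket first, then drop privileges so the
 * process cannot open another one. Not the original post's code. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed unprivileged uid/gid for the demonstration (constructed value). */
#define UNPRIV_ID 65534

/* Try to open an ICMP raw socket. Returns the fd, or -1 with errno set.
 * This needs root (or CAP_NET_RAW on Linux). */
int open_raw_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Drop privileges irrevocably. If the effective uid is 0, switch to
 * `target` for gid and uid; otherwise stay at the current ids.
 * setuid() called with euid 0 sets real, effective and saved uid at once,
 * so there is no way back. Returns 0 on success, -1 on failure.
 * (A production program would also clear supplementary groups.) */
int drop_privileges(uid_t target) {
    int was_root = (geteuid() == 0);
    uid_t want_uid = was_root ? target : getuid();
    gid_t want_gid = was_root ? (gid_t)target : getgid();

    if (setgid(want_gid) != 0) return -1;   /* group first, while still root */
    if (setuid(want_uid) != 0) return -1;

    /* Verify the drop took effect and cannot be undone. */
    if (getuid() != want_uid || geteuid() != want_uid) return -1;
    if (want_uid != 0 && setuid(0) == 0) return -1;  /* regained root: bug */
    return 0;
}

/* Returns 1 if a raw socket can still be opened after dropping privileges
 * (the undesirable outcome), 0 if the attempt is refused. */
int raw_socket_possible_after_drop(void) {
    if (drop_privileges(UNPRIV_ID) != 0) return -1;
    int fd = open_raw_icmp_socket();
    if (fd >= 0) {
        close(fd);
        return 1;
    }
    return 0;
}

int main(void) {
    /* Step 1: acquire the raw socket while privileged (may fail if the
     * program was not started as root; that is fine for the demo). */
    int first = open_raw_icmp_socket();
    if (first >= 0) {
        printf("raw socket opened while privileged (fd %d)\n", first);
        close(first);
    } else {
        printf("initial raw socket refused: %s\n", strerror(errno));
    }

    /* Step 2: drop privileges and try again. */
    int again = raw_socket_possible_after_drop();
    if (again < 0) {
        printf("drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("after dropping privileges, raw socket %s\n",
           again ? "STILL possible" : "refused");
    return again;
}
```

Run it as root to see both steps succeed and then the second open refused; run it as an ordinary user and only the refusals are shown. The point of `drop_privileges` checking `setuid(0)` afterwards is that a drop which can be reversed is not a drop at all.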