how to deny reading of several sysctls (for a set of uids, f.e.)

Max Laier max at love2party.net
Tue Jan 23 13:10:40 UTC 2007


On Tuesday 23 January 2007 12:44, Andrew N. Below wrote:
> System - RELENG_6.
>
> The easiest way I found is to patch libc.
> But in this case we can still get the original library and use
> LD_PRELOAD.
>
> Is there any way to obtain uid of calling process (thread?)
> within the kernel?
>
> We have the following extern in src/lib/libc/gen/sysctl.c:
> [..]
> extern int __sysctl(int *name, u_int namelen, void *oldp, size_t
> *oldlenp, void *newp, size_t newlen);
> [..]
>
> And there is __sysctl (src/sys/kern/kern_sysctl.c):
>
> [..]
> /*
>  * MPSAFE
>  */
> int
> __sysctl(struct thread *td, struct sysctl_args *uap)
> [..]
>
> 1. Is this function called from libc sysctl()?
>
> 2. What can we get from td here? My knowledge about FreeBSD kernel
> and kernel threads is not yet enough for understanding this.

td->td_proc->p_ucred has the user credentials.  You probably want to do 
your checks in userland_sysctl() according to the comment just above.

> I also thought about passing a control variable from libc
> to the kernel, but it seems to be a bad idea.
>
> Any other ways?

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
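Added example, not code from the thread or from FreeBSD: a userland model of the uid-keyed policy check the reply suggests placing in userland_sysctl(). In the kernel the uid would be read from td->td_proc->p_ucred->cr_uid; here a constructed `struct cred`, the hypothetical `sysctl_read_allowed()` and a constructed rule table stand in, and `demo_policy()` shows the decision for the kern.proc MIB prefix {1, 14}.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for the kernel credential; only the field the check needs. */
struct cred { uid_t cr_uid; };

/* One deny rule: a MIB prefix (int array, as sysctl(3) names are) that the
 * listed uids may not read. Hypothetical structure, constructed for this example. */
struct deny_rule {
    const int *mib;       /* MIB prefix, e.g. {1, 14} = kern.proc on FreeBSD */
    unsigned int miblen;
    const uid_t *uids;    /* uids the rule applies to */
    size_t nuids;
};

/* True when the requested name starts with the rule's MIB prefix. */
static bool mib_has_prefix(const int *name, unsigned int namelen,
                           const struct deny_rule *r)
{
    if (namelen < r->miblen) return false;
    for (unsigned int i = 0; i < r->miblen; i++)
        if (name[i] != r->mib[i]) return false;
    return true;
}

/* Policy check done on the kernel side, so an LD_PRELOADed libc cannot skip it.
 * Returns 0 to permit the read and EPERM to deny it. */
int sysctl_read_allowed(const struct cred *cr, const int *name, unsigned int namelen,
                        const struct deny_rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        if (!mib_has_prefix(name, namelen, &rules[i])) continue;
        for (size_t j = 0; j < rules[i].nuids; j++)
            if (rules[i].uids[j] == cr->cr_uid) return EPERM;
    }
    return 0;
}

/* Constructed policy: uids 1001 and 1002 may not read anything under kern.proc. */
int demo_policy(uid_t uid, const int *name, unsigned int namelen)
{
    static const int kern_proc[] = {1, 14};
    static const uid_t denied[] = {1001, 1002};
    const struct deny_rule rules[] = {{kern_proc, 2, denied, 2}};
    struct cred cr = {uid};
    return sysctl_read_allowed(&cr, name, namelen, rules, 1);
}
```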