Getting full binary path in MAC Framework

Gleb Kurtsou gleb.kurtsou at gmail.com
Tue Dec 28 13:40:07 UTC 2010


On (28/12/2010 14:03), Jakub Szafrański wrote:
> Hi,
> First, sorry for my bad English and for my behaviour; English is not my
> native language, and I am new to mailing lists.
> 
> I'm trying to get the *FULL* path to a binary launched by the user, so
> that I could use it later. I've managed to get just the binary name, OR get
> the binary name from /proc, but I'd like it to be better (and not require
> /proc).
Due to the VFS design there is no reliable way of getting the full path to
a vnode. In some cases getting the full path is impossible, e.g. the file may
be deleted but still open.

It looks like you are working on a security policy to verify an executable
before running it; I'd suggest you attach a signature to the executable itself
or use extended attributes. Among other issues, path-based security
solutions are inherently race-prone and thus generally not as secure as
advertised.

> 
> This is what I've already written:
> 
> #include <sys/types.h>
> #include <sys/param.h>
> #include <sys/extattr.h>
> #include <sys/kernel.h>
> #include <sys/mount.h>
> #include <sys/systm.h>
> #include <sys/sysctl.h>
> #include <sys/sysproto.h>
> #include <sys/syslog.h>
> #include <sys/imgact.h>
> #include <sys/proc.h>
> 
> #include <security/mac/mac_policy.h>
> 
> 
> SYSCTL_DECL(_security_mac);
> 
> SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW, 0,
>     "MAC veriexec implementation");
> 
> 
> static int veriexec_enabled = 0;
> SYSCTL_INT(_security_mac_veriexec, OID_AUTO, enabled, CTLFLAG_RW,
>     &veriexec_enabled, 0, "Enforce mac_veriexec policy");
> 
> static int veriexec_level = 0;
> SYSCTL_INT(_security_mac_veriexec, OID_AUTO, level, CTLFLAG_RW,
>     &veriexec_level, 0, "Veriexec security level");
> 
> /* mpo_vnode_check_exec hook: called by the MAC framework on every execve(). */
> static int
> veriexec_vnode_check_exec(struct ucred *cred, struct vnode *vp,
>     struct label *vplabel, struct image_params *imgp,
>     struct label *execlabel)
> {
>     if (veriexec_enabled) {
>         if (cred && imgp && imgp->execpath) {
>             log(LOG_NOTICE, "UID %d launched PID %d, veriexec_level: %d %s\n",
>                 cred->cr_uid, imgp->proc->p_pid, veriexec_level,
>                 imgp->execpath);
>         }
>     }
>     return (0);
> }
> 
> static struct mac_policy_ops veriexec_ops =
> {
>     .mpo_vnode_check_exec = veriexec_vnode_check_exec,
> };
> 
> MAC_POLICY_SET(&veriexec_ops, mac_veriexec, "MAC veriexec implementation",
>     MPC_LOADTIME_FLAG_UNLOADOK, NULL);
> 
> I'll be glad for any help
> 
> Jakub 'samu' Szafrański
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
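The reply's two points, that a path may stop resolving while the object is still open and that a path-based decision does not bind to the object later used, can be shown in userland without the kernel module. The following is an added example written for this archive page, not code from either poster: it compares a path-keyed verifier with one keyed to the already-open descriptor (its `(st_dev, st_ino)` identity plus a SHA-256 of the contents) on a constructed temporary file, and then deletes the file while the descriptor stays open. The manifest dictionaries and the `tool` file are constructed for the demo; the content hash stands in for the embedded signature or extended attribute that the reply recommends, since Python's xattr calls are not portable across FreeBSD and Linux.

```python
import hashlib
import os
import tempfile


def sha256_of_fd(fd):
    """Hash the open object itself, not whatever a path currently names."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        h.update(chunk)
    return h.hexdigest()


def check_by_path(path, manifest):
    """Path-based check: looks the name up again, so it fails once the name
    is gone and can be answered for a different object if the name is rebound
    between this check and the later use (the race the reply describes)."""
    expected = manifest.get(path)
    if expected is None:
        return False
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest() == expected
    except FileNotFoundError:
        return False


def check_by_object(fd, manifest):
    """Object-bound check: identity is the (st_dev, st_ino) of the descriptor
    that will actually be used, so the decision applies to exactly that vnode
    whether or not any path still resolves to it."""
    st = os.fstat(fd)
    expected = manifest.get((st.st_dev, st.st_ino))
    return expected is not None and sha256_of_fd(fd) == expected


def demo():
    """Returns ((path_ok, object_ok) before unlink, (path_ok, object_ok) after)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "tool")
    content = b"#!/bin/sh\necho hello\n"  # constructed sample "executable"
    with open(path, "wb") as f:
        f.write(content)
    digest = hashlib.sha256(content).hexdigest()

    fd = os.open(path, os.O_RDONLY)
    st = os.fstat(fd)
    manifest_by_path = {path: digest}                      # constructed
    manifest_by_object = {(st.st_dev, st.st_ino): digest}  # constructed

    before = (check_by_path(path, manifest_by_path),
              check_by_object(fd, manifest_by_object))

    os.unlink(path)  # deleted but still open: no path can name it now

    after = (check_by_path(path, manifest_by_path),
             check_by_object(fd, manifest_by_object))

    os.close(fd)
    os.rmdir(d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before the unlink both checks pass; afterwards only the object-bound one does, which is the deleted-but-open case from the reply. Inode numbers are reused once an object is gone, so a real policy should not key on `(st_dev, st_ino)` alone; pinning the content hash, or storing the signature on the object as the reply suggests, is what makes the decision travel with the vnode rather than with a name.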


More information about the freebsd-hackers mailing list