MAC Framework, Socket information
Robert Watson
rwatson at FreeBSD.org
Fri Jul 29 11:22:13 UTC 2011
On Thu, 28 Jul 2011, s wrote:
> I need to get some info about the socket being created by the user. What I
> want to do is log all TCP/UDP outgoing connections that are being made. I
> *need* to get the local and remote address, as well as the local and remote
> port. I managed to get all of the remote data, but this is useless to me, if
> I haven't got the local port. Here is what I have already written:
Most MAC Framework entry points are invoked before operations of interest,
rather than after, because they are intended to perform access control on
operations. I think the closest you may be able to get given current entry
points is logging when the first operation is performed on the connected
socket: i.e., read, write, sendfile, etc, since it will be established at that
point (some caution required: you can invoke system calls on sockets before
and during connect()).
However, I can't help but wonder: would you be better-served by using the
kernel's audit facilities to track events like socket connection? Are you
blending access control and logging in your module, or is this really just
about logging?
Robert
>
> static int slog_socket_check_connect(struct ucred *cred,
> struct socket *socket, struct label *socketlabel,
> struct sockaddr *sockaddr)
> {
> if(sockaddr->sa_family == AF_INET) {
> struct sockaddr_in sa;
> log(LOG_SECURITY | LOG_DEBUG, "Somebody made a socket: %d:%d
> (%d)\n",
> cred->cr_ruid,
> ntohs(((struct sockaddr_in*)sockaddr)->sin_port),
> ntohs(((struct in_endpoints*)sockaddr)->ie_lport)
> );
> }
> return 0;
> }
>
> --
> Pozdrawiam,
> Jakub 'samu' Szafrański
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
More information about the freebsd-hackers
mailing list