mac_portacl(4) minor bugfix

Robert Watson rwatson at FreeBSD.org
Sat Jan 24 19:47:32 GMT 2004


On Tue, 20 Jan 2004, Kenny Freeman wrote:

> I'm curious if there exists the functionality to have bind requests that
> are allowed or denied sent to syslog or some such facility? pid and
> other information would be handy. 

Right now, there's little auditing support in FreeBSD.  Not sure if you
follow the trustedbsd-cvs or trustedbsd-audit lists, but I'm currently
experimentally porting some of the audit code found in Darwin 7 to
FreeBSD, and am very interested in looking at issues associated with
integrating it with the MAC Framework.  In particular, how to permit MAC
modules to attach additional audit data onto existing audit records to let
them add information about why they rejected a request.

In the meantime, it would be quite feasible to add a printf to
mac_portacl when a rejection is made, providing information on the
process, a call to log(), or to add a queue of log data that is spat out
of a /dev node. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research


> 
> -Kenny
> 
> On January 20, 2004 01:39 pm, Robert Watson wrote:
> > On Tue, 20 Jan 2004, Simon L. Nielsen wrote:
> > > The last couple of days I have been playing around with the
> > > mac_portacl(4) module.  I made a small test program so I can do
> > > regression tests when I actually start to play around with enhancing the
> > > code.  I made some small tests to make sure I understood exactly how the
> > > module works, and I found a small bug in the existing code.
> > >
> > > The security.mac.portacl.enabled sysctl doesn't do anything.  I would
> > > expect it to disable the module's operation, if set to 0, but the module
> > > never checks the value of the sysctl.  I have attached a patch that
> > > fixes the problem, but I'm not sure if it's "the right way" to handle
> > > it.
> >
> > Merged, thanks!  It looks good to me.
> >
> > > I also found out that the mac_portacl(4) manual page doesn't really
> > > describe everything about the module, so I'm working on updating it.
> > > Stay tuned for a patch :-).
> >
> > Wonderful.  Something that does need to be documented is that
> > mac_portacl(4) can only control the explicit binding of ports, not
> > implicit binding using '0' as a requested port.  This means that the
> > IP_PORTRANGE values documented in ip(4) need to be taken into account (and
> > possibly set) to be in accordance with the policy.
> >
> > Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
> > robert at fledge.watson.org      Senior Research Scientist, McAfee Research
> >
> >
> >
> > To Unsubscribe: send mail to majordomo at trustedbsd.org
> > with "unsubscribe trustedbsd-discuss" in the body of the message
> 

