Using modified db_trace_self to show MAC Framework's denial
information
zhouyi zhou
zhouyi04 at ios.cn
Wed May 10 09:44:30 UTC 2006
Dear Colleques,
TrustedBSD's MAC Framework lacks enough denial information in access control.
For example, in SEBSD's avc deny information, only inode number was shown for an
ordinary file access. This is due to the structure of UFS (which lack d_entry as
ext2fs do).
I suggest modifying ddb's db_trace_self facility to show vnode's corresponding
path name.
Take kern_stat for example:
db_print_stack_entry_modified_by_ZhouyiZhou(name, narg, argnp, argp, callpc)
const char *name;
int narg;
char **argnp;
int *argp;
db_addr_t callpc;
{
if (!strcmp(name,"kern_stat")){
db_printf("%s: ", name);
int i = 1;
while (narg) {
if (i == 1)
db_printf("executable = %s ",((struct thread *) db_get_value((int)argp, 4, FALSE))->td_proc->p_comm);
if (i == 2)
db_printf("path = %s ",((char *) db_get_value((int)argp, 4, FALSE)));
argp++;
i++;
--narg;
}
db_printf("\n");
return;
}
return;
}
You can implement many others such as kern_open to print the pathname of the access denied inode.
This may not be the best soluation, but it is indeed a solution.
Sincerely yours
Zhouyi Zhou
More information about the trustedbsd-discuss
mailing list