Using modified db_trace_self to show MAC Framework's denial information

zhouyi zhou zhouyi04 at
Wed May 10 09:42:27 UTC 2006

Dear Colleques,
   TrustedBSD's MAC Framework lacks enough denial information in access control.
For example, in SEBSD's avc deny information, only inode number was shown for an 
ordinary file access. This is due to the structure of UFS (which lack d_entry as 
ext2fs do).
   I suggest modifying ddb's db_trace_self facility to show vnode's corresponding 
path name.
   Take kern_stat for example:
db_print_stack_entry_modified_by_ZhouyiZhou(name, narg, argnp, argp, callpc)
        const char *name;
        int narg;
        char **argnp;
        int *argp;
        db_addr_t callpc;
  if (!strcmp(name,"kern_stat")){
    db_printf("%s: ", name);
    int i = 1;
    while (narg) {
      if (i == 1)
        db_printf("executable = %s ",((struct thread *) db_get_value((int)argp, 4, FALSE))->td_proc->p_comm);
      if (i == 2)
        db_printf("path = %s ",((char *) db_get_value((int)argp, 4, FALSE)));

   You can implement many others such as kern_open to print the pathname of the access denied inode.

   This may not be the best soluation, but it is indeed a solution.

Sincerely yours
Zhouyi Zhou

More information about the trustedbsd-discuss mailing list