Date: Fri, 29 Jul 2011 12:22:12 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: s <s@samu.pl> Cc: freebsd-hackers@freebsd.org Subject: Re: MAC Framework, Socket information Message-ID: <alpine.BSF.2.00.1107291219190.99726@fledge.watson.org> In-Reply-To: <86304693fe3634eeb038db14bdee8779@samu.pl> References: <86304693fe3634eeb038db14bdee8779@samu.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--621616949-1332473671-1311938532=:99726
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
On Thu, 28 Jul 2011, s wrote:
> I need to get some info about the socket being created by the user. What I
> want to do is log all TCP/UDP outgoing connections that are being made. I
> *need* to get the local and remote address, as well as the local and remote
> port. I managed to get all of the remote data, but this is useless to me, if
> I haven't got the local port. Here is what I have already written:
Most MAC Framework entry points are invoked before operations of interest,
rather than after, because they are intended to perform access control on
operations. I think the closest you may be able to get given current entry
points is logging when the first operation is performed on the connected
socket: i.e., read, write, sendfile, etc, since it will be established at that
point (some caution required: you can invoke system calls on sockets before
and during connect()).
However, I can't help but wonder: would you be better-served by using the
kernel's audit facilities to track events like socket connection? Are you
blending access control and logging in your module, or is this really just
about logging?
Robert
>
> static int slog_socket_check_connect(struct ucred *cred,
> struct socket *socket, struct label *socketlabel,
> struct sockaddr *sockaddr)
> {
> if(sockaddr->sa_family == AF_INET) {
> struct sockaddr_in sa;
> log(LOG_SECURITY | LOG_DEBUG, "Somebody made a socket: %d:%d
> (%d)\n",
> cred->cr_ruid,
> ntohs(((struct sockaddr_in*)sockaddr)->sin_port),
> ntohs(((struct in_endpoints*)sockaddr)->ie_lport)
> );
> }
> return 0;
> }
>
> --
> Pozdrawiam,
> Jakub 'samu' SzafraĆski
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>
--621616949-1332473671-1311938532=:99726--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1107291219190.99726>