From owner-freebsd-security@FreeBSD.ORG Thu Jun 1 21:44:40 2006
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C09916BD40 for ; Thu, 1 Jun 2006 21:44:40 +0000 (UTC) (envelope-from dtangent@defcon.org)
Received: from colossus.datamerica.com (colossus.blackhat.com [216.231.63.50]) by mx1.FreeBSD.org (Postfix) with SMTP id 2F67B43D48 for ; Thu, 1 Jun 2006 21:44:40 +0000 (GMT) (envelope-from dtangent@defcon.org)
Received: from mail-1.datamerica.com (mail-1.datamerica.com [10.168.25.25]) by colossus.datamerica.com with SMTP id k51LiddF013000 for ; Thu, 1 Jun 2006 14:44:39 -0700 (PDT)
Received: (qmail 6325 invoked from network); 1 Jun 2006 21:50:22 -0000
Received: from ispy2.blackhat.com (HELO ispy2.defcon.org) (10.168.1.59) by mail-1.datamerica.com with SMTP; 1 Jun 2006 21:50:22 -0000
Message-Id: <7.0.1.0.2.20060601142921.2284c5b0@wheresmymailserver.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Thu, 01 Jun 2006 14:40:50 -0700
To: freebsd-security@freebsd.org
From: Jeff
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: mac_bsdextended log information
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Thu, 01 Jun 2006 21:44:47 -0000

Hey everyone,

I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:

www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.
So the question is, what file did the www process try to muck with? It is a root-owned file, and it is important that it wants to act on it. Security problem, or benign problem? Who knows without being able to know what the file is.

A look at the source code implies that the "request 256" means that the web process tried to read the vnode numbered 256. Is that accurate? If it is, how do I go about associating vnode numbers to files, so I have a hope of troubleshooting these errors? Searching seems to turn up no tool or easy way to get this vnode -> file information.

Help!

Jeff
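As an added example (editor's code, not part of Jeff's post or of FreeBSD), here is a small decoder for the log line quoted above. In the mac_bsdextended source the message is emitted from the rule check as "subject-uid:subject-gid request acc_mode on object-uid:object-gid failed", so the "request" number is the access-mode bitmask passed to the check (the VEXEC/VWRITE/VREAD/VADMIN bits from sys/vnode.h, which are octal constants), not a vnode number: 256 is octal 0400, i.e. VREAD, and 0:0 is the owner uid:gid of the object, so the line records a denied read of a root-owned file. The sample log lines other than the one from the post are constructed for the example, and the summarize() grouping is the editor's own troubleshooting aid.

```python
import re
from collections import Counter

# Access-mode bits as defined (in octal) in FreeBSD's sys/vnode.h.  The
# "request N" field of a mac_bsdextended denial is this bitmask in decimal.
# Newer FreeBSD headers define further bits (e.g. VSTAT, VAPPEND); anything
# not listed here is reported as unknown rather than silently dropped.
ACCESS_BITS = {
    0o000100: "VEXEC",
    0o000200: "VWRITE",
    0o000400: "VREAD",
    0o010000: "VADMIN",
}

# Matches the kernel message whether or not a syslog prefix precedes it.
LOG_RE = re.compile(
    r"mac_bsdextended:\s+(?P<suid>\d+):(?P<sgid>\d+)\s+request\s+(?P<mode>\d+)"
    r"\s+on\s+(?P<ouid>\d+):(?P<ogid>\d+)\s+failed"
)


def decode_mode(mode):
    """Translate the decimal acc_mode bitmask into sys/vnode.h bit names."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mode & bit]
    leftover = mode & ~sum(ACCESS_BITS)
    if leftover:
        names.append("unknown(0o%o)" % leftover)
    return names


def parse_line(line):
    """Return the denial as a dict, or None if the line is not a denial."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    mode = int(m.group("mode"))
    return {
        "subject": (int(m.group("suid")), int(m.group("sgid"))),  # process ruid:rgid
        "object": (int(m.group("ouid")), int(m.group("ogid"))),   # file owner uid:gid
        "mode": mode,
        "access": decode_mode(mode),
    }


def summarize(lines):
    """Count denials by (subject, object owner, access) so repeats stand out."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["subject"], rec["object"], tuple(rec["access"]))] += 1
    return counts


# Constructed sample: the line from the post plus three made-up neighbours
# (a write attempt on the site's own files, an exec attempt on a root-owned
# file, and an unrelated kernel message that must be ignored).
SAMPLE_LOG = [
    "www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.",
    "www kernel: mac_bsdextended: 80:80 request 128 on 1010:1010 failed.",
    "www kernel: mac_bsdextended: 80:80 request 256 on 0:0 failed.",
    "www kernel: mac_bsdextended: 80:80 request 64 on 0:0 failed.",
    "www kernel: pid 1234 (httpd), uid 80: exited on signal 11",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        if rec is not None:
            print("%s:%s tried %s on a file owned by %s:%s" % (
                rec["subject"][0], rec["subject"][1], "|".join(rec["access"]),
                rec["object"][0], rec["object"][1]))
    for key, n in summarize(SAMPLE_LOG).most_common():
        print("%3d x %s" % (n, key))
```

Running it over /var/log/messages (or wherever LOG_AUTHPRIV lands) turns the bare numbers into "uid 80 tried VREAD on a root-owned file", which at least narrows the search to root-owned files the web server reads, and the grouped counts show whether one combination recurs on every request or appeared once.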