From: zhouyi zhou <zhouyi04@ios.cn>
To: trustedbsd-discuss@FreeBSD.org, rwatson@FreeBSD.org
Cc: denglingli@ercist.iscas.ac.cn, jjh_in_2006@ercist.iscas.ac.cn, qinghua02@iscas.cn, jiayong02@iscas.cn, gushaow@ercist.iscas.ac.cn, szg@ercist.iscas.ac.cn, hgu@ercist.iscas.ac.cn, gongwen@ercist.iscas.ac.cn, xuejian03@iscas.cn, liuwei04@iscas.cn, zhangqian04@mails.gucas.ac.cn, bowenzhou04@mails.gucas.ac.cn, fedora@ercist.iscas.ac.cn, zhangqian@ercist.iscas.ac.cn, mayong@ercist.iscas.ac.cn, fengjianru@ercist.iscas.ac.cn, Qinghua02@ios.cn, tjguhao@yahoo.com.cn, chunyang03@ios.cn, wolfheader@ercist.iscas.ac.cn, qmzhou@ercist.iscas.ac.cn, shangjie.li@gmail.com, zenghaitao@itechs.iscas.ac.cn, julian@ercist.iscas.ac.cn, yanjun03@iscas.cn, ldm@ercist.iscas.ac.cn, ccxu@ercist.iscas.ac.cn, qufuping@ercist.iscas.ac.cn, shangjie02@iscas.cn, xinsong03@ios.cn, zhoubowen@itechs.iscas.ac.cn, liuwei@ercist.iscas.ac.cn, joey_try@ercist.iscas.ac.cn
Date: Wed, 10 May 2006 17:41:47 +0800
Subject: Using modified db_trace_self to show MAC Framework's denial information
Message-Id: <20060510174147.254cc82f.zhouyi04@ios.cn>
In-Reply-To: <005401c67377$cf93a4e0$1c00a8c0@panxj>
Organization: Institute of Software
List: TrustedBSD General Discussion List (trustedbsd-discuss@FreeBSD.org)

Dear Colleagues,

TrustedBSD's MAC Framework lacks enough denial information in access control. For example, in SEBSD's avc deny information, only the inode number was shown for an ordinary file access. This is due to the structure of UFS (which lacks the d_entry that ext2fs has). I suggest modifying ddb's db_trace_self facility to show the vnode's corresponding path name. Take kern_stat for example:

    #include <sys/param.h>
    #include <sys/systm.h>		/* strcmp */
    #include <sys/proc.h>		/* struct thread, td_proc, p_comm */
    #include <ddb/ddb.h>		/* db_printf, db_get_value, db_addr_t */

    static void
    db_print_stack_entry_modified_by_ZhouyiZhou(const char *name, int narg,
        char **argnp, int *argp, db_addr_t callpc)
    {
    	int i;

    	/* Only kern_stat(td, path, ...) frames are decoded here. */
    	if (strcmp(name, "kern_stat") != 0)
    		return;

    	db_printf("%s: ", name);
    	/* On i386 the arguments sit in consecutive 4-byte stack slots. */
    	for (i = 1; narg > 0; i++, argp++, narg--) {
    		if (i == 1)	/* argument 1: struct thread *td */
    			db_printf("executable = %s ", ((struct thread *)
    			    db_get_value((db_addr_t)argp, 4, FALSE))->td_proc->p_comm);
    		if (i == 2)	/* argument 2: char *path, as passed by the caller */
    			db_printf("path = %s ",
    			    (char *)db_get_value((db_addr_t)argp, 4, FALSE));
    	}
    	db_printf("\n");
    }

You can implement many others, such as kern_open, to print the pathname of the access-denied inode. This may not be the best solution, but it is indeed a solution.

Sincerely yours,
Zhouyi Zhou
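The kern_open generalization the mail mentions, as an added stand-alone example that is not the author's ddb code: a table maps a frame name to the meaning of each argument slot, and the decoder walks the slots the same way the posted hook does. The kernel types, db_get_value and the word-sized argument layout are constructed stand-ins for what ddb provides on i386, so the code runs in user space.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel/ddb types the posted hook touches. */
struct proc   { char p_comm[20]; };
struct thread { struct proc *td_proc; };
typedef uintptr_t db_addr_t;

/* What a given argument slot of the frame holds. */
enum argkind { ARG_SKIP, ARG_THREAD, ARG_PATH };

/* kern_stat(td, path, ...) and kern_open(td, path, ...) both pass the thread
   first and the path second, so each gets one table row. */
struct frame_desc { const char *name; enum argkind kind[4]; };
static const struct frame_desc frame_table[] = {
    { "kern_stat", { ARG_THREAD, ARG_PATH, ARG_SKIP, ARG_SKIP } },
    { "kern_open", { ARG_THREAD, ARG_PATH, ARG_SKIP, ARG_SKIP } },
};

/* Stand-in for ddb's db_get_value(): fetch one word from an argument slot. */
static db_addr_t db_get_value(db_addr_t addr, int size, int is_signed)
{
    (void)size; (void)is_signed;
    return *(const db_addr_t *)addr;
}

/* Decode the first narg slots of a frame for a function in frame_table into
   buf.  Returns 1 when a line was produced, 0 when the name is not of interest. */
static int describe_frame(const char *name, int narg, db_addr_t *argp,
                          char *buf, size_t len)
{
    size_t i, n;
    int pos;

    for (i = 0; i < sizeof(frame_table) / sizeof(frame_table[0]); i++) {
        if (strcmp(name, frame_table[i].name) != 0)
            continue;
        n = (size_t)snprintf(buf, len, "%s:", name);
        for (pos = 0; pos < narg && pos < 4 && n < len; pos++, argp++) {
            db_addr_t v = db_get_value((db_addr_t)argp, sizeof(v), 0);
            if (frame_table[i].kind[pos] == ARG_THREAD)
                n += (size_t)snprintf(buf + n, len - n, " executable = %s",
                                      ((struct thread *)v)->td_proc->p_comm);
            else if (frame_table[i].kind[pos] == ARG_PATH)
                n += (size_t)snprintf(buf + n, len - n, " path = %s", (const char *)v);
        }
        return 1;
    }
    return 0;
}
```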