Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 10 May 2006 17:41:47 +0800
From:      zhouyi zhou <zhouyi04@ios.cn>
To:        trustedbsd-discuss@FreeBSD.org,rwatson@FreeBSD.org
Cc:        denglingli@ercist.iscas.ac.cn, jjh_in_2006@ercist.iscas.ac.cn, qinghua02@iscas.cn, jiayong02@iscas.cn, gushaow@ercist.iscas.ac.cn, szg@ercist.iscas.ac.cn, hgu@ercist.iscas.ac.cn, gongwen@ercist.iscas.ac.cn, xuejian03@iscas.cn, liuwei04@iscas.cn, zhangqian04@mails.gucas.ac.cn, bowenzhou04@mails.gucas.ac.cn, fedora@ercist.iscas.ac.cn, zhangqian@ercist.iscas.ac.cn, mayong@ercist.iscas.ac.cn, fengjianru@ercist.iscas.ac.cn, Qinghua02@ios.cn, tjguhao@yahoo.com.cn, chunyang03@ios.cn, wolfheader@ercist.iscas.ac.cn, qmzhou@ercist.iscas.ac.cn, shangjie.li@gmail.com, zenghaitao@itechs.iscas.ac.cn, julian@ercist.iscas.ac.cn, yanjun03@iscas.cn, ldm@ercist.iscas.ac.cn, ccxu@ercist.iscas.ac.cn, qufuping@ercist.iscas.ac.cn, shangjie02@iscas.cn, xinsong03@ios.cn, zhoubowen@itechs.iscas.ac.cn, liuwei@ercist.iscas.ac.cn, joey_try@ercist.iscas.ac.cn
Subject:   Using modified db_trace_self to show MAC Framework's denial information
Message-ID:  <20060510174147.254cc82f.zhouyi04@ios.cn>
In-Reply-To: <005401c67377$cf93a4e0$1c00a8c0@panxj>
References:  <000001c6736f$409db800$26024dd2@n610c> <005401c67377$cf93a4e0$1c00a8c0@panxj>
next in thread | previous in thread | raw e-mail | index | archive | help 
Dear Colleques,
   TrustedBSD's MAC Framework lacks enough denial information in access control.
For example, in SEBSD's avc deny information, only inode number was shown for an 
ordinary file access. This is due to the structure of UFS (which lack d_entry as 
ext2fs do).
   I suggest modifying ddb's db_trace_self facility to show vnode's corresponding 
path name.
   Take kern_stat for example:
db_print_stack_entry_modified_by_ZhouyiZhou(name, narg, argnp, argp, callpc)
        const char *name;
        int narg;
        char **argnp;
        int *argp;
        db_addr_t callpc;
{
  if (!strcmp(name,"kern_stat")){
    db_printf("%s: ", name);
    int i = 1;
    while (narg) {
      if (i == 1)
        db_printf("executable = %s ",((struct thread *) db_get_value((int)argp, 4, FALSE))->td_proc->p_comm);
      if (i == 2)
        db_printf("path = %s ",((char *) db_get_value((int)argp, 4, FALSE)));
      argp++;
      i++;
      --narg;

    }
    db_printf("\n");
    return;
  }
    return;
}
   You can implement many others such as kern_open to print the pathname of the access denied inode.

   This may not be the best soluation, but it is indeed a solution.

Sincerely yours
Zhouyi Zhou

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060510174147.254cc82f.zhouyi04>