From: Jakub Szafrański
Organization: PIRC.PL
Date: Tue, 28 Dec 2010 14:03:35 +0100
Delivered-To: freebsd-hackers@freebsd.org
Subject: Getting full binary path in MAC Framework
Message-ID: <610581cbf67aec26205e429adc2c42b1@samu.pl>

Hi,

First, sorry for my bad English and for my behaviour - English is not my native language, and I am new to mailing lists.

I'm trying to get the *FULL* path to a binary launched by the user, so that I could use it later. I've managed to get just the binary name, OR get the binary name from /proc, but I'd like it to be better (and not require /proc).
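This is what I've already written:

/*
 * The header names were lost in the archived copy of this message;
 * the headers listed here are the ones the code below needs.
 */
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/kernel.h>
#include <sys/module.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/proc.h>
#include <sys/ucred.h>
#include <sys/vnode.h>
#include <sys/imgact.h>
#include <security/mac/mac_policy.h>

SYSCTL_DECL(_security_mac);

/* security.mac.veriexec sysctl subtree */
SYSCTL_NODE(_security_mac, OID_AUTO, veriexec, CTLFLAG_RW, 0,
    "MAC veriexec implementation");

/* security.mac.veriexec.enabled: turns the policy on or off */
static int veriexec_enabled = 0;
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, enabled, CTLFLAG_RW,
    &veriexec_enabled, 0, "Enforce mac_veriexec policy");

/* security.mac.veriexec.level: only logged for now */
static int veriexec_level = 0;
SYSCTL_INT(_security_mac_veriexec, OID_AUTO, level, CTLFLAG_RW,
    &veriexec_level, 0, "Veriexec security level");

/*
 * Exec hook: logs the UID, PID, level and imgp->execpath when the
 * policy is enabled. Always returns 0, so exec is never denied.
 */
static int
veriexec_vnode_check_exec(struct ucred *cred, struct vnode *vp,
    struct label *vplabel, struct image_params *imgp,
    struct label *execlabel)
{
	if (veriexec_enabled) {
		if (cred && imgp && imgp->execpath) {
			log(LOG_NOTICE,
			    "UID %d launched PID %d, veriexec_level: %d %s\n",
			    cred->cr_uid, imgp->proc->p_pid,
			    veriexec_level, imgp->execpath);
		}
	}
	return 0;
}

static struct mac_policy_ops veriexec_ops = {
	.mpo_vnode_check_exec = veriexec_vnode_check_exec,
};

/* Register the policy; MPC_LOADTIME_FLAG_UNLOADOK allows unloading the module. */
MAC_POLICY_SET(&veriexec_ops, mac_veriexec, "MAC veriexec implementation",
    MPC_LOADTIME_FLAG_UNLOADOK, NULL);

I'll be glad for any help.

Jakub 'samu' Szafrański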