From: Julian Elischer
To: Pawel Jakub Dawidek
Cc: freebsd-hackers@freebsd.org
Date: Sun, 15 Sep 2002 04:32:21 -0700 (PDT)
Subject: Re: Changing process informations.
In-Reply-To: <20020915105815.GT68652@garage.freebsd.pl>

On Sun, 15 Sep 2002, Pawel Jakub Dawidek wrote:

> On Sat, Sep 14, 2002 at 11:05:11PM -0600, M. Warner Losh wrote:
> +> In message: <20020915030157.GP68652@garage.freebsd.pl>
> +> Pawel Jakub Dawidek writes:
> +> : Hello hackers...
> +> :
> +> : When I want to change a process's real or effective uid in a kld module
> +> : I've got the functions change_ruid() and change_euid().
> +> : I need to change many other pieces of information about the process.
> +>
> +> Why do you want to change the process real or effective id from a kld
> +> module? That seems to me to be violating the normal policy
> +> procedures that the kernel should be enforcing.

Ah, I think I found the name for the OpenBSD version. I think it's systrace. It intercepts and validates all syscalls made by a process, including open(), where it compares the names being opened against a regexp.

> This is for security reasons:)
> I'm writing a module that will be a complete security solution,
> where you could define policies per process.
> The old version of this stuff works like systrace; the new one is
> much more functional and you can specify capabilities
> per process.
> Here are some example configuration files:
>
> http://garage.freebsd.pl/cerb-ng/start.cb
> http://garage.freebsd.pl/cerb-ng/ping.cb
> http://garage.freebsd.pl/cerb-ng/passwd.cb
> http://garage.freebsd.pl/cerb-ng/openssh.cb
> http://garage.freebsd.pl/cerb-ng/end.cb
>
> Most of the code is done already, but I have to be sure that I don't
> do any ugly/evil things; that's why I'm asking.
>
> Any comments/ideas/solutions are welcome.
>
> --
> Pawel Jakub Dawidek
> UNIX Systems Administrator
> http://garage.freebsd.pl
> Am I Evil? Yes, I Am.
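
The check described in the reply above (each name passed to open() compared against a regexp), sketched in user space as an added example; it is not systrace's or cerb-ng's code. The rule table, its patterns and the names `check` and `path_is_canonical` are hypothetical, and the sample policy is constructed. It denies by default and refuses names that a purely textual pattern cannot judge.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
enum verdict { DENY, PERMIT };
/* Hypothetical rule format: syscall name, POSIX extended regex, verdict. */
struct rule { const char *syscall; const char *path_re; enum verdict v; };
/* Constructed sample policy; evaluated top to bottom, first match wins. */
static const struct rule policy[] = {
    { "open", "^/etc/(hosts|resolv\\.conf)$",      PERMIT },
    { "open", "^/usr/lib/[^/]+\\.so(\\.[0-9]+)*$", PERMIT },
    { "open", "^/etc/",                            DENY   },
};

/* A regex sees only text, so refuse names it cannot judge: relative
 * paths, "." or ".." components, and doubled slashes. */
static int path_is_canonical(const char *p)
{
    if (p[0] != '/') return 0;
    for (const char *s = p; ; ) {            /* s always points at a '/' */
        const char *c = s + 1, *e = strchr(c, '/');
        size_t n = e ? (size_t)(e - c) : strlen(c);
        if (n == 0 && e) return 0;                          /* "//" */
        if (n == 1 && c[0] == '.') return 0;                /* "."  */
        if (n == 2 && c[0] == '.' && c[1] == '.') return 0; /* ".." */
        if (!e) return 1;
        s = e;
    }
}

enum verdict check(const char *syscall, const char *path)
{
    if (!path_is_canonical(path)) return DENY;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        regex_t re;
        if (strcmp(policy[i].syscall, syscall) != 0) continue;
        if (regcomp(&re, policy[i].path_re, REG_EXTENDED | REG_NOSUB) != 0)
            return DENY;                     /* broken rule fails closed */
        int hit = regexec(&re, path, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) return policy[i].v;
    }
    return DENY;                             /* no rule matched */
}

int main(void)
{
    printf("%d %d\n", check("open", "/etc/hosts"), check("open", "/etc/../etc/hosts"));
    return 0;
}
```

A check like this judges only the string it is handed; in a real interceptor the name must be the one the kernel actually resolves, otherwise symlinks or a path changed after the check can bypass the pattern.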