Re: A TrustedBSD "voluntary sandbox" policy.
On Nov 8, 2007 9:23 AM, Pawel Jakub Dawidek <firstname.lastname@example.org> wrote:[color=blue]
> First problem is that it is hard to operate on file paths. MAC passes a
> locked vnode to you and you cannot go from there to a file name easly.
> You could do it by comparsion: call VOP_GETATTR(9) on the given vnode,
> do the same for /etc/passwd and others and compare their inodes and
> file system ids. Performance hit may be significant for complex
> You can register yourself for process_exit, process_fork and
> process_exec in-kernel events and do your cleanups from your event
> handler. Take a look at EVENTHANDLER(9).
> Pawel Jakub Dawidek [url]http://www.wheel.pl[/url]
> [email]pjd@FreeBSD.org[/email] [url]http://www.FreeBSD.org[/url]
> FreeBSD committer Am I Evil? Yes, I Am!
Couldn't you use stat() syscall on the paths from the userland utility
that parses the rules, collect the mount point or mount id and the
inode from the stat struct, then have the MAC policy module
match that data with the file id and mount id available from the
[email]email@example.com[/email] mailing list
To unsubscribe, send any mail to "firstname.lastname@example.org"