Re: Blocking file access within KAUTH
- Subject: Re: Blocking file access within KAUTH
- From: Terry Lambert <email@hidden>
- Date: Sat, 24 Nov 2007 18:12:42 -0800
I believe you are looking for the KAUTH_VNODE_ACCESS bit not being set.
For your per vnode data: sorry, you have to maintain your own table.
On the other hand, you could add a MAC label, but be aware that that's
not KPI, you would have to link against the entire kernel each time a
software update happens, and it could change out from under you.
For vn_getpath(), it really depends on why you think you need the file
name. It's best to check which bits are set and just prefilter
requests. If you can't do that, then when you get one in, you could
always just look it up in your table.
For your last question, parameters vary by callback. If we didn't
document it, it's probably because you can't rely on them for all calls.
-- Terry
On Nov 24, 2007, at 3:32 PM, Damir Dezeljin <email@hidden> wrote:
Hi,
By reading the TN2127 and list posts I managed to develop a KEXT
'KAUTH_SCOPE_FILEOP' on OS X 10.4 that sends file paths on open to
user space and blocks execution until the reply is
received. This is fine; however, I would need to block certain
access to files. As I know (TN2127 states it) this is not possible
within KAUTH_SCOPE_FILEOP as the return value is ignored.
So it seems I have to use the KAUTH_SCOPE_VNODE scope. However, as I
know, it is impossible to 'filter' only open operations (access) in
the VNODE scope. Am I right? Well, my concern is I want to minimize
the kernel <-> user space traffic and so I would like to request user-
space processing only once per file open lifetime (until the
close()).
Please, can anyone give me a suggestion how to address this issue?
Another thing I'm looking for is the possibility to attach some kind
of 'file context' to the file on open. This would help a lot as I
would be able to do the user-space processing on KAUTH_SCOPE_FILEOP
and attach results for all subsequent VNODE callbacks related to
the mentioned file. However, I guess this is not possible, but
please correct me if I'm wrong.
Additionally - is there any way to avoid calling vn_getpath()
for every vnode callback (e.g. if it was already called for the
opened file)?
And the last question for today -> I found two or three different
VNODE callback parameters explanations on the internet. Where can I
get the 'official' (the correct) one?
Thanks and best regards,
Damir
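To make the reply's two points concrete (prefilter on the KAUTH_VNODE_ACCESS bit, keep your own per-vnode table), here is an added example that is not code from the thread or from Apple: the decision logic of a vnode-scope listener modelled in plain C so it builds in user space, with the kauth constants copied at their sys/kauth.h values and the user-space round trip (vn_getpath plus the message to the daemon) replaced by a hypothetical sample_ask callback. The names vnode_decide, vnode_forget, sample_ask and SENSITIVE_VP are assumptions, not kernel API.

```c
#include <stddef.h>
#include <stdint.h>
/* Constants copied at their sys/kauth.h values so this compiles in user space. */
typedef uint32_t kauth_action_t;
#define KAUTH_VNODE_READ_DATA  (1U << 1)
#define KAUTH_VNODE_WRITE_DATA (1U << 2)
#define KAUTH_VNODE_EXECUTE    (1U << 3)
#define KAUTH_VNODE_ACCESS     (1U << 31) /* set for access(2)-style probes, not real opens */
#define KAUTH_RESULT_ALLOW 1
#define KAUTH_RESULT_DENY  2
#define KAUTH_RESULT_DEFER 3
#define OPEN_LIKE (KAUTH_VNODE_READ_DATA | KAUTH_VNODE_WRITE_DATA | KAUTH_VNODE_EXECUTE)

/* The per-vnode table the listener has to maintain itself. Keyed on the vnode
 * pointer plus its vid so a recycled vnode never inherits a stale decision.
 * A real kext must take a lock (e.g. lck_mtx) around every access; omitted here. */
#define TABLE_SLOTS 64
struct vn_entry { const void *vp; uint32_t vid; int result; int used; };
static struct vn_entry table[TABLE_SLOTS];

static struct vn_entry *lookup(const void *vp, uint32_t vid) {
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (table[i].used && table[i].vp == vp && table[i].vid == vid) return &table[i];
    return NULL;
}

/* Decide one vnode-scope callback. `ask` stands in for the expensive round trip
 * (vn_getpath plus a message to the user-space daemon); nonzero means deny. */
int vnode_decide(const void *vp, uint32_t vid, kauth_action_t action,
                 int (*ask)(const void *vp)) {
    if (action & KAUTH_VNODE_ACCESS) return KAUTH_RESULT_DEFER; /* probe only: cheap exit */
    if ((action & OPEN_LIKE) == 0)   return KAUTH_RESULT_DEFER; /* attr read etc.: not ours */
    struct vn_entry *e = lookup(vp, vid);
    if (e) return e->result;                                    /* decided earlier for this open */
    int result = ask(vp) ? KAUTH_RESULT_DENY : KAUTH_RESULT_ALLOW;
    for (int i = 0; i < TABLE_SLOTS; i++)        /* cache it; a full table only means we ask again */
        if (!table[i].used) { table[i] = (struct vn_entry){ vp, vid, result, 1 }; break; }
    return result;
}

/* Call from the KAUTH_FILEOP_CLOSE listener so the entry dies with the open. */
void vnode_forget(const void *vp, uint32_t vid) {
    struct vn_entry *e = lookup(vp, vid);
    if (e) e->used = 0;
}

/* Constructed stand-in for the daemon: denies one "sensitive" vnode, counts calls. */
#define SENSITIVE_VP ((const void *)0x2000)
static int ask_calls = 0;
int sample_ask(const void *vp) { ask_calls++; return vp == SENSITIVE_VP; }
int sample_ask_calls(void) { return ask_calls; }
```

In a real kext this sits behind kauth_listen_scope(KAUTH_SCOPE_VNODE, ...) and the vid comes from vnode_vid(vp); the access-bit check runs before any table lookup or vn_getpath(), which is what keeps the kernel-to-user traffic at one round trip per open.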
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden