Re: kqueue EVFILT_PROC and child process pid
Re: kqueue EVFILT_PROC and child process pid
- Subject: Re: kqueue EVFILT_PROC and child process pid
- From: Stacey Son <email@hidden>
- Date: Tue, 13 Oct 2009 14:14:59 -0500
FYI Rustam:
For more information about MACF (Mandatory Access Control Framework)
see the following:
http://www.freebsd.org/doc/en/books/handbook/mac.html (FreeBSD's MAC
document. The FreeBSD and Mac OS X implementations are very similar.)
http://www.trustedbsd.org/mac.html (TrustedBSD website)
and various white papers:
http://www.trustedbsd.org/trustedbsd-usenix2003freenix.pdf
http://www.trustedbsd.org/trustedbsd-discex3.pdf
-stacey.
On Oct 13, 2009, at 12:11 PM, Terry Lambert wrote:
MACF is not KPI at present. You can use it if you are willing to
link against the entire kernel and suffer changes on point releases
until it's baked.
The kauth exec stuff allows notification but not interception,
though you could cheat at lookup, which has to be done to exec.
-- Terry
On Oct 13, 2009, at 9:39 AM, Rustam Muginov <email@hidden>
wrote:
Thank you for your advice, Terry.
I had studied Kauth approach at the times of 10.4.
I had got an impression that the only intercept possible is file
access at vnode scope, and it only intercepts file open/read but
not execute. Am i wrong in this assumption, and kauth does allow to
intercept process execution?
Also, could you please tell a little more about MACF?
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden