Re: customization of Darwin kernel
- Subject: Re: customization of Darwin kernel
- From: Brian Tabone <email@hidden>
- Date: Sat, 8 Feb 2003 14:34:34 -0600

Mr. Wong,

I did some quick research in the source code for Darwin. In
xnu/bsd/netinet/ip_input.c, there is an integer called ipforwarding and
the definition of the sysctl that accesses it (they are around line 125
of this file). Anyhow, you could comment out the definition for the
sysctl and leave ipforwarding initialized as 0, and this would lock off
IP forwarding for the users of your custom kernel by removing access
via sysctl to this variable. Note I have not tested this method; I base
my statements on what I see in the code. Your mileage may vary :)

The drawback here, though, is that a savvy root user with a debugger and a
symbol table could find this variable in /dev/kmem and set it to 1 the
hard way. You may wish to actually remove all the forwarding code from
the kernel itself if you are feeling adventurous.

I'm not certain where CD burning is enabled in the kernel; sorry I
couldn't be of more help with that part of your question.

-Hope that helps,
Brian Tabone

On Saturday, February 8, 2003, at 12:13 PM, Mr. Wong wrote:

Once again THANKS to all those who have replied to my questions. Your
comments are much appreciated and are helping me further understand the
Darwin (as well as other Linux) Kernels.

I am aware that many of the options I am requesting information about
are available as extensions, modules, and configuration file options.
However, I am still interested in enabling / disabling these options at
the kernel level. For example, when I asked about the KERNEL LEVEL
customization of allowing or disallowing IP packet forwarding I am more
interested in DISABLING it via the kernel. Why? In the past I have
constructed a more secure Linux machine by disabling "dangerous" kernel
level options such as IP packet forwarding or promiscuous mode to
prevent packet sniffing on my network. Additionally, disabling a CD-burner
in kernel space has its reasons as well. Assume I want the ability to
burn CD's and am willing to swap kernels for this. I want to be assured
that other users of my systems ARE NOT burning CD's which may contain
proprietary data. Essentially trusted users have access to the CD-R
enabled kernel... other users don't. These are the kinds of "hobby
projects" that I work on! Admittedly these procedures are a bit
extreme...but as a security consultant I am always interested in the
MANY ways a solution could be achieved. Anyway, I would be interested in
disabling many features in the Darwin Kernel. Also I am interested in
tweaking / creating kernel extensions... which I have done to a very
basic extent by following FAQ's about how to create a simple kernel
extension in Darwin. Thanks to Pelle Johansson for pointing out which
files might be of interest to me:

> However, if you really want to do it, what you do is edit the
> xnu/*/conf/MASTER.ppc files (on ppc, obviously).

--Cheers,
Matthew K. Wong

> Date: Fri, 7 Feb 2003 14:14:58 +0100
> Subject: Re: Kernel customization.
> Cc: email@hidden
> To: "Mr. Wong"
> From: Pelle Johansson
>
> On Wednesday, 5 February 2003, at 02:26, Mr. Wong wrote:
>
>> Hello everyone, I recently compiled the Darwin (XNU portion v.6.0)
>> kernel with the help from the users of this newsgroup (thanks!). I
>> would like to take this a step further and actually do some kernel
>> customizations similar to the ones I've done in Linux. For example,
>> I've recompiled the Linux kernel to specifically allow or disallow cd
>> burning capabilities via SCSI emulation support. Another thing I've
>> done in linux is allow IP packet forwarding. The Redhat (7.3) Linux
>> kernel appears to be much easier to handle than the Darwin kernel
>> because there exists GUI and command line utilities built specifically
>> for the purpose of customization. Anyway, my question is this: How does
>> one go about modifying the XNU kernel to achieve such customizations?
>> Is there a GUI or command line utility? What suggestions do you have
>> or what should I watch out for? Any help will be appreciated. Thanks
>> in advance, Matthew K. Wong
>
> Well, you got a lot of replies telling you not to, and I agree with
> them. Most things are turned on by default. IP forwarding certainly is,
> and AFAIK, cd burning is handled completely by the cd iokit driver,
> which is a kernel extension (src/live/IOCDStorageFamily in cvs).
> However, if you really want to do it, what you do is edit the
> xnu/*/conf/MASTER.ppc files (on ppc, obviously).
> By modifying the line RELEASE = [...] you can add and remove options.
> Of course, it's not completely obvious what options are available,
> you'll have to look around in the files in the conf/ directories to
> find out.

_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.