Thanks for the reply Peter. Yes I guess I was too general in my description.

What I am trying to accomplish is to have my NKE sending packet statistics to a userland/client application. Seeing as how I want this userland application to be accessible by whoever signs on to the Mac I do not want to limit the ability of my userland application to talk to my NKE.

I register my NKE as follows:
"
struct kern_ctl_reg AFctl_reg;
bzero(&AFctl_reg, sizeof(AFctl_reg));
AFctl_reg.ctl_id = AFMAC_KERN_ID;
AFctl_reg.ctl_unit = 0;
AFctl_reg.ctl_flags = CTL_FLAG_PRIVILEGED;
AFctl_reg.ctl_sendsize = 0;
AFctl_reg.ctl_recvsize = 0;
AFctl_reg.ctl_connect = AFKernConnect;
AFctl_reg.ctl_disconnect = AFKernDisconnect;
AFctl_reg.ctl_write = AFClientKernXWrite;
AFctl_reg.ctl_set = NULL;
AFctl_reg.ctl_get = AFKernGet;
static kern_ctl_ref ctlref = 0; /* Reference of the kernel controller */
nReturn = ctl_register(&AFctl_reg, 0, &ctlref);
"

Then in user land I make the connection to the NKE as follows:
"
u_int32_t unit = 0;
int fd;
int result = 1;
struct sockaddr_ctl addr;
bzero(&addr, sizeof(addr));
addr.sc_len = sizeof(addr);
addr.sc_family = AF_SYSTEM;
addr.ss_sysaddr = AF_SYS_CONTROL;
addr.sc_id = AFMAC_KERN_ID; // unique registered creator ID
addr.sc_unit = unit;
fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
if (fd >= 0) // socket() returns -1 on failure
{
    result = connect(fd, (struct sockaddr*)&addr, sizeof(struct sockaddr_ctl));
    ...
    // and so on
}"

My socket routine works fine but I am failing on the connect with errno = 1 or EPERM.

My understanding is that with the unit value set in both the NKE and the client that this is setting the ownership to root.

You said there are various mechanisms for the client to communicate with the NKE, maybe I am not using the correct mechanism or I am setting some value incorrectly, do you see anything in error?

I was basically following the example in the "About Network Kernel Extensions" material.

Thanks
Carl

-----Original Message-----
From: Peter
Sent: Monday, February 14, 2005 7:17 PM
To: Carl
Cc: email@hidden
Subject: Re: Change to root uid

On Feb 14, 2005, at 6:35 PM, Carl Smith wrote:

> I have a NKE and a client that I want to talk to each other. If the client
> app is run as some user that might not be root, I still want my
> client/NKE to talk with each other, but it is my understanding that
> NKEs need to be set with root user options only. In this case I need
> to set the uid to root within my client application.
>
> Is this possible and if so could you point me in the right direction
> as to what APIs I need to be using?

The ownership/permissions of the nke need to be root/0755 for security reasons but that doesn't mean that it "runs" as root. It runs in the kernel and any user can talk to it, using various mechanisms. It's up to you to make sure that the uid and/or application which talk to your nke are suitable and appropriate for what you want to do.

Your client application does not need to be suid root, nor should you (for usual activity) restrict your nke to a connection which can only be made by someone logged in as root.

You haven't given us enough information to provide much more help than this. The best thing would be to describe a bit more of what you're trying to do.

Regards.....Peter

p.s. remember also that nke interfaces are subject to change, and Apple presently discourages some of this development precisely because of the version-to-version compatibility issues