Re: Determining specific file sessions
- Subject: Re: Determining specific file sessions
- From: Terry Lambert <email@hidden>
- Date: Tue, 22 Jul 2008 21:06:27 -0700
On Jul 22, 2008, at 5:59 AM, Jernej Azarija wrote:
> Hello,
> in my current project I'm using Kauth for a security application. Part
> of the application deals with file operation checking and therefore
> uses KAUTH_SCOPE_VNODE.
> It is required for the application to exactly know when a specific
> process open/closed a file. For example, the file `foo.bar' may be
> accessed by many processes each holding more than one file descriptor
> associated with the given file. It is therefore not enough to know the
> time a file was opened/closed as it may relate to different processes
> and/or file descriptors within the process.
> The only valid idea I could think of to distinguish between various
> instances of opened files is to relate each open session with the
> process ID and process FD associated with the file. As to my
> knowledge, this is impossible within the VNODE scope, and I'm afraid
> there is no legal way to do it either (am I right?).
You are correct. You will only get the KAUTH_FILEOP_CLOSE
notification for the last close instance on a file, in which the
fileglob is destroyed and the vnode_put() happens, releasing the vnode
in question so that it can be reclaimed and reused by the system.
In general, fileglobs are typically shared between open instances
resulting from dup, dup2, passing an fd to another process via UNIX
domain socket, or inherited from the parent process by a child
process. Only when the last close happens does the last reference go
away so you get the notification.
You will get to know when the last reference goes away, but nothing
about any of the other references floating around, since in theory you
secured your software which is passing them around, so it's not a
problem, and if it becomes a problem, you will make sure that you
don't pass it over an authorization scope boundary.
> I'd be really thankful if someone could tell me if there is a way to
> achieve what I've specified, or alternatively another way to get the
> same result (either in kernel or user mode).
As Mike said, your only other option besides hacking and building your
own kernel (not recommended) is library interposition in user space.
The notifications by the kernel are intended to provide a KAUTH
listener with the credential associated with the fileglob at the time
of the initial open -- which might not be the credential of the
calling process, either because the process changed privilege level,
or because the descriptor was handed to you by someone else. In
addition, you get the KAUTH_FILEOP_CLOSE notification, the f_data
field from the struct fileproc (which is a vnode or a socket or some
other data, depending on the type of the descriptor), and the
fileop_flags - indicating whether or not the file has been modified
while it was open.
Basically, descriptors carry their rights from when they were created
around with them. If you are a process with rights to a file and/or
socket, you can create an open descriptor to it and hand it off to
your children or to another process, or you can drop the privilege
that allowed you to open the thing in the first place, without your
rights to it getting revoked. This is an intentional part of how the
UNIX privilege separation model works (though most people don't take
advantage of it).
-- Terry
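The three sharing mechanisms Terry lists above (dup, fd passing over a UNIX domain socket, and the fact that only the last close releases the open-file description) can be observed from user space without any kernel code. The following C program is an added example, not code from the thread or from the Darwin kernel; the helper names `make_sample_file`, `pass_fd_over_unix_socket` and `demo_shared_fileglob` are hypothetical, and the temp file under `/tmp` and its contents are constructed for the demonstration. It shows that a read through a dup'd or socket-passed descriptor moves the offset of the original (they share one fileglob), that closing the original descriptor does not destroy the description, and that rights checked at open() time keep working even after the file's mode bits are cleared, which is the user-visible side of "descriptors carry their rights from when they were created".

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical helper: create a temp file holding the constructed
   sample "0123456789" and return a read/write descriptor at offset 0. */
static int make_sample_file(char *path_out, size_t len) {
    char tmpl[] = "/tmp/fileglob-demo-XXXXXX";   /* constructed path template */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, "0123456789", 10) != 10) { close(fd); return -1; }
    lseek(fd, 0, SEEK_SET);
    strncpy(path_out, tmpl, len - 1);
    path_out[len - 1] = '\0';
    return fd;
}

/* Hypothetical helper: hand fd across a socketpair with SCM_RIGHTS, the
   same mechanism used to pass a descriptor to another process, and return
   the descriptor that arrives on the other end (-1 on failure). */
static int pass_fd_over_unix_socket(int fd) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))];
    memset(cbuf, 0, sizeof cbuf);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    int received = -1;
    if (sendmsg(sv[0], &msg, 0) == 1) {
        memset(cbuf, 0, sizeof cbuf);
        msg.msg_controllen = sizeof cbuf;
        if (recvmsg(sv[1], &msg, 0) == 1) {
            cm = CMSG_FIRSTHDR(&msg);
            if (cm && cm->cmsg_type == SCM_RIGHTS)
                memcpy(&received, CMSG_DATA(cm), sizeof(int));
        }
    }
    close(sv[0]);
    close(sv[1]);
    return received;
}

/* Runs the three observations and returns a bitmask: bit 0 = dup shares
   the offset, bit 1 = a socket-passed fd shares it too, bit 2 = the
   description (and its open-time rights) survives closing the original
   fd and clearing the file mode. 7 means all three held; -1 on setup error. */
int demo_shared_fileglob(void) {
    char path[64];
    char buf[4];
    int result = 0;
    int fd = make_sample_file(path, sizeof path);
    if (fd < 0) return -1;

    /* 1. dup(): reading 3 bytes through the copy advances the original's offset. */
    int dupfd = dup(fd);
    if (dupfd >= 0 && read(dupfd, buf, 3) == 3 && lseek(fd, 0, SEEK_CUR) == 3)
        result |= 1;

    /* 2. SCM_RIGHTS: the received descriptor refers to the same description. */
    int passed = pass_fd_over_unix_socket(fd);
    if (passed >= 0 && read(passed, buf, 2) == 2 && lseek(fd, 0, SEEK_CUR) == 5)
        result |= 2;

    /* 3. Closing the original is not the last close; the dup still reads even
       after the mode bits are cleared, because access was checked at open(). */
    close(fd);
    if (dupfd >= 0 && fchmod(dupfd, 0) == 0 && read(dupfd, buf, 1) == 1 && buf[0] == '5')
        result |= 4;

    if (dupfd >= 0) close(dupfd);
    if (passed >= 0) close(passed);
    unlink(path);
    return result;
}

int main(void) {
    printf("observed behaviours bitmask: %d (7 = all three)\n", demo_shared_fileglob());
    return 0;
}
```

For a KAUTH listener the consequence is the one Terry describes: none of the closes in steps 1 and 2 produce a KAUTH_FILEOP_CLOSE, because the fileglob is still referenced; only the final close of the last remaining descriptor does. The fchmod step also explains why an open-time credential is what the listener receives rather than the caller's current one.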
Darwin-kernel mailing list (email@hidden)