• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Block SIGKILL/SIGTERM
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Block SIGKILL/SIGTERM

  • Subject: Re: Block SIGKILL/SIGTERM
  • From: Amarnath <email@hidden>
  • Date: Wed, 14 Aug 2013 14:10:14 +0530
Hello,

I tried to make use of the MAC framework on Mac to block signals. I observe that I am able to hook on to the signals before it gets passed onto the processes. But, I am not able to block the signals.

I had spent sometime analyzing why this was happening.

Interestingly, I see that the implementation on Mac and on FreeBSD differs significantly. These are my observations.

Definition of mac_proc_check_signal() as per Apple [1]
int
mac_proc_check_signal(proc_t curp, struct proc *proc, int signum)
{
    kauth_cred_t cred;
    int error;



    if (!mac_proc_enforce ||
        !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
        return (0);

    cred = kauth_cred_proc_ref(curp);
    MAC_CHECK(proc_check_signal, cred, proc, signum);
    kauth_cred_unref(&cred);

    return (error);
}

Definition of mac_proc_check_signal()  as per FreeBSD [2]
int
mac_proc_check_signal(struct ucred *cred, struct proc *p, int signum)
{
    int error;

    PROC_LOCK_ASSERT(p, MA_OWNED);

    MAC_POLICY_CHECK_NOSLEEP(proc_check_signal, cred, p, signum);
    MAC_CHECK_PROBE3(proc_check_signal, error, cred, p, signum);

    return (error);
}

As a consequence, I see that the Mac implementation does not capture the error value which should have returned while I was trying to block the signals.

Any inputs on this?

[1] http://www.opensource.apple.com/source/xnu/xnu-2050.22.13/security/mac_process.c
[2] http://svnweb.freebsd.org/base/stable/9/sys/security/mac/mac_process.c?view=markup




On Thu, Jul 11, 2013 at 9:30 AM, Amarnath <email@hidden> wrote:
Rustam,

This indeed looks promising. I will try to make use of and see if I am able to block signals.

Thanks for the info,




On Tue, Jul 9, 2013 at 9:40 PM, Rustam Muginov <email@hidden> wrote:
Amarnath,
it seems to be possible to install mpo_proc_check_signal_t check in TrustedBSD, see the <security/mac_policy.h> in Kernel framework.
Returning non-zero should prevent signal to be passed to target process.

--
Sincerely,
Rustam Muginov

On Jul 9, 2013, at 4:12 AM, Amarnath <email@hidden> wrote:

Hello,

Is there any way I can block SIGKILL/SIGTERM to a process at kernel level?


--
അമര്‍നാഥ്
V A Amarnath

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)

This email sent to email@hidden




--
അമര്‍നാഥ്
V A Amarnath




--
അമര്‍നാഥ്
V A Amarnath
NITC
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: Block SIGKILL/SIGTERM
      • From: Phil Jordan <email@hidden>
  • Next by Date: Re: Block SIGKILL/SIGTERM
  • Next by thread: Re: Block SIGKILL/SIGTERM
  • Index(es):
    • Date
    • Thread