Re: FreeBSD hooks

From: Seth Arnold (sarnoldat_private)
Date: Mon Aug 20 2001 - 16:57:10 PDT


    On Mon, Aug 20, 2001 at 07:39:22PM -0400, Evan Sarmiento wrote:
    > I've been following this list for quite a while, and attended the BoF
    > at DC. I've taken many of your theories into account when beginning to
    > work on PRFW, the set of hooks for the FreeBSD operating system. I
    > know this surely is not a FreeBSD hook mailing list, but perhaps you'd
    > be interested to compare, and I'd be glad to hear your feedback. One
    > thing I added in my hooks implementation is the ability to have
    > per-process hooks, for example, you might have process A return EPERM
    > when it tries to setuid(), and you can tell process B that it can only
    > use SOCKET() if it is PF_LOCAL. These rules also propagate through
    > children.
    > 
    > Here is the website for it:
    > http://www.freesoftware.fsf.org/jailuser/
    
    A while ago, I was considering the feasibility of using the same hooks
    between the Linux kernel and the various BSD kernels, so that one could
    write one security module and get all the main free OSs covered in one
    fell swoop.
    
    I came to the decision that it would be right difficult to pull this
    off, because the various kernels, while providing similar external
    interfaces, take all manner of methods while computing the same effects.
    Specifically, the structures to be protected are different, and the code
    paths to access those structures are going to be very different.
    
    As a result of the different code paths, the best hook placement may
    entail different hook semantics among the kernels -- causing the modules
    to occasionally return bogus values in those corner cases -- unless
    there are kernel-specific #defines and #ifdefs going on.
    
    While it may be possible, it would take a fair bit of effort on
    someone's part to ensure the hooks are meaningful for all kernels, and
    document the different semantics among the kernels.
    
    Ah, if only I had more free time -- this would be a cool thing to
    investigate, but it won't be quick.
    
    Thanks for the pointer -- I know I am always interested in learning
    about different OS security projects. :)
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    


