TrustedBSD...
Robert Watson
rwatson at FreeBSD.org
Tue Dec 9 13:35:43 PST 2003
On Tue, 9 Dec 2003, Matthew Dillon wrote:
> I see two ways to implement the filter mechanism:
>
> (1) The filter would have to implement the copyin/copyout layer and then
> call the syscall meat layer. Any filtered syscalls that don't
> actually have to examine user-supplied data could simply call the
> main syscall entry point after acceptance, so it would not be too
> messy. This is easier to do than #(2) but makes the layering of
> multiple syscall filters difficult.
>
> (2) Do all copyins necessary for filter operations (basically anything
> that passes a path) prior to executing the first filter. Then the
> filters need only deal with the data. Harder but probably the more
> effective solution.
I think this will work fine for rules based on subjects and simple
arguments (uids, socket types, addresses, signal numbers), but will still
run into the second class of race conditions I mentioned: performing
checks separate from usage means "things can change" between the check and
the use. I.e., if you resolve a path twice, it may resolve differently.
You really want to resolve the path exactly once for check and use, and
this is largely a result of a file system pathname really representing a
compound operation which you'd like to be consistent when executed twice.
With a VFS based on capabilities and message passing, you could do it,
because the lookup would consist of a series of operations and the names
used by the consumer and producer would be in the same namespace (i.e.,
vnode references represented by ports).
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at xxxxxxxxxxxxxxxxx Senior Research Scientist, McAfee Research