On Thu, 28 Jul 2011, s wrote:
I need to get some info about the socket being created by the user. What I want to do is log all TCP/UDP outgoing connections that are being made. I *need* to get the local and remote address, as well as the local and remote port. I managed to get all of the remote data, but this is useless to me, if I haven't got the local port. Here is what I have already written:
Most MAC Framework entry points are invoked before operations of interest, rather than after, because they are intended to perform access control on operations. I think the closest you may be able to get given current entry points is logging when the first operation is performed on the connected socket: i.e., read, write, sendfile, etc, since it will be established at that point (some caution required: you can invoke system calls on sockets before and during connect()).
However, I can't help but wonder: would you be better-served by using the kernel's audit facilities to track events like socket connection? Are you blending access control and logging in your module, or is this really just about logging?
Robert
static int slog_socket_check_connect(struct ucred *cred, struct socket *socket, struct label *socketlabel, struct sockaddr *sockaddr) { if(sockaddr->sa_family == AF_INET) { struct sockaddr_in sa;log(LOG_SECURITY | LOG_DEBUG, "Somebody made a socket: %d:%d (%d)\n",cred->cr_ruid, ntohs(((struct sockaddr_in*)sockaddr)->sin_port), ntohs(((struct in_endpoints*)sockaddr)->ie_lport) ); } return 0; } -- Pozdrawiam, Jakub 'samu' SzafraĆski _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
_______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
