Bug 29423
| Summary: | [request] [patch] new feature: kernel security hooks implementation | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Evan Sarmiento <kaworu> | ||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Closed Not Accepted | ||||||
| Severity: | Affects Only Me | CC: | gonzo | ||||
| Priority: | Normal | ||||||
| Version: | 5.0-CURRENT | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
State Changed From-To: open->suspended Mark as 'suspended' since this does not seem as though it is being actively worked on. For bugs matching the following conditions: - Status == In Progress - Assignee == "bugs@FreeBSD.org" - Last Modified Year <= 2017 Do - Set Status to "Open" Closing this feature request as "Reject" since nobody picked it up to work on. Feel free to reopen if there are any plans to add it to the current version. |
Kernel Security Hooks provide a standard interface for programmers of kernel security extensions to intercept system calls and other functions. Before, programmers had to wrap the system call with their own system call, resulting in two copyins. PRFW, the kernel security hook patch I am addressing in this PR, provides a standard interface for these uses. It also provides per-pid restrictions, so process X might not be able to use setuid but process Y might, depending on what restrictions you write. I have also written a brief howto at http://www.sekt7.org/~ems/prfw.howto You can also download the patch at http://www.sekt7.org/~ems/patch Quick installation: cd /usr/src && patch -p < patch I'm pretty much a kernel newbie, but this is certanly a large achievement for me, to code all this, so take pity, I'm sure my code has problems, but I've tested it and it has worked beautifully. Note: this only works on i386 platform due to a change to i386/i386/trap.c