Kernel Security Hooks provide a standard interface for programmers of kernel security extensions to intercept system calls and other functions. Before, programmers had to wrap the system call with their own system call, resulting in two copyins. PRFW, the kernel security hook patch I am addressing in this PR, provides a standard interface for these uses. It also provides per-pid restrictions, so process X might not be able to use setuid but process Y might, depending on what restrictions you write.

Platform: x86 ONLY!
O/S: Works on 5.0-CURRENT

Development News:

  • Sorry for the lack of updates, I'm at school, being bogged down with work. I have working code which I am soon going to make into a patch which includes: Moving hooks to sysent for per-process restrictions, a beginning implementation of kernel-function hooks, and increased readability of code.
  • New patch released! Look under the patch section of this page.
  • Finally, I have a mailing list going. Please participate, developers wanted. Subscribe Here
  • I did much hacking on PRFW during my time at DC, but I just sold my laptop, and I havn't had time to diff the changes I've made. The new patch should be here in about a week.
  • Added a TO-DO list. Take a look.


  • Howto: Programming Interface
  • Patch:

  • Download PRFW 0.1.0
    These changes are rather important. So, read this.
  • Got rid of all spl*, mutex locks only.
  • Cleaned up code and added comments
  • Added two new functions to unclutter trap.c
  • Important: Renamed ALL functions, please re-read the Programming Interface document for changes.
  • Important:: Structures renamed and changed
  • Important:: kern_jailuser.c renamed to kern_hook.c, jailuser.h to hook.h
  • Important:: Installation CHANGED. Read installation.
  • Download PRFW 0.0.1
  • Installation:
    PRFW 0.1.0: cd /usr/src/sys && patch -p < patch
    PRFW 0.0.1: cd /usr/src && patch -p < patch

    Evan Sarmiento | | (C) 2001