Re: Syscall security

[Muli Ben-Yehuda]

On Fri, Sep 26, 2003 at 04:05:50PM +0200, Maciej Zenczykowski wrote:

> I'm wondering if there is any way to provide per process bitmasks of 
> available/illegal syscalls.  Obviously this should most likely be 
> inherited through exec/fork.

syscalltrack can do it, per executable / user / syscall parameters /
whatever, but it's per syscall. Writing a perl script or C program to
iterate over the supplied syscall list and write the allow/deny rules
is pretty simple. Also, syscalltrack is meant for debugging, not
security, so if you want something that's 100% tight you'd better go
with one of the Linux security modules based on the LSM framework. 

> For example specyfying that pid N should return -ENOSYS on all syscalls 
> except read/write/exit.

Yeah, syscalltrack can do that ;-) 

> The reason I'm asking is because I want to run totally untrusted 
> statically linked binary code (automatically compiled from user 
> submitted untrusted sources) which only needs read/write access to stdio 
> which means it only requires syscalls read/write/exit + a few more for
> memory alloc/free (like brk) + a few more generated before main is called 
> (execve and uname I believe).

Since it's a known binary, if you can handle the increased run time,
strace is your best shot. syscalltrack and other kernel based
solutions are best when you need something that is "system wide". 

> Basically my question is: has this been done before (if so where/when?), 
> what would be considered 'the right' way to do this, would this be a 
> feature to include in the main kernel source?

Previous discussion seemed to conclude that features like these are
"not interesting enough to the majority of users". Maybe it's time to
revise those discussions (c.f. the inclusion of SELinux, for
example). 
-- 
Muli Ben-Yehuda
http://www.mulix.org

Attachment: signature.asc
Description: Digital signature