tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

FWIW: sysrestrict



Eight months ago, I shared with a few developers the code for a kernel
interface [1] that can disable syscalls in user processes.

The idea is the following: a syscall bitmap is embedded into the ELF binary
itself (in a note section, like PaX), and each time the binary performs a
syscall, the kernel checks whether the syscall in question is allowed in
the bitmap.

In details:
 - the ELF section is a bitmap of 64 bytes, which means 512 bits, the
   number of syscalls. 0 means allowed, 1 means restricted.
 - in the proc structure, 64 bytes are present, just a copy of the
   ELF section.
 - when a syscall is performed, the kernel calls sysrestrict_enforce
   with the proc structure and the syscall number, and gives a look
   at the bitmap to make sure it is allowed. If it isn't, the process
   is killed.
 - a new syscall is added, sysrestrict, so that programs can restrict
   a syscall at runtime. This might be useful, particularly if a
   program calls a syscall once and wants to make sure it is not
   allowed any longer.
 - a userland tool (that I didn't write) can add and update such an ELF
   section in the binary.

This interface has the following advantages over most already-existing
implementations:
 - it is system-independent, it could almost be copied as-is in FreeBSD.
 - it is syscall-independent, we don't need to patch each syscall.
 - it does not require binaries to be recompiled.
 - the performance cost is low, if not non-existent.

I've never tested this code. But in case it inspires or motivates someone.

[1] http://m00nbsd.net/garbage/sysrestrict/


Home | Main Index | Thread Index | Old Index