From mboxrd@z Thu Jan 1 00:00:00 1970 From: valdis.kletnieks@vt.edu (valdis.kletnieks at vt.edu) Date: Wed, 28 Jun 2017 21:19:11 -0400 Subject: Keeping track of called syscalls in real-time In-Reply-To: <50c1511b-dd32-b653-82bb-b17783f16dca@seds.nl> References: <42397.1498684750@turing-police.cc.vt.edu> <19bc9ba9-5a95-7a4d-3763-57f3f695ef7f@seds.nl> <47802.1498688788@turing-police.cc.vt.edu> <50c1511b-dd32-b653-82bb-b17783f16dca@seds.nl> Message-ID: <60537.1498699151@turing-police.cc.vt.edu> To: kernelnewbies@lists.kernelnewbies.org List-Id: kernelnewbies.lists.kernelnewbies.org On Wed, 28 Jun 2017 20:16:33 -0300, Ben Mezger said: (By the way - fopen() is a glibc construct, not a syscall) > I understand seccomp and LSM allows __some__ type of syscall > interposition (where afaik seccomp blocks mostly all of them), but what > I am willing to do here is not *reinvent* the wheel, I am willing to > make things a bit more configurable, where a user has access to an API > where he could write custom procedures to run on the interception side, > without having to dig through the source. AppArmor, SMACK, SELinux, and Tomoyo all allow writing of user-readable policies in userspace and then applying the policy (through some combination of labelling and/or loading policy into the kernel at boot), without having to "dig through the source". In fact, it's probably impossible to write a non-trivial and yet actually usable LSM that doesn't work this way. So it sounds like you probably *are* re-inventing some wheels here. If you have a *very* recent kernel, you can probably get yourself into all sorts of trouble by creating an LSM that allows attachment of arbitrary BPF programs to the various hooks listed in include/linux/lsm_hooks.h. However, there's no really good way to allow unrestricted "custom procedures to run on intercept" that doesn't involve having a reasonably good idea of how the rest of the source works. You *really* want to restrict it to interpreting a policy language of some sort - at which point BPF is probably overkill. (For bonus points - spend at least 30-45 minutes thinking deeply about all the ways an attacker can use the ability to use "custom procedures on intercept" to attack the system. In particular, examine ways an attacker who gets root and/or "authority to load policy" can leverage it to load in a kernel-resident rootkit. See http://phrack.org/issues/58/7.html#article on SucKIT for a worked example of loading code into a kernel that doesn't even support modules.) Note also that you're going to have a *lot* of issues trying to do path-based security - there's all sorts of ugly things that can be done with deep nested paths, symlinks, remote NFS servers, and race conditions. And things like openat() and namespaces only add to the fun... And I'm convinced that even after some 4 decades, there's *still* code and systems configurations out there that allows naughty uses of multiple hard links to a file. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 486 bytes Desc: not available Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20170628/f52f4e53/attachment.bin