From: Maciej Zenczykowski <maze@cela.pl>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Syscall security
Date: Fri, 26 Sep 2003 16:05:50 +0200 (CEST)
Message-ID: <Pine.LNX.4.44.0309261553180.6080-100000@gaia.cela.pl>
Hi,
I'm wondering if there is any way to provide per process bitmasks of
available/illegal syscalls. Obviously this should most likely be
inherited through exec/fork.
For example, specifying that pid N should return -ENOSYS on all syscalls
except read/write/exit.
The reason I'm asking is because I want to run totally untrusted
statically linked binary code (automatically compiled from user
submitted untrusted sources) which only needs read/write access to stdio
which means it only requires syscalls read/write/exit + a few more for
memory alloc/free (like brk) + a few more generated before main is called
(execve and uname I believe).
Currently I'm running the code in a chroot'ed environment (to an empty
dir) under a 'nobody' uid/gid with no open fds except for std in/out/err,
with limits for mem, processor usage, open files, processes (to 1), etc.
Obviously this still allows calling code like 'time', 'getuid', etc and
the like.
Modifying the compiler (or removing the headers) won't help since at worst
I can code it in asm in the source or even in a plain byte table.
I have a working (very much a hack) patch which turns off all but 7 (or
so) of the syscalls (via pseudo-bitmaps).
Basically my question is: has this been done before (if so where/when?),
what would be considered 'the right' way to do this, would this be a
feature to include in the main kernel source?
Thanks,
MaZe.
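The per-process syscall allow list asked for above, as an added example that is not part of the original message or thread: it uses the seccomp-bpf filter mechanism the kernel later gained (Linux 3.5 and newer), which is inherited across fork() and execve() and can return -ENOSYS for filtered calls instead of killing the process. The allow list and the getuid() probe are constructed for this example; the x86_64/aarch64 arch defines are assumptions to extend for other targets.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <unistd.h>
#ifdef __x86_64__
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#else
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64   /* assumption: extend for other targets */
#endif
/* Allow list (constructed for this example): read/write/exit plus brk for malloc, as the post describes. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_brk };
#define NALLOWED (sizeof allowed / sizeof allowed[0])
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JEQ(k, jt)    (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, 0)

/* Emit the classic-BPF program into out[] (room for NALLOWED + 6); returns the instruction count. */
size_t build_filter(struct sock_filter *out)
{
    size_t n = 0, i;
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = JEQ(SANDBOX_ARCH, 1);               /* foreign ABI (e.g. 32-bit compat): kill */
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < NALLOWED; i++)                 /* any match jumps forward to RET ALLOW */
        out[n++] = JEQ(allowed[i], NALLOWED - 1 - i);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS); /* default: -ENOSYS, not kill */
    return n;
}

/* Install the filter; the kernel keeps it across fork() and execve(), so the exec'd binary inherits it. */
int install_filter(void)
{
    struct sock_filter insns[NALLOWED + 6];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required unprivileged; blocks setuid gain */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
int main(void)
{
    if (install_filter() != 0) return 1;
    if (syscall(SYS_getuid) == -1 && errno == ENOSYS) /* getuid is filtered, write is allowed */
        write(1, "getuid: ENOSYS\n", 15);
    _exit(0);                                         /* exit_group: allowed */
}
```

In the chroot setup described in the message, install_filter() would be called right before execve() of the untrusted binary, so execve and uname in the startup path need adding to the list before main() of the child is reached.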