All geek questions in one place

Linux syscall access restriction

Assume that there is a Linux foobar binary that has two different modes of operation:

  • Mode A: A well-managed mode is used that uses the system calls a , b and c .
  • Mode B: Misuse mode using system calls a , b , c and d .

Syscalls a , b and c are harmless, while syscall d potentially dangerous and can lead to device instability.

Suppose further that of the two modes executed by the application, it is random: the application runs in mode A with a probability of 95% and in mode B with a probability of 5%. The application is delivered without source code, so it cannot be changed, run only as is.

I want to make sure that the application cannot execute syscall d . When executing syscall d result should be either NOOP or the application terminate immediately.

How to achieve this in a Linux environment?

+4
source share
4 answers

Is the application related to static?

You can override some characters, for example, override socket

 int socket(int domain, int type, int protocol) { write(1,"Error\n",6); return -1; }

Then create a shared library:

 gcc -fPIC -shared test.c -o libtest.so

Let the mileage:

 nc -l -p 6000

OK

And now:

 $ LD_PRELOAD=./libtest.so nc -l -p 6000 Error Can't get socket

What happens when you run the variable LD_PRELOAD=./libtest.so , it overrides the characters defined in libtest.so for more than a thousand defined in the library.

+6
source

It seems that systrace does exactly what you need. On the Wikipedia page:

An application is allowed to specify only those system calls that are allowed in the policy. If an application tries to make a system call that is not explicitly allowed, an alarm occurs.

+6
source

This is one possible sandbox application (in particular, rule-based). One popular implementation is SELinux .

You need to write a policy that matches what you want to allow the process.

+3
source

Source: https://habr.com/ru/post/1299530/

More articles:


All Articles