tags:

views:

99

answers:

3
+2  Q: 

Limiting syscall access for a Linux application

Assume a Linux binary foobar which has two different modes of operation:

  • Mode A: A well-behaved mode in which syscalls a, b and c are used.
  • Mode B: A things-gone-wrong mode in which syscalls a, b, c and d are used.

Syscalls a, b and c are harmless, whereas syscall d is potentially dangerous and could cause instability to the machine.

Assume further that which of the two modes the application runs is random: the application runs in mode A with probability 95 % and in mode B with probability 5 %. The application comes without source code so it cannot be modified, only run as-is.

I want to make sure that the application cannot execute syscall d. When executing syscall d the result should be either a NOOP or an immediate termination of the application.

How do I achieve that in a Linux environment?

+2  A: 

This is one possible application of sandboxing (specifically, Rule-based Execution). One popular implementation is SELinux.

You will have to write the policy that corresponds to what you want to allow the process to do.

Pascal Cuoq  2010-01-27 10:33:05
This is certainly the use case for SELinux. Other sandboxing technologies are available.
stsquad  2010-01-27 15:06:20
@stsquad I incorporated your comment. You were perhaps reacting partly to the "claims" in the previous version… I phrased it this way because of having heard some people SELinux is not so usable in practice, precisely because of the need for adequate policies. Not having tried it, I do not have an opinion one way or the other, so perhaps the new version is better from this point of view.
Pascal Cuoq  2010-01-27 15:27:57
+4  A: 

Is the application linked statically?

You may override some symbols, for example, lets redefine socket

int socket(int domain, int type, int protocol)
{
        write(1,"Error\n",6);
        return -1;
}

Then build shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with variable LD_PRELOAD=./libtest.so it overrides symbols defined in libtest.so over thous defined in the library.

Artyom  2010-01-27 10:45:06
+3  A: 

It seems that systrace does exactly what you need. From the Wikipedia page:

An application is allowed to make only those system calls specified as permitted in the policy. If the application attempts to execute a system call that is not explicitly permitted an alarm gets raised.

Torsten Marek  2010-01-27 10:57:12

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?