Limiting syscall access for a Linux application

Assume a Linux binary foobar which has two different modes of operation:

  • Mode A: A well-behaved mode in which syscalls a, b and c are used.
  • Mode B: A things-gone-wrong mode in which syscalls a, b, c and d are used.

Syscalls a, b and c are harmless, whereas syscall d is potentially dangerous and could cause instability to the machine.

Assume further that which of the two modes the application runs is random: the application runs in mode A with probability 95 % and in mode B with probability 5 %. The application comes without source code so it cannot be modified, only run as-is.

I want to make sure that the application cannot execute syscall d. When executing syscall d the result should be either a NOOP or an immediate termination of the application.

How do I achieve that in a Linux environment?

knorv asked Jan 27 '10 10:01


1 Answer

Is the application linked statically?

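If not, you may override some symbols. For example, let's redefine socket:

#include <sys/socket.h>  /* prototype of the socket() being replaced */
#include <unistd.h>      /* write() */

/* Replaces libc's socket(): print a message and fail every call. */
int socket(int domain, int type, int protocol)
{
        write(1, "Error\n", 6);
        return -1;
}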

Then build a shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok.

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with the variable LD_PRELOAD=./libtest.so? The symbols defined in libtest.so override those defined in the C library.

Artyom answered Oct 11 '22 16:10
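Added example, not part of the question or the answer above: an LD_PRELOAD override only intercepts calls that go through the dynamically linked libc symbol, so this launcher (C, Linux seccomp-BPF; the name deny_syscall and its helper functions are hypothetical) enforces the restriction in the kernel instead. It makes one syscall number fail with EPERM (the "NOOP" outcome; pass SECCOMP_RET_KILL_PROCESS as the action for termination) and then execs the unmodified binary, which inherits the filter.

```c
/* Added example. Usage: ./deny_syscall <nr> <program> [args...]  (tool name is hypothetical) */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define MY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define MY_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define STMT(c, k) ((struct sock_filter)BPF_STMT((c), (k)))
#define JUMP(c, k, jt, jf) ((struct sock_filter)BPF_JUMP((c), (k), (jt), (jf)))
/* Writes 9 instructions: kill on a foreign ABI or x32 number, `action` for `nr`, else allow. */
size_t build_filter(struct sock_filter *f, unsigned int nr, unsigned int action)
{
    f[0] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[1] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, MY_ARCH, 1, 0);     /* match: skip the kill */
    f[2] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[3] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    f[4] = JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 0, 1); /* x32 alias of nr */
    f[5] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[6] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, nr, 0, 1);          /* no match: skip to allow */
    f[7] = STMT(BPF_RET | BPF_K, action);
    f[8] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return 9;
}

int deny_syscall(unsigned int nr, unsigned int action)
{
    struct sock_filter f[9];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(f, nr, action), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed without CAP_SYS_ADMIN */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);   /* inherited across fork and exec */
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <nr> <program> [args...]\n", argv[0]); return 2; }
    if (deny_syscall((unsigned int)strtoul(argv[1], NULL, 0), SECCOMP_RET_ERRNO | EPERM) != 0) { perror("seccomp"); return 1; }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 1;
}
```

Syscall numbers are architecture-specific, and a single-entry denylist does not cover sibling syscalls with the same effect; when the application's normal syscall set is known, an allowlist filter is the stronger form.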