I'm writing a program that spawns child processes. For security reasons, I want to limit what these processes can do. I know of security measures from outside the program such as chroot
or ulimit
, but I want to do something more than that. I want to limit the system calls done by the child process (for example preventing calls to open()
, fork()
and such things). Is there any way to do that? Optimally, the blocked system calls should return with an error but if that's not possible, then killing the process is also good.
I guess it can be done wuth ptrace()
but from the man page I don't really understand how to use it for this purpose.
Process control is the system call that is used to direct the processes. Some process control examples include creating, load, abort, end, execute, process, terminate the process, etc.
System calls are usually made when a process in user mode requires access to a resource. Then it requests the kernel to provide the resource via a system call. As can be seen from this diagram, the processes execute normally in the user mode until a system call interrupts this.
This system calls perform the task of process creation, process termination, etc. The Linux System calls under this are fork() , exit() , exec(). A new process is created by the fork() system call.
It sounds like SECCOMP_FILTER, added in kernel version 3.5, is what you're after. The libseccomp
library provides an easy-to-use API for this functionality.
By the way, chroot()
and setrlimit()
are both system calls that can be called within your program - you'd probably want to use one or both of these in addition to seccomp filtering.
If you want to do it the ptrace
way, you have some options (and some are really simple). First of all, I recommend you to follow the tutorial explained here. With it you can learn how to know what system calls are being called, and also the basic ptrace
knowledge (don't worry, it's a very short tutorial). The options (that I know) you have are the following:
PTRACE_SETREGS
, putting wrong values in them, and you can also change the return value of the system call if you want (again, with PTRACE_SETREGS
).PTRACE_SETREGS
).If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With