Preventing processes from executing certain system calls

I'm writing a program that spawns child processes. For security reasons, I want to limit what these processes can do. I know of security measures from outside the program such as chroot or ulimit, but I want to do something more than that. I want to limit the system calls done by the child process (for example preventing calls to open(), fork() and such things). Is there any way to do that? Optimally, the blocked system calls should return with an error but if that's not possible, then killing the process is also good.

I guess it can be done with ptrace() but from the man page I don't really understand how to use it for this purpose.

asked Nov 12 '12 by petersohn

2 Answers

It sounds like SECCOMP_FILTER, added in kernel version 3.5, is what you're after. The libseccomp library provides an easy-to-use API for this functionality.

By the way, chroot() and setrlimit() are both system calls that can be called within your program - you'd probably want to use one or both of these in addition to seccomp filtering.

answered Sep 19 '22 by caf
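The answer above points at seccomp filtering but shows no code. What follows is an added example of mine, not code from caf, petersohn or the libseccomp project: it builds the filter by hand through the raw BPF interface so it runs without libseccomp installed, denies the open and fork families with EPERM (the behaviour the question prefers over killing), and lets everything else through. `install_filter`, `denied_syscalls`, `run_under_filter` and the probe helpers are my names. Two details worth knowing before copying it: the filter must compare the `arch` field before trusting a syscall number, because the numbering differs between ABIs on the same machine; and glibc's open() is really the openat syscall while fork() is really clone, so a list written from the C wrapper names would block nothing.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS       /* pre-4.14 headers only have SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Check the arch field first: syscall numbers differ between ABIs, and a 32-bit
 * or x32 call with another numbering would otherwise slip past the list. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Raw syscall numbers to deny (assumed list for this example). glibc's open()
 * is openat() and fork() is clone() underneath, so the wrapper name is not enough. */
static const int denied_syscalls[] = {
#ifdef __NR_open
    __NR_open,
#endif
    __NR_openat,
#ifdef __NR_openat2
    __NR_openat2,
#endif
#ifdef __NR_fork
    __NR_fork, __NR_vfork,
#endif
    __NR_clone,
#ifdef __NR_clone3
    __NR_clone3,
#endif
};

#define EMIT(insn) prog[n++] = (struct sock_filter)insn

/* Build and install the filter: denied syscalls fail with EPERM, all else runs. */
static int install_filter(void)
{
    size_t ndenied = sizeof denied_syscalls / sizeof denied_syscalls[0], n = 0;
    struct sock_filter prog[64];
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));     /* foreign ABI: kill */
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t i = 0; i < ndenied; i++) {
        /* nr == denied[i]: fall through to the ERRNO return; otherwise skip it */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)denied_syscalls[i], 0, 1));
        EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)));
    }
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    /* An unprivileged process may only install a filter after no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Run probe() in a child with the filter installed; return the errno it saw
 * (0 = allowed), or -1 if the child died or could not install the filter. */
static int run_under_filter(int (*probe)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(255);
        _exit(probe() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

static int probe_open(void)              /* expected: EPERM */
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
static int probe_fork(void)              /* expected: EPERM (fork is clone underneath) */
{
    pid_t p = fork();
    if (p < 0) return errno;
    if (p == 0) _exit(0);
    waitpid(p, NULL, 0);
    return 0;
}
static int probe_getpid(void) { return getpid() > 0 ? 0 : errno; }   /* expected: 0 */

int main(void)
{
    printf("open=%d fork=%d getpid=%d (EPERM=%d, 0=allowed)\n", run_under_filter(probe_open),
           run_under_filter(probe_fork), run_under_filter(probe_getpid), EPERM);
    return 0;
}
```

With libseccomp the same policy is `seccomp_init(SCMP_ACT_ALLOW)`, one `seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(openat), 0)` per denied call, then `seccomp_load(ctx)`, and the library fills in the arch check and number translation for you. Things to keep in mind either way: the filter is inherited across fork and execve, so install it in the child right before exec; it can only see raw argument values, not memory they point to, so "deny open() of this path" cannot be expressed with seccomp alone; and returning EPERM lets an attacker probe which calls are denied, which is why hardened sandboxes often prefer SECCOMP_RET_KILL_PROCESS with audit logging once the allowed set is known.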


If you want to do it the ptrace way, you have some options (and some are really simple). First of all, I recommend that you follow the tutorial explained here. With it you can learn how to find out what system calls are being called, and also the basic ptrace knowledge (don't worry, it's a very short tutorial). The options (that I know of) are the following:

  • The easiest one would be to kill the child, that is this exact code here.
  • Secondly, you could make the child fail, just by changing the registers with PTRACE_SETREGS, putting wrong values in them; you can also change the return value of the system call if you want (again, with PTRACE_SETREGS).
  • Finally, you could skip the system call. But for that you should know the address after the system call, make the instruction register point there and set it (again, with PTRACE_SETREGS).
answered Sep 22 '22 by kosklain
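The second option in the answer above ("make the child fail" by rewriting registers), as an added example of mine rather than code from kosklain or the linked tutorial. The tracer stops the child at every syscall; at the entry stop of a denied open/openat/creat it writes -1 into orig_rax so the kernel executes nothing, and at the matching exit stop it writes -EPERM into rax, so the child's libc wrapper returns -1 with errno == EPERM instead of seeing a garbage value. `run_traced`, `is_denied` and the probe helpers are my names, and the register handling is x86-64 specific.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

static int probe_open(void)              /* expected under the tracer: EPERM */
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}
static int probe_getpid(void) { return getpid() > 0 ? 0 : errno; }   /* expected: 0 */

#if defined(__x86_64__)
static const int TRACER_SUPPORTED = 1;

/* Syscalls the tracer refuses (assumed list); glibc's open() is openat() underneath. */
static int is_denied(unsigned long long nr)
{
#ifdef __NR_openat2
    if (nr == __NR_openat2) return 1;
#endif
    return nr == __NR_open || nr == __NR_openat || nr == __NR_creat;
}

/* Trace the child syscall by syscall. Entry stop of a denied call: orig_rax
 * (the syscall number) becomes -1, so the kernel runs nothing. Matching exit
 * stop: rax (the return value) becomes -EPERM. Returns the errno the probe
 * reported, 0 if its call went through, or -1 if tracing itself failed. */
static int run_traced(int (*probe)(void))
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0) _exit(255);
        raise(SIGSTOP);                          /* hand control to the tracer */
        _exit(probe() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD tags syscall stops with SIGTRAP|0x80 so they cannot be
     * confused with a real SIGTRAP; EXITKILL kills the child if the tracer dies. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL,
           (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL));
    int in_syscall = 0, deny = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) != 0) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
        if (!WIFSTOPPED(status)) return -1;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) != 0) return -1;
        if (!in_syscall) {                       /* syscall-entry stop */
            in_syscall = 1;
            deny = is_denied(regs.orig_rax);
            if (deny) {
                regs.orig_rax = (unsigned long long)-1;   /* invalid number: kernel skips it */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) != 0) return -1;
            }
        } else {                                 /* syscall-exit stop */
            in_syscall = 0;
            if (deny) {
                regs.rax = (unsigned long long)-EPERM;    /* what the child will see */
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) != 0) return -1;
            }
        }
    }
}
#else
/* The register names above are x86-64 specific; other architectures need
 * PTRACE_GETREGSET/SETREGSET with their own layout (arm64: NT_ARM_SYSTEM_CALL). */
static const int TRACER_SUPPORTED = 0;
static int run_traced(int (*probe)(void)) { (void)probe; return -1; }
#endif

int main(void)
{
    printf("open=%d getpid=%d (EPERM=%d, 0=allowed, -1=tracing unavailable)\n",
           run_traced(probe_open), run_traced(probe_getpid), EPERM);
    return 0;
}
```

The entry/exit bookkeeping relies on every syscall producing one entry stop followed by one exit stop; since Linux 5.3, PTRACE_GET_SYSCALL_INFO reports which kind of stop you are in and removes that guess. Compared with seccomp this costs two tracer round trips per syscall, works only while the tracer is alive (hence PTRACE_O_EXITKILL), and takes the single tracer slot, so the child cannot be debugged at the same time. It also has the classic ptrace-sandbox pitfall: if the tracer starts reading pointed-to arguments such as paths to decide, another thread of the tracee can rewrite that memory between the check and the kernel's use of it, so decisions should be based on the syscall number and register values only, as above.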