Firewall Wizards mailing list archives

syscall wrappers (was Re: chroot useful?)


From: Bennett Todd <bet () rahul net>
Date: Mon, 17 Nov 1997 09:31:05 -0800

On Sun, Nov 16, 1997 at 09:59:03AM -0500, Marcus J. Ranum wrote:
> On the topic of reducing privilege, one thing I've always wanted
> to do (but never had time for!) is what I'd call "syscall wrappers"
> for lack of a better term.

I believe that that's very similar to what Janus[1] does. I agree, it
would be a wonderfully useful hack. Nicer still would be to integrate
the facility down in the kernel proper, on the far side of the syscall
interface; rather than wrapping the syscalls in libc, actually indirect
them on the far side of the syscall interface so the original
(unwrapped) syscalls aren't available through any calling interface in
the client program.

One promising result from Janus, if I recall correctly, is that the
authors found that useful sandboxing could be achieved with only a
handful of syscalls being checked --- basically, the ones that create or
attach handles. So you don't need to trap read/write/lseek/close, you
just need to trap open/accept/connect and maybe a couple of others.

-Bennett

[1] <URL:http://www.cs.berkeley.edu/~daw/janus/>
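A Linux seccomp-bpf filter in the spirit of the Janus observation above, as an added example (it is not from the list post, nor from Janus): it refuses only the handle-creating syscalls and lets read/write/lseek/close through on descriptors the sandboxed program already holds, enforced on the kernel side of the syscall interface as the message proposes. The architecture macros and the exact denied list are assumptions for this illustration, and seccomp itself postdates the thread by more than a decade.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#define LEGACY_OPENS SYS_open, SYS_creat,   /* pre-openat numbers still exist on x86-64 */
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#define LEGACY_OPENS                        /* arm64 only has the *at forms */
#else
#error "set the audit arch and legacy open numbers for this architecture"
#endif

/* Handle-creating syscalls the sandbox refuses (assumed list); everything else passes through. */
static const int denied[] = { LEGACY_OPENS SYS_openat, SYS_socket, SYS_connect, SYS_accept, SYS_accept4 };
#define NDENIED ((int)(sizeof denied / sizeof denied[0]))
int build_filter(struct sock_filter *f, int max) {
    int n = 0;   /* emits: arch check, load nr, one jeq per denied nr (jt lands on the final kill), then allow */
    if (max < NDENIED + 6) return -1;
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (int i = 0; i < NDENIED; i++)
        f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], NDENIED - i, 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return n;   /* NDENIED + 6 instructions */
}

unsigned int eval_filter(const struct sock_filter *f, int n, unsigned int arch, unsigned int nr) {
    unsigned int acc = 0;   /* tiny cBPF interpreter for the three opcodes above: test the policy without installing it */
    for (int pc = 0; pc < n; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) acc = f[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) pc += acc == f[pc].k ? f[pc].jt : f[pc].jf;
        else if (f[pc].code == (BPF_RET | BPF_K)) return f[pc].k;
        else break;                                   /* unknown opcode: fail closed */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

int install_filter(void) {
    struct sock_filter f[32];   /* after this, held fds keep working; any open()/connect() raises SIGSYS */
    int n = build_filter(f, 32);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = f };
    return (n < 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) ? -1 : prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Because the filter keys on syscall numbers, the program must acquire every descriptor it needs before calling install_filter() or receive them later from a broker process over a socket it already holds; syscall numbers are per-architecture, so the denied list has to be revisited for each one.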
