Firewall Wizards mailing list archives
syscall wrappers (was Re: chroot useful?)
From: Bennett Todd <bet () rahul net>
Date: Mon, 17 Nov 1997 09:31:05 -0800
On Sun, Nov 16, 1997 at 09:59:03AM -0500, Marcus J. Ranum wrote:
> On the topic of reducing privilege, one thing I've always wanted to do (but never had time for!) is what I'd call "syscall wrappers" for lack of a better term.

I believe that that's very similar to what Janus[1] does. I agree, it would be a wonderfully useful hack. Nicer still would be to integrate the facility down in the kernel proper, on the far side of the syscall interface; rather than wrapping the syscalls in libc, actually indirect them on the far side of the syscall interface so the original (unwrapped) syscalls aren't available through any calling interface in the client program.

One promising result from Janus, if I recall correctly, is that the authors found that useful sandboxing could be achieved with only a handful of syscalls being checked --- basically, the ones that create or attach handles. So you don't need to trap read/write/lseek/close, you just need to trap open/accept/connect and maybe a couple of others.

-Bennett

[1] <URL:http://www.cs.berkeley.edu/~daw/janus/>
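
The reduced check set described in the message above, modelled as a small reference monitor over a syscall trace. This is an added example, not code from the post or from Janus; the policy values, the trace, the function names and the path normalization step are all constructed assumptions.

```python
import posixpath
# Handle-creating calls: the only ones this monitor inspects.
CHECKED = {"open", "connect", "accept"}
# Constructed policy for illustration (not from the post or from Janus).
POLICY = {
    "read_paths": ("/usr/lib/", "/etc/resolv.conf"),
    "write_paths": ("/tmp/sandbox/",),
    "connect": {("192.0.2.10", 80)},
}

def _under(path, prefixes):
    # Assumption: lexical normalization only; a kernel-side monitor would
    # check the resolved object so symlinks cannot bypass the prefix test.
    p = posixpath.normpath(path)
    return any(p == x.rstrip("/") or p.startswith(x.rstrip("/") + "/")
               for x in prefixes)

def decide(call, args, policy=POLICY):
    """Return 'pass' (not inspected), 'allow' or 'deny' for one call."""
    if call not in CHECKED:
        return "pass"  # read/write/lseek/close only use an existing handle
    if call == "open":
        path, mode = args
        ok = policy["write_paths"] + (policy["read_paths"] if mode == "r" else ())
        return "allow" if _under(path, ok) else "deny"
    if call == "connect":
        return "allow" if tuple(args) in policy["connect"] else "deny"
    return "deny"  # accept: this constructed policy permits no listeners

def replay(trace, policy=POLICY):
    """Run a trace through the monitor, tracking which handles were issued."""
    fds, next_fd, out = set(), 3, []
    for call, *args in trace:
        verdict = decide(call, args, policy)
        if verdict == "allow":
            fds.add(next_fd)
            next_fd += 1
        elif verdict == "pass" and args[0] not in fds:
            verdict = "ebadf"  # no handle was issued, so the call fails anyway
        out.append((call, verdict))
    return out

TRACE = [  # constructed trace: (syscall, arguments...)
    ("open", "/etc/resolv.conf", "r"), ("read", 3),
    ("open", "/tmp/sandbox/../../etc/passwd", "r"), ("read", 4),
    ("open", "/tmp/sandbox/out", "w"), ("write", 4),
    ("connect", "192.0.2.10", 80), ("connect", "192.0.2.10", 25), ("accept",),
]
```

The `read` that follows the denied `open` is never inspected, yet it cannot reach the file because no handle for it exists; that is why checking only the handle-creating calls is sufficient in this model.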