Deny system call using ptrace

Previous thread: Re: 32/64bit KSE issues? by Andriy Gapon on Saturday, March 31, 2007 - 12:16 am. (4 messages)

Next thread: any vm gurus in the house? :) (was: Fatal trap 12, at use qemu) by Juergen Lock on Sunday, April 1, 2007 - 12:39 pm. (1 message)
From: Stanislav Ochotnicky
Date: Saturday, March 31, 2007 - 3:36 pm

Hi,

I'm trying to create a sort of user-space access control system based on
allowing/denying syscalls. I was able (after a few problems) to start
ptracing a program, stop at every enter/exit of a system call, inspect
arguments etc. What I'm trying to do, however, is deny access to
syscalls. In Linux I was able to do this by changing register eax to
SYS_getpid or another safe system call using ptrace(PT_SETREGS, ...).
The problem is that the FreeBSD kernel seems to ignore the changed register
and execute the original system call.
If I do PT_SETREGS and right after that PT_GETREGS, I can see that the
register was changed, so that should be OK.

It is possible I'm missing something, or that there is another option. I'd
be grateful for any advice or idea.

Thanks,

S.O.

From: Thijs Eilander
Date: Sunday, April 1, 2007 - 3:48 pm

> I'm trying to create sort of user-space access control system based on
> allowing/denying syscalls. I was able (after a few problems) to start
> ptracing program, stop at every enter/exit from system call, inspect
> arguments etc. What I'm however trying to do, is denying access to syscalls.
> In linux I was

If you are interested in doing some development to make it work, I am
porting systrace to FreeBSD but due to time restrictions development is
slow. More information about systrace can be found on
http://www.citi.umich.edu/u/provos/systrace/ and www.systrace.org

I have almost finished the kernel part; it is usable but still needs some
fixes and cleaning up, but the userland code still needs a lot of syscall
translations added.


Regards,
Thijs Eilander

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
From: Stanislav Ochotnicky
Date: Monday, April 2, 2007 - 1:34 am

I'm pretty clogged with school right now myself (2 months from my
bachelor's thesis evaluation). But as soon as I'm done I plan on having a
pretty free summer, so I guess I'll find some time to help you. I
already added a reminder to my calendar to contact you :)

Bye,
S.O.

From: Alexander Leidinger
Date: Monday, April 2, 2007 - 12:57 am

Quoting Thijs Eilander <eilander@myguard.nl> (from Mon, 2 Apr 2007

kdump does something like this. Maybe you can use parts of it.

Bye,
Alexander.

-- 
Worlds may change, galaxies disintegrate, but a woman always remains a
woman.
		-- Kirk, "The Conscience of the King", stardate 2818.9

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
From: w0rm
Date: Monday, April 2, 2007 - 1:31 am

Oh well... So I'll just (try to) answer myself :)

The problem seems to be, as far as I can tell, that the syscall() routine
fills in the syscall code and arguments, then does other stuff, finally
calling the requested syscall itself. But whether the process is traced is
checked after the call, so there is no way to block it. I cannot tell what
would moving this block:
--------------cut here ------
/*
 * Traced syscall.
 */
if ((orig_tf_eflags & PSL_T) && !(orig_tf_eflags & PSL_VM)) {
	frame->tf_eflags &= ~PSL_T;
	ksiginfo_init_trap(&ksi);
	ksi.ksi_signo = SIGTRAP;
	ksi.ksi_code = TRAP_TRACE;
	ksi.ksi_addr = (void *)frame->tf_eip;
	trapsignal(td, &ksi);
}
-------------cut here -------

do to MP safety or other things. If it could in fact be safely moved to
the beginning of syscall(), it would greatly enhance the features of
ptrace().

Regards,
S.O.

From: Stanislav Ochotnicky
Date: Monday, April 2, 2007 - 10:24 am

My mistake.

I noticed later that ptrace is actually called just before the system call;
however, the system call code and arguments have already been read in the
kernel, and are not re-read after ptrace finishes. It simply does not
account for that possibility.
------ cut here ---
if (error == 0) {
	td->td_retval[0] = 0;
	td->td_retval[1] = frame->tf_edx;

	STOPEVENT(p, S_SCE, narg);

	PTRACESTOP_SC(p, td, S_PT_SCE);	/* <= change syscall number or args */

	AUDIT_SYSCALL_ENTER(code, td);
	error = (*callp->sy_call)(td, args);
	AUDIT_SYSCALL_EXIT(error, td);
}
-------cut here -----

I'm wondering if it would be possible to move the STOPEVENT and PTRACESTOP
lines to the beginning of syscall() without creating mayhem, or whether
there is another way to make stopping syscall execution possible.

Regards,
S.O.
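The substitution the first post describes as working on Linux, written out as an added example that is not code from this thread: a Linux/x86-64 tracer that stops at every syscall entry/exit with PTRACE_SYSCALL, rewrites a mkdir() into getpid() at the entry stop via PTRACE_SETREGS, and reports -EPERM at the exit stop. It assumes Linux x86-64 headers (struct user_regs_struct with orig_rax/rax) and a constructed target path; on the FreeBSD kernel quoted in the last post the same register write is ignored, because the syscall code and args were read before the PTRACESTOP_SC stop.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Linux/x86-64 tracer for the first post's trick: at the syscall-entry
 * stop rewrite mkdir() into SYS_getpid, at the matching exit stop set the
 * return register to -EPERM.  Returns the tracee's errno: EPERM if denied,
 * ENOENT (the constructed path has no parent) if it ran, -1 on failure. */
int deny_mkdir_with_ptrace(void)
{
    int status, in_syscall = 0, denied = 0;
    struct user_regs_struct regs;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {                              /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0)
            _exit(255);
        raise(SIGSTOP);                            /* wait for the tracer */
        _exit(syscall(SYS_mkdir, "/no-such-parent/demo", 0700) ? errno : 0);
    }
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD); /* SIGTRAP|0x80 */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, 0, 0) < 0 ||
            waitpid(child, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                              /* plain signal stop */
        ptrace(PTRACE_GETREGS, child, 0, &regs);
        if (!in_syscall && regs.orig_rax == SYS_mkdir) {
            regs.orig_rax = SYS_getpid;            /* Linux re-reads it */
            ptrace(PTRACE_SETREGS, child, 0, &regs);
            denied = 1;
        } else if (in_syscall && denied) {
            regs.rax = -EPERM;                     /* deliver the denial */
            ptrace(PTRACE_SETREGS, child, 0, &regs);
            denied = 0;
        }
        in_syscall = !in_syscall;
    }
}
```

Without the tracer the same mkdir fails with ENOENT, so the EPERM result is only produced by the register rewrite at the stops.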
