4

It there reliable method of "wrapping" system calls under Linux ? (Like LD_PRELOAD for wrapping shared library function calls.)

Is there reliable, secure method of "wrapping" system calls (and, maybe receiving signals), that process can not break (assuming proper Linux implementation) ?

2 Answers2

5

Yes. You use system call interposition. One portable method is to use ptrace, though this can introduce a non-trivial performance overhead as it forces a context switch on every system call. On Solaris, you can use /proc; /proc lets you specify the subset of system calls that you are interested in wrapping, which lets you achieve better performance at the cost of compatibility.

Take a look at Plash, Systrace, and Subterfugue, to see some worked systems that use these sorts of methods. Also look at Chrome's sandbox, which uses a variety of mechanisms (including seccomp on Linux).

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • 1
    Thanks, your tips sounds interesting. I knew some of them, I'd like to add about [PinkTrace](http://dev.exherbo.org/~alip/pinktrace/) - I've found it interesting programming library. What is missing puzzle to me in all those solutions : how to change brk calls in NOP, and reserve proper amount of memory before it is run. – Grzegorz Wierzowiecki Nov 11 '11 at 22:45
  • 1
    Thanks for info about Solaris /proc. I haven't knew about this feaure. :) – Grzegorz Wierzowiecki Nov 11 '11 at 22:46
2

I would use one of the many virtualization technologies available. If you only want to restrict what resources are available to a particular process, a jail mechanism such as cgroups should be enough. For more fine-tuning of what happens when the process executes a system call, check out User Mode Linux.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • You can still generate a C program shell.c in /temp which would make your wrapper somewhat useless `#include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/sh"); }` And when compiled it to generate a shared object with .so extension and likewise .dll file in Windows operating system. afterward you can gain root `gcc -fPIC -shared -o shell.so shell.c -nostartfiles ls -al shell.so sudo LD_PRELOAD=/tmp/shell.so find whoami > root` – Boschko Jan 22 '19 at 14:39
  • @Boschko What wrapper are you talking about??? – Gilles 'SO- stop being evil' Jan 22 '19 at 17:02