From owner-freebsd-security Tue May 11 12:57: 4 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gw.whitefang.com (calnet11-70.gtecablemodem.com [207.175.234.70]) by hub.freebsd.org (Postfix) with SMTP id 8C62A15DF2 for ; Tue, 11 May 1999 12:56:42 -0700 (PDT) (envelope-from shadows@whitefang.com)
Received: (qmail 5732 invoked from network); 11 May 1999 19:56:39 -0000
Received: from rage.whitefang.com (shadows@192.168.1.3) by gw.whitefang.com with SMTP; 11 May 1999 19:56:39 -0000
Date: Tue, 11 May 1999 12:55:40 -0700 (PDT)
From: Thamer Al-Herbish
To: freebsd-security@FreeBSD.ORG
Subject: Wrapping syscalls
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've recently had the idea of wrapping system calls with a capability check per process. The end objective is to have a patch for FreeBSD that adds a system call which can be used to drop the capability of calling a certain system call.

The simplest example would be a web server that after chroot()ing would call lsyscall(EXECVE) and drop its ability to execve(). It may also drop its write() ability and so on, leaving only a few read-only system calls, which would effectively make it read-only.

Has anyone attempted something similar? Is there an inherent efficiency problem with just adding checks to the beginning of every system call?

I'm aware of some security issues that are _not_ solved by this: specifically, dropping write() capabilities but still being able to truncate files with the open() call. Additionally, the child process will inherit its parent's disposition and never be able to reclaim a system call.

--
Thamer Al-Herbish
PGP public key: shadows@whitefang.com
http://www.whitefang.com/pgpkey.txt
[ The Secure UNIX Programming FAQ http://www.whitefang.com/sup/ ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
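As an added illustration (not code from the post or from FreeBSD), the following user-space model shows the semantics the post describes: a per-process mask that lsyscall() can only clear, inheritance of the parent's disposition across fork, and why a check keyed on the syscall number alone does not close the open()-with-O_TRUNC gap unless the flags argument is inspected as well. The names lsyscall, SYS_*, struct proc_caps and the helper functions are assumptions for this model, not a real kernel interface.

```c
/* Added example: user-space model of a per-process syscall capability mask.
 * lsyscall(), SYS_* and struct proc_caps are assumed names, not FreeBSD API. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <fcntl.h>

enum { SYS_READ = 0, SYS_WRITE, SYS_OPEN, SYS_EXECVE, SYS_MAX };

struct proc_caps { uint32_t allowed; };   /* bit n set => syscall n permitted */

static void caps_init(struct proc_caps *p) { p->allowed = (1u << SYS_MAX) - 1; }

/* Drop the ability to issue syscall `sysno`. Monotonic: bits are only cleared,
 * never set, so a process can never reclaim a dropped call. */
static int lsyscall(struct proc_caps *p, int sysno) {
    if (sysno < 0 || sysno >= SYS_MAX) return -1;
    p->allowed &= ~(1u << sysno);
    return 0;
}

/* The check that would sit at the top of every syscall entry point. */
static bool syscall_permitted(const struct proc_caps *p, int sysno) {
    return sysno >= 0 && sysno < SYS_MAX && ((p->allowed >> sysno) & 1u) != 0;
}

/* fork(): the child simply inherits the parent's disposition. */
static struct proc_caps fork_caps(const struct proc_caps *parent) { return *parent; }

/* The gap the post points out: a syscall-granular mask cannot see that
 * open(O_TRUNC) destroys data just as write() would, so open() has to look
 * at its flags when write() has been dropped. */
static bool open_would_modify(int flags) {
    return (flags & (O_WRONLY | O_RDWR | O_TRUNC | O_CREAT)) != 0;
}

static bool open_permitted(const struct proc_caps *p, int flags) {
    if (!syscall_permitted(p, SYS_OPEN)) return false;
    if (!syscall_permitted(p, SYS_WRITE) && open_would_modify(flags)) return false;
    return true;
}

int main(void) {
    struct proc_caps web;                 /* the chroot()ed web server */
    caps_init(&web);
    lsyscall(&web, SYS_EXECVE);
    lsyscall(&web, SYS_WRITE);
    struct proc_caps child = fork_caps(&web);
    printf("child execve=%d read=%d open(O_RDONLY)=%d open(O_WRONLY|O_TRUNC)=%d\n",
           syscall_permitted(&child, SYS_EXECVE), syscall_permitted(&child, SYS_READ),
           open_permitted(&child, O_RDONLY), open_permitted(&child, O_WRONLY | O_TRUNC));
    return 0;
}
```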