From: Alexander Churanov
To: Robert Watson, "M. Warner Losh"
Cc: freebsd-arch@freebsd.org
Date: Thu, 8 Apr 2010 19:42:24 +0400
Subject: Re: New "scallhook" feature. Is it OK to create a proposal?
Robert, Warner, and the mailing list,

Some things need to be clarified:

1) This is NOT a Google Summer of Code project and we are not students.

2) There are NO plans to create a wrapper for system calls. The feature should be an integral part of the kernel.

3) There are plans to avoid races by design. The feature is to be implemented in several steps:

   * Deal with direct arguments only. This is not hard and easy to get right.
   * Deal with indirect arguments of some calls by copying values. When passing control to the actual syscall, substitute the original indirect arguments with copies.
   * Optimize indirect arguments handling by eliminating extra copies and processing. This is actually hard.

   It's necessary to mention that this is not an all-or-nothing project. The goal is to provide actually useful and safe features. It's expected that some calls may be left unhookable.

4) The quality is to be maintained by using automated unit tests, integration tests, stress and capacity testing, as well as utilizing working exploits for system call wrappers.

5) The feature will never provide privilege elevation (unlike systrace). It's intended to be more like securelevel and ulimit: there will be a single operation for adding a module to the list of hooks for the process. The lists, of course, are inherited. The application will be unable to examine the list.

We are going to create a page on the FreeBSD wiki with details of the proposal: motivation, comparison to other security features, feature details, test plan and implementation plan. When the page is finished and before the implementation, we'd like to gather reviews of the plan. Then the information about progress will be posted periodically to the lists.
If everything is right with the project, based on the information provided here, then we are going to proceed with the wiki. Should we go ahead?

Alexander Churanov
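The race that step 2 above (copy the indirect arguments, check the copies, pass the copies to the real call) is meant to close, shown as an added single-threaded C simulation that is not part of this message or of FreeBSD: the concurrent user thread is modelled as a direct call between check and use, and `policy_allows`, `real_open` and the path strings are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define PATHLEN 64

/* Constructed "user memory": a path buffer the hook reaches only through a pointer. */
static char user_path[PATHLEN];
/* Records which path the stand-in for the real system call actually acted on. */
static char acted_on[PATHLEN];

/* Hypothetical hook policy: deny anything under /etc/. */
static int policy_allows(const char *p) { return strncmp(p, "/etc/", 5) != 0; }

/* Stand-in for the real system call: it re-reads whatever pointer it is handed. */
static int real_open(const char *p) { snprintf(acted_on, PATHLEN, "%s", p); return 0; }

/* Simulates a second user thread rewriting the buffer between check and use. */
static void other_thread_rewrites(void) { strcpy(user_path, "/etc/denied.conf"); }

/* Hook that validates the user pointer in place: the check and the real call each
 * read user memory separately, so a change in between is never seen by the check. */
static int hook_in_place(void) {
    if (!policy_allows(user_path)) return -1;   /* check reads user memory */
    other_thread_rewrites();                    /* simulated interleaving */
    return real_open(user_path);                /* use reads it again */
}

/* Hook following step 2 of the proposal: copy the indirect argument once, check
 * the copy, and hand the copy (not the user pointer) to the real call. */
static int hook_with_copy(void) {
    char copy[PATHLEN];
    snprintf(copy, sizeof copy, "%s", user_path); /* single copyin */
    if (!policy_allows(copy)) return -1;
    other_thread_rewrites();                    /* same interleaving, no effect */
    return real_open(copy);
}

/* Returns 1 if a denied path reached the real call through the given hook. */
static int bypassed(int (*hook)(void)) {
    strcpy(user_path, "/tmp/allowed.txt");     /* constructed, allowed at check time */
    acted_on[0] = '\0';
    return hook() == 0 && !policy_allows(acted_on);
}

int main(void) {
    printf("in-place check bypassed:  %d\n", bypassed(hook_in_place));  /* prints 1 */
    printf("copy-then-check bypassed: %d\n", bypassed(hook_with_copy)); /* prints 0 */
    return 0;
}
```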