Limiting syscall access for a Linux application

Is the application linked statically?

If not, you may override some symbols, for example, let's redefine socket:

int socket(int domain, int type, int protocol)
{
        write(1,"Error\n",6);
        return -1;
}

Then build a shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok.

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with variable LD_PRELOAD=./libtest.so? It overrides with symbols defined in libtest.so over those defined in the C library.

It seems that systrace does exactly what you need. From the Wikipedia page:

An application is allowed to make only those system calls specified as permitted in the policy. If the application attempts to execute a system call that is not explicitly permitted an alarm gets raised.

This is one possible application of sandboxing (specifically, Rule-based Execution). One popular implementation is SELinux.

You will have to write the policy that corresponds to what you want to allow the process to do.

Limiting syscall access for a Linux application

Tags:

Linux

Hook

Security

System Calls

Linux Kernel

Related

Recent Posts