authorDamien Miller <djm@cvs.openbsd.org>2011-06-22 01:32:17 +0000
committerDamien Miller <djm@cvs.openbsd.org>2011-06-22 01:32:17 +0000
commit4f0546e1bdcfaf41875f487df2603a194f410fe6 (patch)
tree10b7802b9e8cb5c52e024b38f6f5597b37bed427
parent5d5e214bb3fc042864e46fc7ded36e4e82ac98c0 (diff)
Add a SYSTR_POLICY_KILL per-syscall policy option that sends SIGKILL to
the traced process when the syscall is attempted. This is more useful and safer for unsupervised sandboxing than returning EPERM (which is the behaviour of SYSTR_POLICY_NEVER), as this could cause dangerous misbehaviour in applications that don't expect it. "I like it" deraadt@ markus@
-rw-r--r--sys/dev/systrace.c14
-rw-r--r--sys/dev/systrace.h3
2 files changed, 12 insertions, 5 deletions
diff --git a/sys/dev/systrace.c b/sys/dev/systrace.c
index 8c58eaff34f..a7c04e35bd1 100644
--- a/sys/dev/systrace.c
+++ b/sys/dev/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.54 2011/04/02 17:04:35 guenther Exp $ */
+/* $OpenBSD: systrace.c,v 1.55 2011/06/22 01:32:16 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -261,7 +261,8 @@ systracef_write(fp, poff, uio, cred)
#define POLICY_VALID(x) ((x) == SYSTR_POLICY_PERMIT || \
(x) == SYSTR_POLICY_ASK || \
- (x) == SYSTR_POLICY_NEVER)
+ (x) == SYSTR_POLICY_NEVER || \
+ (x) == SYSTR_POLICY_KILL)
/* ARGSUSED */
int
@@ -748,7 +749,8 @@ systrace_redirect(int code, struct proc *p, void *v, register_t *retval)
/* Fast-path */
if (policy != SYSTR_POLICY_ASK) {
- if (policy != SYSTR_POLICY_PERMIT) {
+ if (policy != SYSTR_POLICY_PERMIT &&
+ policy != SYSTR_POLICY_KILL) {
if (policy > 0)
error = policy;
else
@@ -756,7 +758,11 @@ systrace_redirect(int code, struct proc *p, void *v, register_t *retval)
}
systrace_replacefree(strp);
rw_exit_write(&fst->lock);
- if (policy == SYSTR_POLICY_PERMIT)
+ if (policy == SYSTR_POLICY_KILL) {
+ error = EPERM;
+ printf("systrace: killed on syscall %d\n", code);
+ psignal(p, SIGKILL);
+ } else if (policy == SYSTR_POLICY_PERMIT)
error = (*callp->sy_call)(p, v, retval);
return (error);
}
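Review bot: The kill message in the new `printf()` records only the syscall number, so an operator reading the console cannot tell which sandboxed process was terminated; `printf("systrace: pid %d (%s) killed on syscall %d\n", p->p_pid, p->p_comm, code);` would make the event attributable (assuming `p_comm` is still the per-proc name field in this tree). The message is also emitted unconditionally on a path that any user able to run systrace can trigger, so a fork loop under a KILL policy can flood the console; `log(LOG_WARNING, ...)` or a `ppsratecheck()` guard would bound that. Returning EPERM after `psignal()` is harmless only as long as the pending SIGKILL is acted on before the process resumes in userland, which is presumably the case on the syscall return path but deserves a one-line comment, e.g. `/* SIGKILL is taken on return to userland; the EPERM is never observed. */`. systrace_redirect continues outside the hunk.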
diff --git a/sys/dev/systrace.h b/sys/dev/systrace.h
index d727bedead7..9af22c05cf8 100644
--- a/sys/dev/systrace.h
+++ b/sys/dev/systrace.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.h,v 1.21 2008/11/09 05:13:53 deraadt Exp $ */
+/* $OpenBSD: systrace.h,v 1.22 2011/06/22 01:32:16 djm Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -184,6 +184,7 @@ struct systrace_inject {
#define SYSTR_POLICY_ASK 0
#define SYSTR_POLICY_PERMIT 1
#define SYSTR_POLICY_NEVER 2
+#define SYSTR_POLICY_KILL 3
#define SYSTR_FLAGS_RESULT 0x001
#define SYSTR_FLAGS_SETEUID 0x002
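Review bot: `SYSTR_POLICY_KILL` is assigned the value 3, which is also `ESRCH`, and the fast path in systrace_redirect treats any positive per-syscall policy other than PERMIT/KILL as an errno to return (`if (policy > 0) error = policy;`), so if errno-valued policies can be installed anywhere (not visible in this diff) a stored policy of 3 now means "kill" where it previously meant "fail with ESRCH". If that path exists, the collision deserves at least a comment beside the define, e.g. `/* positive policy values not listed here are returned as an errno; keep these distinct from any errno a monitor may install */`, or a value outside the errno range. Either way, a short comment documenting that KILL sends SIGKILL rather than failing the call would help readers of the header, since the semantics are only visible in systrace.c.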