LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Could allow inclusion of systrace?

Could allow inclusion of systrace?

Posted Mar 22, 2008 4:28 UTC (Sat) by AnswerGuy (guest, #1256)
Parent article: The return of authoritative hooks

Perhaps this consolidation will also pave the way for the inclusion of Niels Provos' systrace patches.

Systrace implements a brilliant, elegant, approach to security, by allowing any user to interpose a set of "firewall" rules between the code that they run and the kernel (via the system call APIs).

This approach is vastly simpler than SELinux, which loads up the system with a large number of additional labels (domains, types, roles), and which add additional options to many commands (the -Z flags to ls, ps, etc.) and is generally impossible for mere mortal to comprehend

Systrace allows a normal user to create a policy and limit the access by programs, without giving the user any additional systems level permissions beyond what he or she already had. (It essentially uses the ptrace mechanism). So a user can, for example, run Mozilla while restricting it read/write open() calls to just the ~/.mozilla and ~/Downloads directories. In that example a compromised Mozilla can only write to those two directories and can't plant a trojan in your ~/bin directory, for example.

Another advantage of systrace is that it's already included in NetBSD and OpenBSD, and available for OpenSolaris, and FreeBSD. That makes it the only viable security enhancement to UNIX-like systems which is cross-platform.

(Log in to post comments)

Could allow inclusion of systrace?

Posted Mar 25, 2008 10:56 UTC (Tue) by Klavs (subscriber, #10563) [Link] 

I would hope so too. I've always liked the concept of systrace - and it's simplicity is IMHO
good for security.

Could allow inclusion of systrace?

Posted Mar 26, 2008 14:53 UTC (Wed) by oak (subscriber, #2786) [Link] 

Hm.  Systrace site says this on security:
"Just keep in mind that ptrace has not been designed as a security 
primitive and while the ptrace backend can restrict the behavior of 
programs in non-adversarial settings, there are many ways to circumvent 
it."

Maybe ltrace (new kernel implementation for ptrace that is supposed to 
solve many of its problems) could help also on this?

Could allow inclusion of systrace?

Posted Mar 26, 2008 15:38 UTC (Wed) by nix (subscriber, #2304) [Link] 

You mean Roland McGrath's utrace?

While incredibly nifty and a long-overdue revamp of the awful ptrace() 
interface, utrace hasn't been designed as a security enforcement mechanism 
either :)

(however, things like UML are in effect using it as such in any case, so 
security-hole-inducing bugs in ptrace() *are* likely to get fixed.)

Could allow inclusion of systrace?

Posted Mar 26, 2008 18:52 UTC (Wed) by oak (subscriber, #2786) [Link] 

> You mean Roland McGrath's utrace?

Sorry, yes.  I noticed that first/early patch(es) of it have gone to 
2.6.25. 


> (however, things like UML are in effect using it as such in any case, so 
security-hole-inducing bugs in ptrace() *are* likely to get fixed.)

Sounds promising. :-)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds