Subject: Re: compat_hpux, systrace
To: None <tech-kern@NetBSD.org, tech-security@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 12/29/2007 14:40:44
> I agree that the *implementation* is not good, but the
> *functionality*, that is, allowing for the interposition of controls
> on each system call a process tries to invoke, is both doable and a
> good thing.

Unfortunately, while doable, it's very hard.  Everything the controller
looks at must be passed to the kernel in a way that guarantees that
what the kernel sees is data the controller has vetted.  For simple
arguments that are passed in registers, this is easy.  For
self-contained strings like the pathname arguments to calls like open()
or readlink(), it's a little more difficult, but not all that much.

Cases like sendmsg(), where the argument points to a structure that has
pointers off to other data, are even worse, the more so if those other
pointers are conditional on something.  With driver-specific ioctls
it's approximately impossible with our current kernel setup.

To do this right, we'd have to arrange that copyin() and its relatives
can be redirected so they get serviced by the controller process, or at
least serviced from memory not writable by anyone else during the
interval between the controller OKing the call and the kernel reading
the memory.  And, of course, ideally analogous things should be true
for data passing in the kernel->user direction too.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
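As an added illustration of the check-then-copyin window described above (constructed example code, not from the post, from systrace or from the NetBSD kernel): a small C model in which a pathname argument is vetted by a controller and then read by the "kernel", once from still-writable user memory and once from a single kernel-private snapshot. The function and policy names are ours, and it covers only the simple-string case, not the pointer-chasing structures of sendmsg() or driver ioctls.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed demo: a pathname argument lives in writable "user memory",
 * a controller vets it against a policy, and the "kernel" consumes it.
 * All names here (policy_allows, copyin_str, race_hook, ...) are invented
 * for the demo and are not NetBSD or systrace APIs. */

#define KPATH_LEN 64

/* Toy policy: only pathnames under /tmp/ may be opened. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for copyin(): snapshot a NUL-terminated string into kernel memory. */
static void copyin_str(const char *src, char *kbuf, size_t len) {
    strncpy(kbuf, src, len - 1);
    kbuf[len - 1] = '\0';
}

/* Models whatever else can write user memory between the controller's OK and
 * the kernel's copyin (another thread, a signal handler, a debugger). */
typedef void (*race_hook)(char *user_mem);

/* Unsafe sequence: controller vets the string in user memory, then the kernel
 * performs its own copyin from that same, still-writable memory. */
static bool open_check_then_copyin(char *user_path, race_hook hook,
                                   char *opened, size_t len) {
    if (!policy_allows(user_path))      /* check reads user memory */
        return false;
    if (hook) hook(user_path);          /* window: user memory is rewritten */
    copyin_str(user_path, opened, len); /* kernel reads user memory again */
    return true;                        /* 'opened' may differ from what was vetted */
}

/* Safe sequence (what the mail asks for): copyin once into memory nobody else
 * can write, vet that copy, and let the kernel act only on that same copy. */
static bool open_copyin_then_check(char *user_path, race_hook hook,
                                   char *opened, size_t len) {
    char kbuf[KPATH_LEN];
    copyin_str(user_path, kbuf, sizeof kbuf); /* single snapshot */
    if (!policy_allows(kbuf))
        return false;
    if (hook) hook(user_path);                /* user memory changes; kbuf does not */
    copyin_str(kbuf, opened, len);            /* kernel consumes the vetted copy */
    return true;
}

/* Constructed mutation used by the test: rewrite the argument after the check. */
static void rewrite_after_check(char *user_mem) {
    strcpy(user_mem, "/denied/file");
}
```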