intercepting system calls

From: buddy (buddyat_private)
Date: Thu Apr 12 2001 - 04:26:55 PDT

Next message: Douglas Kilpatrick: "intercepting system calls"

Previous message: Crispin Cowan: "GACI item list - to give some items for discussion"
In reply to: Anil B. Somayaji: "intercepting system calls"
Next in thread: Douglas Kilpatrick: "intercepting system calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

"Anil B. Somayaji" wrote:

> Linus Torvalds wrote:
>
> ...
> > You interpose on well-defined abstraction levels. Anything else is a waste
> > of time, and useless. Why should you care if the user does a system call:
> > sometimes the user can do the same thing by hand, and the system call is
> > nothing but a convenience. The extreme case of this would be the whole
> > TCP/IP stack: the user _could_ just open a raw packet socket and do its
> > own TCP/IP stack totally in user mode. Or think about "gettimeofday()":
> > it could be a system call on some architectures, and avaiable in user mode
> > on others.
> >
> > And even when you have meaningful system calls like "write", why interpose
> > on that. Nobody cares if you write to /dev/null, while if you write to
> > /etc/passwd people might take a second look. You need to get in at the
> > _meaningful_ level.
>
> System calls _are_ a well-defined abstraction level - it is the
> abstraction of functions that userspace programs can invoke in the
> kernel.  It is a fundamental mechanism - system calls are how
> processes talk with the kernel.  Even memory-mapped IO and raw socket
> accesses start with system calls.  Except for maybe a few exceptions

The point made by Linus was, that you do not want to check all arguments
to all calls to "write" all the time, if you only care about people not writing
to specific files. In this sense, system calls are _not_ a well-defined
abstraction level.

Of course, if you want to disable _all_ write()s you should definitely
mess with the system call, and not with every file on the system. In this
case the filesystem is not the appropriate abstraction level.

I guess the problem is that we want a generic interface to a range
of these abstraction levels. ;-)

> I actually do believe that sometimes you do care that a program is
> writing to /dev/null - especially if that program normally writes to a
> log file!  But really, what it comes down to is that many people have
> proposed and tested effective security mechanisms that work at the
> system-call level.

You want to see that the process is not writing to your logfile anymore.


Cheers,
Buddy

Next message: Douglas Kilpatrick: "intercepting system calls"
Previous message: Crispin Cowan: "GACI item list - to give some items for discussion"
In reply to: Anil B. Somayaji: "intercepting system calls"
Next in thread: Douglas Kilpatrick: "intercepting system calls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:15:23 PDT