On Tue, Sep 3, 2013 at 6:53 AM, vi0oss <vi0...@gmail.com> wrote:
> On 09/02/2013 11:22 PM, niXman wrote:
>> Hi,
>>
>> The first time I use libseccomp.
>> My question is how can I specify a function that libseccomp will be
>> used to test the first argument (file name) to open() syscall?
>>
>> Thanks.
>>
> seccomp can't access memory references (i.e. any strings or structures).
> It can only do simple checks.
>

That said, there is a hackish (and platform-dependent, because it deals with registers) way to check the open parameter, but it should not be used as a security measure because it is easy to circumvent (the proper way would be to delegate the opening to a trusted process):

- Create a rule to trap any open() which has the address of the "pathname" parameter different from the address of a global char array you have previously declared (aka the "allowed buffer").
- Set up a signal handler for SIGSYS.
- On the signal handler, grab the contents of the registers.
- Check if the path is what you want.
- If yes, memcpy() to the "allowed buffer" and re-execute the syscall, now with the allowed buffer. Set the return code back to the register.
- If not, set the return code with the appropriate error code on the register.

This can be used as a transparent replacement for LD_PRELOAD.

Take the precautions for threaded code, because you might have a race accessing the shared "allowed buffer". :)

_______________________________________________
libseccomp-discuss mailing list
libseccomp-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss