Eight months ago, I shared with a few developers the code for a kernel interface [1] that can disable syscalls in user processes.
The idea is the following: a syscall bitmap is embedded into the ELF binary itself (in a note section, like PaX), and each time the binary performs a syscall, the kernel checks whether the syscall in question is allowed by the bitmap. In detail:

- the ELF section is a bitmap of 64 bytes, which means 512 bits, the number of syscalls. 0 means allowed, 1 means restricted.
- in the proc structure, 64 bytes are present, just a copy of the ELF section.
- when a syscall is performed, the kernel calls sysrestrict_enforce with the proc structure and the syscall number, and checks the bitmap to make sure the syscall is allowed. If it isn't, the process is killed.
- a new syscall is added, sysrestrict, so that programs can restrict a syscall at runtime. This might be useful, particularly if a program calls a syscall once and wants to make sure it is not allowed any longer.
- a userland tool (that I didn't write) can add and update such an ELF section in the binary.

This interface has the following advantages over most already-existing implementations:

- it is system-independent; it could almost be copied as-is into FreeBSD.
- it is syscall-independent; we don't need to patch each syscall.
- it does not require binaries to be recompiled.
- the performance cost is low, if not non-existent.

I've never tested this code. But in case it inspires or motivates someone.

[1] http://m00nbsd.net/garbage/sysrestrict/
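The following is an added userland model of the mechanism described above, written for this page; it is not the author's kernel code from [1]. It keeps the 64-byte / 512-bit bitmap, the one-way sysrestrict call, the enforce check, and the ELF note carrying the bitmap. The note name "SysRestrict", the note type 1, and the syscall numbers in the trace are assumptions chosen for the example; the post does not specify them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SYSRESTRICT_BYTES     64
#define SYSRESTRICT_NSYSCALLS (SYSRESTRICT_BYTES * 8)  /* 512 */

/* Assumed note identity; the original post does not name the section. */
#define SYSRESTRICT_NOTE_NAME "SysRestrict"
#define SYSRESTRICT_NOTE_TYPE 1u

struct sysrestrict_map {
	uint8_t bits[SYSRESTRICT_BYTES];  /* 0 = allowed, 1 = restricted */
};

/* Model of sysrestrict(2): restricting is one-way, a bit is never cleared
 * again, so a process cannot undo a restriction after it has been applied. */
static int sysrestrict_restrict(struct sysrestrict_map *m, unsigned sysno)
{
	if (sysno >= SYSRESTRICT_NSYSCALLS)
		return -1;  /* would be EINVAL in a real kernel */
	m->bits[sysno / 8] |= (uint8_t)(1u << (sysno % 8));
	return 0;
}

/* Model of sysrestrict_enforce: returns 1 where the kernel would kill the
 * process. A number outside the bitmap is treated as restricted, not allowed. */
static int sysrestrict_enforce(const struct sysrestrict_map *m, unsigned sysno)
{
	if (sysno >= SYSRESTRICT_NSYSCALLS)
		return 1;
	return (m->bits[sysno / 8] >> (sysno % 8)) & 1;
}

/* ELF note layout: three 32-bit words (namesz, descsz, type), then the
 * NUL-terminated name and the descriptor, each padded to a 4-byte boundary. */
static size_t align4(size_t n) { return (n + 3) & ~(size_t)3; }

static size_t sysrestrict_note_encode(const struct sysrestrict_map *m,
                                      uint8_t *out, size_t outlen)
{
	uint32_t namesz = sizeof(SYSRESTRICT_NOTE_NAME);  /* includes the NUL */
	uint32_t descsz = SYSRESTRICT_BYTES;
	uint32_t type = SYSRESTRICT_NOTE_TYPE;
	size_t total = 12 + align4(namesz) + align4(descsz);

	if (outlen < total)
		return 0;
	memset(out, 0, total);
	memcpy(out, &namesz, 4);
	memcpy(out + 4, &descsz, 4);
	memcpy(out + 8, &type, 4);
	memcpy(out + 12, SYSRESTRICT_NOTE_NAME, namesz);
	memcpy(out + 12 + align4(namesz), m->bits, descsz);
	return total;
}

/* Parse the note as the ELF loader would before copying the bitmap into the
 * proc structure: every size and the name are checked, anything else is
 * rejected so a crafted note cannot make the kernel read past the section. */
static int sysrestrict_note_decode(const uint8_t *in, size_t len,
                                   struct sysrestrict_map *m)
{
	uint32_t namesz, descsz, type;

	if (len < 12)
		return -1;
	memcpy(&namesz, in, 4);
	memcpy(&descsz, in + 4, 4);
	memcpy(&type, in + 8, 4);
	if (namesz != sizeof(SYSRESTRICT_NOTE_NAME) ||
	    descsz != SYSRESTRICT_BYTES || type != SYSRESTRICT_NOTE_TYPE)
		return -1;
	if (len < 12 + align4(namesz) + align4(descsz))
		return -1;
	if (memcmp(in + 12, SYSRESTRICT_NOTE_NAME, namesz) != 0)
		return -1;
	memcpy(m->bits, in + 12 + align4(namesz), descsz);
	return 0;
}

/* Walk-through on a constructed trace: the binary's note forbids syscall 59,
 * and the process forbids syscall 1 itself after using it once. Returns how
 * many calls would have killed the process (a real kernel stops at the first;
 * the model keeps going so the whole trace is visible). */
static int sysrestrict_walkthrough(void)
{
	struct sysrestrict_map builder = {{0}}, proc;
	uint8_t note[128];
	static const unsigned trace[] = { 1, 59, 1, 2 };
	int killed = 0;
	size_t i;

	sysrestrict_restrict(&builder, 59);
	if (sysrestrict_note_encode(&builder, note, sizeof note) == 0 ||
	    sysrestrict_note_decode(note, sizeof note, &proc) != 0)
		return -1;
	for (i = 0; i < sizeof trace / sizeof trace[0]; i++) {
		if (sysrestrict_enforce(&proc, trace[i])) {
			killed++;
			continue;
		}
		if (trace[i] == 1)
			sysrestrict_restrict(&proc, 1);  /* used once, never again */
	}
	return killed;
}
```

Two points the model makes explicit that the description leaves implicit: the runtime sysrestrict call can only ever add restrictions, otherwise a compromised process could simply re-enable what the binary's note turned off; and an out-of-range syscall number is denied rather than allowed, so a number the 512-bit table does not cover cannot slip past the check.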
