Theo de Raadt wrote in <93466.1685743...@cvs.openbsd.org>: |We will wait for the demo. ... |Leah Rowe <i...@minifree.org> wrote: ... |> Yeah I was kinda thinking, just have it be a tool to *assist* but not |> to automatically pledge the program itself. It wouldn't replace |> human-performed auditing or analysis. |> |> You'd run it just to get a basic gist of where you're going, for |> different code paths (which are affected by how you use the program).
After having such problems with the linux way of doing things i thought i write a strace(1) rule to have it easier "later on". (Ie, "peek the program" a bit.) I then asked for a generic "when" addition to the strace(1) tool[1], because of the excessive things the program does in the setup phase, before it enters the sandbox. (Without response ;) [1] https://lists.strace.io/pipermail/strace-devel/2023-April/011305.html But strace is a bit of a help (should be a shell script, and skip over most of that maybe): # test-strace {{{ test-strace: all if [ "$(VAL_OS_SANDBOX)" -ne 0 ]; then echo >&2 this will not do; exit 1; fi;\ trap "rm -rf .z .b.rc .r.rc .c.xout .c.out .s.strace .c.strace" EXIT; trap "exit 1" INT HUP QUIT TERM;\ mkdir .z || exit 2;\ { \ echo action=DEFER_IF_PERMIT 4.2.0;echo;\ echo action=DUNNO;echo;\ echo action=REJECT;echo;\ echo action=DUNNO;echo;\ echo action=DUNNO;echo;\ echo action=REJECT;echo;\ } > .c.xout || exit 3;\ echo test.localdomain > .b.rc || exit 4;\ echo test2.localdomain > .z/a.rc || exit 5;\ pwd=$$(pwd);\ { \ echo msg-defer DEFER_IF_PERMIT 4.2.0;\ echo store-path $$pwd/.z; echo block-file $$pwd/.b.rc; echo allow-file $$pwd/.z/a.rc;\ echo verbose; echo verbose; echo count 1; echo delay-min 0;\ } > .r.rc || exit 6;\ \ strace -f -c -U name -o .s.strace ./"$(VAL_NAME)" -R $$pwd/.r.rc --startup & [ $$? -eq 0 ] || exit 10;\ ^ 1. Server (keeps on going). sleep 2;\ { \ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=xy; echo;\ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=test2.localdomain; echo;\ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=test.localdomain; echo;\ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=xy; echo;\ } | strace -c -U name -o .c.strace ./"$(VAL_NAME)" -R $$pwd/.r.rc >> .c.out || exit 11;\ ^ 2. Client. sleep 2;\ \ ./"$(VAL_NAME)" -R $$pwd/.r.rc --status || exit 12;\ ./"$(VAL_NAME)" -R $$pwd/.r.rc --shutdown || exit 13;\ ./"$(VAL_NAME)" -R $$pwd/.r.rc --status && exit 14;\ \ echo once >> .r.rc || exit 20;\ strace -A -f -c -U name -o .s.strace ./"$(VAL_NAME)" -R $$pwd/.r.rc --startup & [ $$? -eq 0 ] || exit 21;\ ^ More and different client code paths. { \ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=xy; echo;\ echo this should not create result;echo;\ } | strace -A -c -U name -o .c.strace ./"$(VAL_NAME)" -R $$pwd/.r.rc >> .c.out || exit 22;\ ^ More client code paths. sleep 2;\ ./"$(VAL_NAME)" -R $$pwd/.r.rc --status || exit 23;\ \ echo 'block xy' >> .r.rc || exit 24;\ kill -HUP $$(cat $$pwd/.z/"$(VAL_NAME)".pid) || exit 25;\ sleep 2;\ kill -USR1 $$(cat $$pwd/.z/"$(VAL_NAME)".pid) || exit 26;\ sleep 2;\ kill -USR2 $$(cat $$pwd/.z/"$(VAL_NAME)".pid) || exit 27;\ sleep 2;\ { \ echo recipient=x1@y; echo sender=y@z; echo client_address=127.1.2.2; echo client_name=xy; echo;\ } | strace -A -c -U name -o .c.strace ./"$(VAL_NAME)" -R $$pwd/.r.rc >> .c.out || exit 28;\ ^ Even more client paths. \ ./"$(VAL_NAME)" -R $$pwd/.r.rc --status || exit 29;\ ./"$(VAL_NAME)" -R $$pwd/.r.rc --shutdown || exit 30;\ \ diff -u .c.xout .c.out; echo diff said $$?;\ \ And now the fun part: generate system call listing from what we have, distinct for client and server: < .c.strace awk '\ BEGIN{c=hot=0}\ /^-+$$/{hot=!hot;next}\ {if(!hot) next; for(i=1; i <= c; ++i) if(a[i] == $$1) next; a[++c] = $$1}\ END{for(i=1;i<=c;++i) print "a_Y(SYS_" a[i] "),"}\ ' > .c.txt;\ echo 'VAL_OS_SANDBOX_CLIENT_RULES="'$$(cat .c.txt)'"';\ \ < .s.strace awk '\ BEGIN{c=hot=0}\ /^-+$$/{hot=!hot;next}\ {if(!hot) next; for(i=1; i <= c; ++i) if(a[i] == $$1) next; a[++c] = $$1}\ END{for(i=1;i<=c;++i) print "a_Y(SYS_" a[i] "),"}\ ' > .s.txt;\ echo 'VAL_OS_SANDBOX_SERVER_RULES="'$$(cat .s.txt)'"'; # }}} This worked in practice (with strace 6.3), but since it covers the startup phase it is a bit useless. With a "when" clause it would be cool(er). (Having said that i think the Linux seccomp approach is a lonely programmer's mess. Ah yes -- and as i tested it only on x86-64 hardware i can enable the seccomp only there, as other platforms have other system calls...) A nice western world weekend everybody. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) |~~ |..and in spring, hear David Leonard sing.. | |The black bear, The black bear, |blithely holds his own holds himself at leisure |beating it, up and down tossing over his ups and downs with pleasure |~~ |Farewell, dear collar bear
