
#1 2010-07-07 20:12:05

tuxjay
Member
Registered: 2010-01-10
Posts: 4

LD_PRELOAD based sandbox

Hi,

I've written a system that makes writing LD_PRELOAD wrappers easy. With this I can catch access to any C library functions and modify them. It is like Gentoo sandbox but plugin-based and a lot more flexible.

With this I can catch all file system write requests and build the package list from a regular make install, with no make hacks or post-install trickery required, and no root access required for FUSE.

Could use this to simplify pacbuilder. The code is at:

http://github.com/tuxjay/pito

It is plugin-based. Two plugins are provided at the moment: a system call logger, and a filesystem sandbox that is currently in stub form.

Cheers, James

Last edited by tuxjay (2010-07-07 20:13:28)

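For readers who have not written one, here is what the "LD_PRELOAD wrapper" in the post boils down to. This is an added example and not pito's code: a single-file interposer that logs every libc call which can create, modify, delete or rename a file, so the log doubles as the list of what `make install` touched. The `pito_*` names, the log size and the build line in the comment are this example's own assumptions. Each wrapper resolves the real libc function with `dlsym(RTLD_NEXT, ...)` so the call still goes through; `fopen` is wrapped separately because glibc's `fopen` reaches the kernel through an internal alias of `open`, not through the interposable `open` symbol.

```c
#define _GNU_SOURCE          /* RTLD_NEXT */
#undef _FORTIFY_SOURCE       /* keep glibc from turning open() into an inline wrapper */
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added example, not pito's own code: a minimal LD_PRELOAD interposer that
 * records every libc call that can create or modify a file. Build it as a
 * shared object and preload it under the install step (assumed names):
 *   gcc -shared -fPIC -o pito_log.so pito_log.c -ldl
 *   LD_PRELOAD=$PWD/pito_log.so make install
 * The write log then doubles as the installed-file list. */

#define PITO_LOG_MAX 256
static char pito_log[PITO_LOG_MAX][512];
static int pito_log_len;

static void pito_record(const char *call, const char *path) {
    fprintf(stderr, "pito: %s %s\n", call, path);
    if (pito_log_len < PITO_LOG_MAX)
        snprintf(pito_log[pito_log_len++], sizeof pito_log[0], "%s %s", call, path);
}

/* Read-only view of the log, so callers (and tests) can inspect it. */
int pito_write_count(void) { return pito_log_len; }
const char *pito_write_entry(int i) {
    return (i >= 0 && i < pito_log_len) ? pito_log[i] : NULL;
}

/* open(2): anything other than a plain read-only open may modify the tree. */
int pito_is_write_flags(int flags) {
    int acc = flags & O_ACCMODE;
    return acc == O_WRONLY || acc == O_RDWR ||
           (flags & (O_CREAT | O_TRUNC | O_APPEND)) != 0;
}

/* fopen(3): "w", "a" and any "+" mode open for writing; "r"/"rb" do not. */
int pito_is_write_mode(const char *mode) {
    return mode != NULL &&
           (strchr(mode, 'w') != NULL || strchr(mode, 'a') != NULL || strchr(mode, '+') != NULL);
}

/* Look past this object for the real libc definition of a symbol. */
static void *pito_next(const char *sym) {
    void *p = dlsym(RTLD_NEXT, sym);
    if (p == NULL) fprintf(stderr, "pito: cannot resolve %s: %s\n", sym, dlerror());
    return p;
}

int open(const char *path, int flags, ...) {
    static int (*real_open)(const char *, int, ...);
    mode_t mode = 0;
    if (flags & O_CREAT) {          /* the mode argument exists only with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
    }
    if (real_open == NULL)
        real_open = (int (*)(const char *, int, ...))pito_next("open");
    if (pito_is_write_flags(flags)) pito_record("open", path);
    return real_open(path, flags, mode);
}

/* fopen has to be wrapped separately: glibc's fopen reaches the kernel through
 * an internal alias of open, so the open() wrapper above never sees it. */
FILE *fopen(const char *path, const char *mode) {
    static FILE *(*real_fopen)(const char *, const char *);
    if (real_fopen == NULL)
        real_fopen = (FILE *(*)(const char *, const char *))pito_next("fopen");
    if (pito_is_write_mode(mode)) pito_record("fopen", path);
    return real_fopen(path, mode);
}

/* Deletions and renames change the tree too, and carry no flags to inspect. */
int unlink(const char *path) {
    static int (*real_unlink)(const char *);
    if (real_unlink == NULL) real_unlink = (int (*)(const char *))pito_next("unlink");
    pito_record("unlink", path);
    return real_unlink(path);
}

int rename(const char *oldpath, const char *newpath) {
    static int (*real_rename)(const char *, const char *);
    if (real_rename == NULL)
        real_rename = (int (*)(const char *, const char *))pito_next("rename");
    pito_record("rename", newpath);
    return real_rename(oldpath, newpath);
}
```

Two caveats worth knowing before relying on this for a package list: the `#undef _FORTIFY_SOURCE` is needed because fortified glibc headers replace `open` with an inline checking wrapper, and the same "internal alias" problem that forces a separate `fopen` wrapper applies to `openat`, `creat`, `mkdir`, `symlink` and friends, each of which needs its own interposer.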

#2 2010-07-07 21:00:08

Rip-Rip
Member
Registered: 2008-11-09
Posts: 32

Re: LD_PRELOAD based sandbox

Hi,

Your project reminds me of systrace, an OpenBSD syscall policy enforcement. It has some limitations and quite a big security hole, allowing someone to modify the syscall parameters after they were checked in a threaded environment.

It would be great if yours didn't have this limitation.

My 2 cents.


#3 2010-07-07 21:32:17

tavianator
Member
From: Waterloo, ON, Canada
Registered: 2007-08-21
Posts: 858

Re: LD_PRELOAD based sandbox

@Rip-Rip: this isn't really a secure architecture. LD_PRELOAD can be escaped very easily by changing your environment and then exec()ing (see chromium for an example). Plus, system calls can be executed directly with assembly code (int 0x80 on i?86), which nothing but ptrace has a chance of catching (and this is what strace does).

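The two escapes tavianator describes, written out as an added example (not from the thread and not pito's code) so that anyone building a preload sandbox can test against them. `raw_syscall3` enters the kernel with the architecture's own entry instruction, so no interposable libc symbol such as `write()` is ever called; on architectures other than x86-64 and i386 it falls back to libc's generic `syscall(2)`, which is still not the symbol a wrapper replaced. `run_without_preload` is the exec escape: it clears `LD_PRELOAD` and exec()s, and since the dynamic loader reads the environment of the new image, the wrapper library is never mapped into the child. The function names and the `/tmp/pito_nonexistent.so` path used when exercising it are this example's own.

```c
#define _GNU_SOURCE          /* syscall(2) prototype */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not from the thread or from pito: the two escapes described
 * above, written out so a sandbox author can test a preload library against
 * them. Nothing here is hidden; it is exactly what an uncooperative build
 * script or binary can do. */

/* 1. Enter the kernel directly. No libc symbol is called, so a wrapper
 * interposed with LD_PRELOAD on write()/open()/... never runs. The asm is the
 * x86-64 and i386 entry sequence; other architectures fall back to libc's
 * generic syscall(2), which is still not the symbol the wrapper replaced.
 * Returns the kernel's result (negative on error for the asm paths). */
long raw_syscall3(long nr, long a1, long a2, long a3) {
    long ret;
#if defined(__x86_64__)
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
#elif defined(__i386__)
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(nr), "b"(a1), "c"(a2), "d"(a3)
                      : "memory");
#else
    ret = syscall(nr, a1, a2, a3);
#endif
    return ret;
}

/* write(2) without touching libc's write(): a preload hook on write() is blind to this. */
long raw_write(int fd, const void *buf, size_t len) {
    return raw_syscall3(SYS_write, fd, (long)buf, (long)len);
}

/* getpid(2) the same way; handy for checking the raw path actually works. */
long raw_getpid(void) {
    return raw_syscall3(SYS_getpid, 0, 0, 0);
}

/* 2. Drop LD_PRELOAD and exec. ld.so reads the environment of the *new*
 * image, so the wrapper library is simply never mapped into the child; the
 * wrapper's only chance is to catch the exec call itself and put the variable
 * back. Runs prog in a child and returns its exit status (-1 on error). */
int run_without_preload(const char *prog, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsetenv("LD_PRELOAD");
        execv(prog, argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The first escape is the one a preload design cannot close at all; only ptrace (as strace does) or a kernel-side mechanism sees a raw `syscall`/`int 0x80`. The second one can be closed only by interposing every exec entry point and re-inserting the variable, which is what the next post claims to do.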

#4 2010-07-07 22:16:28

tuxjay
Member
Registered: 2010-01-10
Posts: 4

Re: LD_PRELOAD based sandbox

tavianator wrote:

LD_PRELOAD can be escaped very easily by changing your environment and then exec()ing (see chromium for an example).

No, not my system. The library plugins capture all forms of exec and reinforce the environment (which is retrieved in the global initialisation stage using static constructors) to avoid this problem.

It tested fine with chromium.

EDIT:

Discovered pacman's fakeroot (which is LD_PRELOAD based) doesn't handle unsetenv("LD_PRELOAD") followed by execv, whilst pito preload plugins can handle this.

Last edited by tuxjay (2010-07-08 13:14:26)

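The mechanism tuxjay describes (capture `LD_PRELOAD` in a constructor, then force it back into the environment on every exec) as an added example; this is not pito's code and the `pito_*` names, the buffer size and the `/tmp/pito_nonexistent.so` path used to exercise it are assumptions of this example. The constructor runs when the library is mapped, before `main`, so a later `unsetenv("LD_PRELOAD")` in the program changes nothing the wrapper relies on; `execve` is the choke point and `execv`/`execvp` are routed through it. The comment in the code lists the glibc entry points (`execl*`, `execvpe`, `fexecve`, `posix_spawn*`) that do not pass through the interposable `execve` symbol and therefore each need their own wrapper in a real plugin.

```c
#define _GNU_SOURCE          /* RTLD_NEXT, execvpe */
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Added example, not pito's own code: the re-enforcement idea from the post.
 * The value of LD_PRELOAD is captured by a constructor when the library is
 * mapped, before the program runs, and every exec wrapper below pushes that
 * value back into the environment the kernel receives. unsetenv("LD_PRELOAD")
 * followed by execv() therefore still lands in a preloaded child. */

static char pito_preload[4096];

__attribute__((constructor))
static void pito_capture_preload(void) {
    const char *v = getenv("LD_PRELOAD");
    if (v != NULL) snprintf(pito_preload, sizeof pito_preload, "%s", v);
}

/* Explicit (re)arm, used when the library is not actually preloaded, e.g. in tests. */
void pito_set_preload(const char *v) {
    snprintf(pito_preload, sizeof pito_preload, "%s", v != NULL ? v : "");
}

/* Copy envp with exactly one LD_PRELOAD entry, set to `preload`: an existing
 * entry is replaced in place, duplicates are dropped, otherwise it is appended.
 * Only the LD_PRELOAD string and the array are allocated; free with pito_free_env. */
char **pito_force_preload(char *const envp[], const char *preload) {
    size_t n = 0;
    while (envp != NULL && envp[n] != NULL) n++;
    char **out = malloc((n + 2) * sizeof *out);
    char *forced = malloc(strlen("LD_PRELOAD=") + strlen(preload) + 1);
    if (out == NULL || forced == NULL) { free(out); free(forced); return NULL; }
    strcpy(forced, "LD_PRELOAD=");
    strcat(forced, preload);
    size_t j = 0;
    int placed = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(envp[i], "LD_PRELOAD=", 11) == 0) {
            if (!placed) out[j++] = forced;
            placed = 1;
        } else {
            out[j++] = envp[i];
        }
    }
    if (!placed) out[j++] = forced;
    out[j] = NULL;
    return out;
}

size_t pito_env_len(char *const envp[]) {
    size_t n = 0;
    while (envp != NULL && envp[n] != NULL) n++;
    return n;
}

void pito_free_env(char **env) {
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        if (strncmp(env[i], "LD_PRELOAD=", 11) == 0) free(env[i]);   /* the one we allocated */
    free(env);
}

/* execve is the choke point; execv/execvp funnel into it. A real plugin has to
 * cover execl*, execvpe, fexecve and posix_spawn* too, since glibc's versions of
 * those do not go through this (interposable) execve symbol. */
int execve(const char *path, char *const argv[], char *const envp[]) {
    static int (*real_execve)(const char *, char *const[], char *const[]);
    if (real_execve == NULL)
        real_execve = (int (*)(const char *, char *const[], char *const[]))dlsym(RTLD_NEXT, "execve");
    if (pito_preload[0] == '\0') return real_execve(path, argv, envp);
    char **fixed = pito_force_preload(envp, pito_preload);
    if (fixed == NULL) { errno = ENOMEM; return -1; }
    real_execve(path, argv, fixed);       /* returns only on failure */
    int saved = errno;
    pito_free_env(fixed);
    errno = saved;
    return -1;
}

int execv(const char *path, char *const argv[]) {
    return execve(path, argv, environ);
}

int execvp(const char *file, char *const argv[]) {
    static int (*real_execvpe)(const char *, char *const[], char *const[]);
    if (real_execvpe == NULL)
        real_execvpe = (int (*)(const char *, char *const[], char *const[]))dlsym(RTLD_NEXT, "execvpe");
    if (pito_preload[0] == '\0') return real_execvpe(file, argv, environ);
    char **fixed = pito_force_preload(environ, pito_preload);
    if (fixed == NULL) { errno = ENOMEM; return -1; }
    real_execvpe(file, argv, fixed);      /* returns only on failure */
    int saved = errno;
    pito_free_env(fixed);
    errno = saved;
    return -1;
}

/* Demo helper: exec `path` with `envp` in a child, through the wrapper above,
 * and return the child's exit status (-1 on error). */
int pito_spawn_status(const char *path, char *const argv[], char *const envp[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(path, argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

This closes the `unsetenv` + `exec` hole for callers that go through libc, which is the case the post reports fakeroot failing. It does nothing about a program that builds its own environment and issues the `execve` system call directly, which is the raw-syscall escape from the previous post and is out of reach for any LD_PRELOAD design.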

#5 2010-07-08 02:57:19

tuxjay
Member
Registered: 2010-01-10
Posts: 4

Re: LD_PRELOAD based sandbox

Uploaded "pito-git" to the AUR.

