Hi,
I've written a system that makes writing LD_PRELOAD wrappers easy. With this I can catch access to any C library function and modify it. It is like Gentoo's sandbox, but plugin-based and a lot more flexible.
With this I can catch all file system write requests and build the package list from a regular make install, with no make hacks or post-install trickery required, and no root access required for FUSE.
Could use this to simplify pacbuilder. The code is at:
It is plugin-based. Two plugins are provided at the moment: a system call logger, and a filesystem sandbox that is currently in stub form.
Cheers, James
Last edited by tuxjay (2010-07-07 20:13:28)
Hi,
Your project reminds me of systrace, an OpenBSD syscall policy enforcement mechanism. It has some limitations and quite a big security hole, allowing someone to modify the syscall parameters after they were checked in a threaded environment.
It would be great if yours didn't have this limitation.
My 2 cents.
@Rip-Rip: this isn't really a secure architecture. LD_PRELOAD can be escaped very easily by changing your environment and then exec()ing (see chromium for an example). Plus, system calls can be executed directly with assembly code (int 0x80 on i?86), which nothing but ptrace has a chance of catching (and this is what strace does).
LD_PRELOAD can be escaped very easily by changing your environment and then exec()ing (see chromium for an example).
No, not my system. The library plugins capture all forms of exec and reinforce the environment (which is retrieved in the global initialisation stage using static constructors) to avoid this problem.
It tested fine with Chromium.
EDIT:
Discovered that pacman's fakeroot (which is LD_PRELOAD based) doesn't handle unsetenv("LD_PRELOAD") followed by execv, whilst pito's preload plugins can handle this.
Last edited by tuxjay (2010-07-08 13:14:26)
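Added example (not pito's code, and not from any post in this thread): a minimal LD_PRELOAD shim in C that interposes execve(), rebuilds the child's environment so that LD_PRELOAD always names the shim again, and then enters the kernel through the raw execve syscall rather than looking up libc's execve with dlsym(RTLD_NEXT). This is the behaviour the reply above describes (surviving unsetenv("LD_PRELOAD") followed by an exec). The shim path, the environment-rebuilding helpers and the sample environments are all assumptions constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Assumed path of the preload object; pito's real file name is not given in the thread. */
#define SHIM_PATH "/usr/lib/pito/preload.so"
#define PRELOAD_KEY "LD_PRELOAD="

/* Constructed sample environments for the example; not captured from a real process. */
char *const sample_env[] = { "PATH=/bin", "LD_PRELOAD=/tmp/evil.so", "HOME=/home/james", NULL };
char *const sample_env_stripped[] = { "PATH=/bin", NULL };

/* Return the value of LD_PRELOAD in envp, or NULL if there is no such entry. */
const char *env_preload(char *const envp[])
{
    for (size_t i = 0; envp && envp[i]; i++)
        if (strncmp(envp[i], PRELOAD_KEY, strlen(PRELOAD_KEY)) == 0)
            return envp[i] + strlen(PRELOAD_KEY);
    return NULL;
}

/* Copy envp, dropping whatever LD_PRELOAD entry the caller left (or removed), and
 * append LD_PRELOAD=<shim> as the final entry. This undoes unsetenv("LD_PRELOAD")
 * or an overwrite before the kernel ever sees the environment. Free with free_env(). */
char **reinforce_env(char *const envp[], const char *shim)
{
    size_t n = 0;
    while (envp && envp[n]) n++;
    char **out = calloc(n + 2, sizeof *out);      /* room for our entry plus NULL */
    if (!out) return NULL;
    size_t j = 0;
    for (size_t i = 0; i < n; i++)
        if (strncmp(envp[i], PRELOAD_KEY, strlen(PRELOAD_KEY)) != 0)
            out[j++] = envp[i];                   /* existing strings are borrowed, not copied */
    size_t len = strlen(PRELOAD_KEY) + strlen(shim) + 1;
    char *entry = malloc(len);
    if (!entry) { free(out); return NULL; }
    snprintf(entry, len, "%s%s", PRELOAD_KEY, shim);
    out[j++] = entry;                             /* always last, so free_env() knows it is ours */
    out[j] = NULL;
    return out;
}

/* Release an array built by reinforce_env(): only the last string was allocated here. */
void free_env(char **env)
{
    if (!env) return;
    size_t n = 0;
    while (env[n]) n++;
    if (n) free(env[n - 1]);
    free(env);
}

/* Interposed execve(): with this object in LD_PRELOAD the dynamic linker resolves the
 * program's execve to this definition. The environment is rebuilt and the kernel is
 * entered via the raw syscall, so libc's own execve is never needed. Like the real
 * call, this returns only on failure. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    char **env = reinforce_env(envp, SHIM_PATH);
    if (!env) { errno = ENOMEM; return -1; }
    long rc = syscall(SYS_execve, path, argv, env);
    int saved = errno;                            /* only reached if the exec failed */
    free_env(env);
    errno = saved;
    return (int)rc;
}
```

Build it as a shared object (gcc -shared -fPIC -o preload.so shim.c) and load it with LD_PRELOAD=./preload.so. Two caveats a practitioner will hit: glibc's execv, execvp, execl and posix_spawn reach the kernel through an internal alias rather than the public execve symbol, so a real shim must interpose each public entry point it wants to catch, not just execve; and, as the earlier reply notes, a program that issues the execve syscall itself (syscall(SYS_execve, ...) or inline int 0x80 / syscall) never touches libc and escapes any LD_PRELOAD-based scheme, as does a set-user-ID binary, for which the loader ignores LD_PRELOAD entirely.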
Uploaded "pito-git" to the AUR.