tag:blogger.com,1999:blog-2238516101365346732.post650638336388347182..comments2009-12-12T09:39:14.365+01:00Stephan Peijnikhttps://profiles.google.com/109766633501211556199noreply@blogger.comBlogger7125tag:blogger.com,1999:blog-2238516101365346732.post-37232714383356707552009-12-12T09:39:14.365+01:002009-12-12T09:39:14.365+01:00@lamby:<br /><br />Thanks for the hint. This is actually similar to what I am working on right now.<br /><br />@lindi<br /><br />Without having had a look at the exact details plash seems to rely on software using the C-libraries functions for accessing syscalls instead of calling them directly. I have not yet tried it myself, but if my assumption is correct limitations could be worked around by doing a syscall directly. With a chroot in place and the &quot;iptables tricks&quot; (haven&#39;t looked at them) it is possible that plash provides a similar level of security though.<br />ujail is not about protecting the system from bugs in syscall implementations, but rather providing a secure sandboxing environment. <br /><br />On your note about subterfugue: according to what looks like its official website it has been unmaintained since 2001, so it&#39;s probably not an option.<br /><br />@3jAmY5a7:<br /><br />Yes, this should be possible to do with ujail, once I get the code ready (which is likely to take some time).sphttp://www.blogger.com/profile/10693058812548733549noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-20981096843790487412009-12-11T00:35:14.000+01:002009-12-11T00:35:14.000+01:003jAmY5a7: you can easily do that with subterfugue. It lets you write python code that can install handlers for syscalls.lindihttp://lindi.myopenid.com/noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-38027365491452545752009-12-11T00:05:31.204+01:002009-12-11T00:05:31.204+01:00Here is another use-case to consider: Sometimes I use LD_PRELOAD tricks to change the behavior of a closed-source process, e.g. if the process creates and then deletes a file, I can replace the unlink operation so that the deleted file gets moved to a temporary directory instead. This only works if they use shared libraries, while replacing the unlink system call would instead let me easily do this to any binary.3jAmY5a7http://openid.anonymity.com/3jAmY5a7noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-54120713074019761682009-12-10T10:25:01.379+01:002009-12-10T10:25:01.379+01:00@sp: Do you mean that a process could escape plash by making syscall directly? I thought the new UID/GID, chroot and iptables tricks were there to block file and network access. Of course you can try to exploit unknown linux bugs but can ujail really do much about those other than block some seldomly used syscalls completely?lindihttp://lindi.myopenid.com/noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-83118534956722339312009-12-09T13:18:44.976+01:002009-12-09T13:18:44.976+01:00Geordi is an IRC bot that uses a ptrace-based supervisor to compile execute arbitrary code. The code is written in literate Haskell so could provide a good example of what you want to do. Alternatively, the supervisor section can even be used outside of IRC - indeed, codepad.org runs on precisely this code.lambyhttp://www.blogger.com/profile/00824098599241357355noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-36541344629556489362009-12-09T12:38:00.588+01:002009-12-09T12:38:00.588+01:00@lindi:<br /><br />I totally agree with you that this approach is possibly faster than ujail. However, this can also be worked around by injecting code that invokes the syscalls directly. I also agree that this is hard to achieve from within python code, but not impossible, at least in theory.<br /><br />Also, ujail should be a lot more flexible, as it applies to *any* binary, including the Python interpreter (and Perl, and machine-native code, and ...).<br /><br />I will consider adding a comparison to plash the next time I update the FAQ.<br /><br />Thanks for your input!sphttp://www.blogger.com/profile/10693058812548733549noreply@blogger.comtag:blogger.com,1999:blog-2238516101365346732.post-77756458286989304902009-12-09T11:57:17.286+01:002009-12-09T11:57:17.286+01:00You might want add comparison to plash to your FAQ. For example<br /><br />python foo.py test1.txt test2.txt<br /><br />in pola-shell will let foo.py only read the files test1.txt and test2.txt (There&#39;s a lot more syntax to specify what files can be written to).<br /><br />Afaik plash works using a chroot and a modified glibc that can talk to the outside world using a unix socket. Via this unix socket it can prompt for my permissions and also ask the helper to open file descriptors for it, the file descriptors can then be passed via the unix socket so that they can be used in side the chroot.<br /><br />Very cool and faster than tracing every syscall.lindihttp://lindi.myopenid.com/noreply@blogger.com