Preventing processes to execute certain system calls


Question

I'm writing a program that spawns child processes. For security reasons, I want to limit what these processes can do. I know of security measures from outside the program such as chroot or ulimit, but I want to do something more than that. I want to limit the system calls done by the child process (for example preventing calls to open(), fork() and such things). Is there any way to do that? Optimally, the blocked system calls should return with an error but if that's not possible, then killing the process is also good.

I guess it can be done with ptrace() but from the man page I don't really understand how to use it for this purpose.

Recommended answer

If you want to do it the ptrace way, you have some options (and some are really simple). First of all, I recommend you to follow the tutorial explained here. With it you can learn how to know what system calls are being called, and also the basic ptrace knowledge (don't worry, it's a very short tutorial). The options (that I know) you have are the following:

  • The easiest one would be to kill the child, that is this exact code here.
  • Secondly you could make the child fail, just by changing the registers with PTRACE_SETREGS, putting wrong values in them, and you can also change the return value of the system call if you want (again, with PTRACE_SETREGS).
  • Finally you could skip the system call. But for that you should know the address after the system call, make the instruction register point there and set it (again, with PTRACE_SETREGS).
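
The second option above (make the blocked call fail with an error), as an added example that is not part of the original answer. It assumes Linux on x86-64, where the syscall number is in `orig_rax` and the return value in `rax`; the helper name `run_with_blocked_syscall` and the `/dev/null` probe are hypothetical.

```c
/* Added example: Linux x86-64 only (register names are arch-specific). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a traced child that tries openat("/dev/null");
 * any call to syscall number `blocked` is denied with EPERM.
 * Returns the child's exit code: 0 if openat worked, else its errno. */
int run_with_blocked_syscall(long blocked)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(255);
        raise(SIGSTOP);                   /* wait for the parent to set options */
        long fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
        _exit(fd < 0 ? errno : 0);
    }
    int status, entering = 1, denied = 0;
    waitpid(pid, &status, 0);             /* child is stopped by its SIGSTOP */
    if (!WIFSTOPPED(status)) return -1;   /* tracing was not permitted */
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, 0, 0); /* run to next syscall entry/exit */
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        if (!(WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)))
            continue;                     /* signal stop, not a syscall stop */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, 0, &regs);
        if (entering && (long)regs.orig_rax == blocked) {
            regs.orig_rax = -1;           /* invalid number: kernel runs nothing */
            denied = 1;
            ptrace(PTRACE_SETREGS, pid, 0, &regs);
        } else if (!entering && denied) {
            regs.rax = -EPERM;            /* return value the child will see */
            denied = 0;
            ptrace(PTRACE_SETREGS, pid, 0, &regs);
        }
        entering = !entering;
    }
}
```

This tracer follows only the one child: processes or threads the child creates are not traced unless `PTRACE_O_TRACEFORK`, `PTRACE_O_TRACEVFORK` and `PTRACE_O_TRACECLONE` are also set and each new tracee is handled in the wait loop.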
