From: Stanislav Ochotnicky
Date: Mon, 02 Apr 2007 19:24:21 +0200
To: freebsd-hackers@freebsd.org
Subject: Re: Deny system call using ptrace
In-Reply-To: <4610BF5A.7060807@kmit.sk>

My mistake.

I noticed later that ptrace is actually called just before the system call; however, the system call code and arguments are already read in the kernel and are not re-read after ptrace finishes. It simply does not account for that possibility.

------ cut here ---
	if (error == 0) {
		td->td_retval[0] = 0;
		td->td_retval[1] = frame->tf_edx;

		STOPEVENT(p, S_SCE, narg);

		PTRACESTOP_SC(p, td, S_PT_SCE);    <= change syscall number or args

		AUDIT_SYSCALL_ENTER(code, td);
		error = (*callp->sy_call)(td, args);
		AUDIT_SYSCALL_EXIT(error, td);
	}
------- cut here -----

I'm wondering if it would be possible to move the STOPEVENT and PTRACESTOP lines to the beginning of syscall() without creating mayhem. Or another way to make stopping syscall execution possible.

Regards,
S.O.
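The ordering problem the message describes, as an added example that is not part of the original post and not FreeBSD kernel code: a constructed user-space model of the quoted syscall() path, with a `struct frame` standing in for the trapframe, a toy `sysent[]` table with made-up syscall numbers, and a tracer callback standing in for the register rewrite a debugger performs at the PTRACESTOP_SC stop. `syscall_current` copies the code and arguments before the stop, as the quoted code does, so the tracer's edit is never re-read; `syscall_stop_first` reorders the stop ahead of the decode, as the message proposes, and the tracer's redirect to the nosys slot takes effect.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the i386 syscall() dispatch path quoted in the
 * message. NOT FreeBSD kernel code: struct frame stands in for the
 * trapframe, sysent[] for the real system call table, and a tracer
 * callback for what a debugger does at the PTRACESTOP_SC stop (rewriting
 * the stopped thread's registers).
 */

/* Constructed syscall numbers; they do not match FreeBSD's syscalls.master. */
#define SYS_NOSYS 0      /* slot 0 behaves like sys_nosys(): "no such syscall" */
#define SYS_READ  1
#define SYS_WRITE 2
#define NSYSENT   3
#define NARGS     3

struct frame {
    int code;            /* stands in for tf_eax: the syscall number */
    int args[NARGS];     /* stands in for the arguments copied from the user stack */
};

typedef int (*sy_call_t)(const int *args);

static int nosys_call(const int *a) { (void)a; return -1; }   /* ENOSYS-like */
static int read_call(const int *a)  { return a[2]; }          /* "bytes read" = len */
static int write_call(const int *a) { return a[2]; }          /* "bytes written" = len */

static const sy_call_t sysent[NSYSENT] = { nosys_call, read_call, write_call };

/* Tracer policy: deny write by redirecting it to the nosys slot. */
static void tracer_deny_write(struct frame *fr)
{
    if (fr->code == SYS_WRITE)
        fr->code = SYS_NOSYS;
}

static sy_call_t lookup(int code)
{
    return (code < 0 || code >= NSYSENT) ? nosys_call : sysent[code];
}

/*
 * Ordering as in the quoted kernel code: code and args are copied out of
 * the frame and callp is resolved before the PTRACESTOP_SC stop runs, so
 * whatever the tracer writes back into the frame is never re-read.
 */
static int syscall_current(struct frame *fr, void (*tracer)(struct frame *))
{
    int code = fr->code;
    int args[NARGS];
    memcpy(args, fr->args, sizeof args);
    sy_call_t callp = lookup(code);

    if (tracer != NULL)
        tracer(fr);                 /* PTRACESTOP_SC(p, td, S_PT_SCE) */

    return callp(args);             /* dispatches on the stale copy */
}

/*
 * Ordering the message proposes: stop first, then decode the frame, so
 * the tracer's edit decides which handler runs.
 */
static int syscall_stop_first(struct frame *fr, void (*tracer)(struct frame *))
{
    if (tracer != NULL)
        tracer(fr);

    int code = fr->code;
    int args[NARGS];
    memcpy(args, fr->args, sizeof args);
    return lookup(code)(args);
}

/* Constructed trapframe: write(fd=1, buf=0, len=5). */
static struct frame make_write_frame(void)
{
    struct frame fr = { SYS_WRITE, { 1, 0, 5 } };
    return fr;
}

/* Current ordering: the write still runs and returns its length (5). */
int demo_current(void)
{
    struct frame fr = make_write_frame();
    return syscall_current(&fr, tracer_deny_write);
}

/* Stop-first ordering: the write is redirected to nosys and returns -1. */
int demo_stop_first(void)
{
    struct frame fr = make_write_frame();
    return syscall_stop_first(&fr, tracer_deny_write);
}

int main(void)
{
    printf("current ordering:    write returns %d (tracer edit ignored)\n", demo_current());
    printf("stop-first ordering: write returns %d (denied as nosys)\n", demo_stop_first());
    return 0;
}
```

The model keeps only the ordering that matters for the question: on the quoted path the kernel has already chosen `callp` and copied `args` by the time the tracer can touch the registers, so a tracer that wants to deny a call has to run before the decode, which is exactly the reordering the message asks about.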