Deny system call using ptrace

w0rm w0rm at kmit.sk
Mon Apr 2 08:54:34 UTC 2007


Stanislav Ochotnicky wrote:

> The problem is that the FreeBSD kernel seems to ignore the changed
> register and executes the original system call.

Oh well... So I'll just (try to) answer myself :)

The problem seems to be, as far as I can tell, that the syscall() routine
fills in the syscall code and arguments, then does other stuff, finally
calling the requested syscall itself. But whether the process is traced is
checked after the call, so there is no way to block it. I cannot tell what
would moving this block:
--------------cut here ------
/*
 * Traced syscall.
 */
if ((orig_tf_eflags & PSL_T) && !(orig_tf_eflags & PSL_VM)) {
	frame->tf_eflags &= ~PSL_T;
	ksiginfo_init_trap(&ksi);
	ksi.ksi_signo = SIGTRAP;
	ksi.ksi_code = TRAP_TRACE;
	ksi.ksi_addr = (void *)frame->tf_eip;
	trapsignal(td, &ksi);
}
-------------cut here -------

do to MP safety or other stuff. If it could in fact be safely moved to
the beginning of syscall(), it would greatly enhance the features of ptrace().

Regards,
S.O.
