Deny system call using ptrace

Stanislav Ochotnicky stanislav.ochotnicky at kmit.sk
Mon Apr 2 17:24:45 UTC 2007


My mistake.

I noticed later that ptrace is actually called just before the system call;
however, the system call code and arguments have already been read by the
kernel and are not re-read after ptrace finishes. It simply does not account
for that possibility.
------ cut here ---
if (error == 0) {
	td->td_retval[0] = 0;
	td->td_retval[1] = frame->tf_edx;

	STOPEVENT(p, S_SCE, narg);

	PTRACESTOP_SC(p, td, S_PT_SCE);<= change syscall number or args

	AUDIT_SYSCALL_ENTER(code, td);
	error = (*callp->sy_call)(td, args);
	AUDIT_SYSCALL_EXIT(error, td);
}
-------cut here -----

I'm wondering if it would be possible to move the STOPEVENT and PTRACESTOP
lines to the beginning of syscall() without creating mayhem. Or is there
another way to make stopping syscall execution possible?

Regards,
S.O.
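For contrast with the FreeBSD ordering quoted above, here is an added example (not code from the original post, nor FreeBSD code) of the behaviour the poster is asking for, on Linux/x86_64: there the kernel re-reads the registers after the syscall-entry ptrace stop, so a tracer can deny a call by setting orig_rax to -1 and then report -EPERM at the exit stop. The function name run_denied_child and the choice of getppid(2) as the denied call are the example's own.

```c
/* Added example (Linux/x86_64, not FreeBSD code): deny one syscall via ptrace. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a traced child that invokes denied_nr; return the errno the child saw
 * (0 if the call was allowed through), or -1 if the tracer itself failed. */
int run_denied_child(long denied_nr)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                            /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(255);
        raise(SIGSTOP);                        /* hand control to the tracer */
        long r = syscall(denied_nr);
        _exit(r == -1 ? errno : 0);
    }
    int status, in_syscall = 0;                /* 0 entry, 1 allowed, 2 denied */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                          /* signal stop, not a syscall stop */
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0) return -1;
        if (in_syscall == 0) {                 /* syscall-entry stop */
            in_syscall = 1;
            if ((long)regs.orig_rax == denied_nr) {
                regs.orig_rax = -1;            /* kernel executes no syscall */
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
                in_syscall = 2;
            }
        } else {                               /* syscall-exit stop */
            if (in_syscall == 2) {
                regs.rax = (unsigned long long)-EPERM; /* tracee sees EPERM */
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
            }
            in_syscall = 0;
        }
    }
}
```

Calling run_denied_child(SYS_getppid) returns EPERM, showing the tracee's getppid() never reached the kernel's dispatch; the same tracer pattern is what a ptrace-based sandbox relies on, and it only works because the stop precedes the kernel's use of the syscall number.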


