systrace - enforce and generate policies for system calls
pseudo-device systrace [count]
systrace attaches to processes and enforces policies for
system calls. A
pseudo-device, /dev/systrace, allows userland processes to
control the
behavior of systrace through an ioctl(2) interface.
systrace can assign the following policies to system calls:
SYSTR_POLICY_ASK Send a message of the type SYSTR_MSG_ASK, and put
the process to sleep until a STRIOCANSWER ioctl(2)
is made.
SYSTR_POLICY_PERMIT Immediately allow the system call.
SYSTR_POLICY_NEVER Immediately return an error code.
A read(2) operation on the systrace pseudo-device will block
if there are
no pending messages, or return the following structure:
struct str_message {
int msg_type;
#define SYSTR_MSG_ASK 1
#define SYSTR_MSG_RES 2
#define SYSTR_MSG_EMUL 3
#define SYSTR_MSG_CHILD 4
pid_t msg_pid;
short msg_policy;
union {
struct str_msg_emul msg_emul;
struct str_msg_ask msg_ask;
struct str_msg_child msg_child;
} msg_data;
};
struct str_msg_emul {
char emul[SYSTR_EMULEN];
};
struct str_msg_ask {
int code;
int argsize;
register_t args[SYSTR_MAXARGS];
register_t rval[2];
int result;
};
struct str_msg_child {
pid_t new_pid;
};
systrace supports the following ioctl(2) commands:
SYSTR_CLONE int
Return a systrace file descriptor for further ioctl(2)
operations.
STRIOCATTACH pid_t
Attach to a process, unless:
1. It's the process that's doing the attaching.
2. It's a system process.
3. It's being traced already.
4. You do not own the process and you're
not root.
5. It's init(8), and the kernel was not
compiled with
option INSECURE.
STRIOCDETACH pid_t
Wake up a process if it is waiting for an
answer, and detach
from it.
STRIOCANSWER struct systrace_answer
Tell systrace what to do with a system call
that was assigned
a policy of SYSTR_POLICY_ASK.
struct systrace_answer {
pid_t stra_pid; /* PID of process being traced */
int stra_policy; /* Policy to assign */
int stra_error; /* Return value
of denied syscall
(will return
EPERM if zero) */
int stra_flags;
#define SYSTR_FLAGS_RESULT 0x0001 /* Report syscall result */
};
STRIOCREPORT pid_t
Report the current emulation a process is
using inside
the msg_emul structure.
STRIOCREPLACE struct systrace_replace
Arrange for system call arguments to be replaced by arguments
supplied by the monitoring process.
struct systrace_replace {
pid_t strr_pid;
int strr_nrepl; /* # of arguments to replace */
caddr_t strr_base; /*
Base user memory */
size_t strr_len; /*
Length of memory */
int strr_argind[SYSTR_MAXARGS]; /*
Argument indexes */
size_t strr_off[SYSTR_MAXARGS]; /*
Argument offsets */
size_t strr_offlen[SYSTR_MAXARGS];
/* Argument sizes */
};
STRIOCIO struct systrace_io
Copy data in/out of the process being
traced.
struct systrace_io {
pid_t strio_pid; /* PID of process being traced */
int strio_ops;
#define SYSTR_READ 1
#define SYSTR_WRITE 2
void *strio_offs;
void *strio_addr;
size_t strio_len;
};
STRIOCPOLICY struct systrace_policy
Manipulate the set of policies.
struct systrace_policy {
int strp_op;
#define SYSTR_POLICY_NEW 1 /* Allocate a new policy */
#define SYSTR_POLICY_ASSIGN 2 /* Assign policy to process */
#define SYSTR_POLICY_MODIFY 3 /* Modify an entry */
int strp_num;
union {
struct {
short code;
#define SYSTR_POLICY_ASK 0
#define SYSTR_POLICY_PERMIT 1
#define SYSTR_POLICY_NEVER 2
short policy;
} assign;
pid_t pid;
int maxents;
} strp_data;
#define strp_pid strp_data.pid
#define strp_maxents strp_data.maxents
#define strp_code strp_data.assign.code
#define strp_policy strp_data.assign.policy
};
The SYSTR_POLICY_NEW operation allocates a
new policy
with all entries initialized to SYSTR_POLICY_ASK, and returns
the new policy number into strp_num.
The
SYSTR_POLICY_ASSIGN operation attaches the
policy identified
by strp_num to strp_pid, with a maximum
of
strp_maxents entries. The SYSTR_POLICY_MODIFY operation
changes the entry indexed by strp_code to
strp_policy.
STRIOCGETCWD pid_t
Set the working directory of the current
process to that
of the named process.
STRIOCRESCWD Restore the working directory of the current
process.
/dev/systrace system call tracing facility
ioctl(2), read(2), options(4), securelevel(7)
The systrace facility first appeared in OpenBSD 3.2.
OpenBSD 3.6 May 26, 2002
[ Back ] | 