[<prev] [next>] [day] [month] [year] [list]
Message-ID: <30335309.9kgxB5Lv94@sifl>
Date: Mon, 16 Apr 2012 10:09:50 -0400
From: Paul Moore <paul@...l-moore.com>
To: libseccomp-discuss@...ts.sourceforge.net
Cc: David Windsor <dwindsor@...il.com>,
linux-security-module@...r.kernel.org,
Will Drewry <wad@...omium.org>, linux-kernel@...r.kernel.org
Subject: Re: [libseccomp-discuss] ANN: libseccomp
On Saturday, April 14, 2012 10:10:28 AM David Windsor wrote:
> Out of curiosity, are there any current efforts towards creating a "learning
> mode" type of application for seccomp? I.e. creating a profile for a
> particular application based upon which syscalls it makes during normal
> operation. I realize that many people consider this a security anti-
> pattern, but it could be useful for the initial creation of a seccomp filter
> for a particular application, and other security subsystems already do this
> (ala AppArmor's learning/complain mode). IIUC, no other kernel mechanisms
> would need to be created; ptrace could accomplish syscall monitoring.
I'm not aware of any serious efforts, but as Kees already pointed out, his
seccomp tutorial could be extended to do something similar to what you
describe. Kees' tutorial uses raw BPF, but the same basic principles would
work with libseccomp as well if you wanted a higher level interface.
The libseccomp sources also contain a simple little script which runs an
application via strace and presents a slightly cleaned up version of the
strace report which shows the syscalls, their frequency (important if you want
to tune the seccomp filter), and some of the arguments you're likely to want
to filter on. Simple example:
# ./tools/sys_inspector -h
usage ./tools/sys_inspector [-f] [-a] [-o <file>] <command> [<args>]
# ./tools/sys_inspector -f /bin/true
============================================================
Syscall Report ("/bin/true")
freq syscall
============================================================
8 mmap
4 mprotect
2 open
2 fstat
2 close
1 read
1 munmap
1 exit_group
1 execve
1 brk
1 arch_prctl
1 access
--
paul moore
www.paul-moore.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists