README.md (51 additions & 10 deletions)
@@ -12,8 +12,9 @@ syscalls:
12
12
- umount2
13
13
log: true
14
14
block: true
15
-
arg0: 1
16
-
arg0_char: false
15
+
arg0:
16
+
content: 1
17
+
isChar: false
17
18
```
18
19
the name of the object is what gets interpreted as the syscall name, here the name `umount2` is taken, but `SYS_umount2` would also be accepted.
19
20
each syscall object can have a total of 6 args, reaching from arg0 to arg5, each also having an Argo_char option, which needs to be set if the argN field is set.
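Review bot: the paragraph at diff line 20 still describes the old flat layout and now contradicts the hunk above it: it says every `argN` field needs a matching `Argo_char` option, but the hunk replaces `arg0_char: false` with a nested `arg0:` mapping that carries `content` and `isChar`. Rewrite that sentence for the nested form, fix the `Argo_char` typo, and say which keys inside the mapping are required (is `isChar` mandatory, and may `isFdesc` and `matchtype` be omitted when `isChar` is false, as the `content: 1` example suggests?). Also "each syscall object can have a total of 6 args, reaching from arg0 to arg5" reads better as "up to six arguments, `arg0` through `arg5`".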
@@ -25,23 +26,63 @@ syscalls:
25
26
- umount2
26
27
log: true
27
28
block: true
28
-
arg0: 3
29
-
arg0_char: false
29
+
arg0:
30
+
content: "/some/path"
31
+
isChar: true
32
+
isFdesc: false
33
+
matchtype: "begins"
34
+
```
35
+
In this example, syscall interceptor checks if the argument in the syscall begins with "/some/path", meaning that trying to call `umount2` on `/some/path` or `/some/path/nested` would be blocked.
36
+
37
+
38
+
- umount2
39
+
log: true
40
+
block: true
41
+
arg0:
42
+
content: 3
43
+
isChar: false
30
44
```
31
45
In the case, that the argument is a char pointer, it can be specified how the argument should be matched, possible options are "full", "begins" and "contains":
32
46
```
33
47
log_file: /some/random/path
48
+
syscalls:It is also possible that some syscalls (such as arg0 in mount_setattr) use file descriptors to access files, in this case it is not possible for syscall-interceptor to intercept a sycall based on a clear path, instead the `isFdesc` option has to be set to true:
49
+
```
50
+
log_file: /some/random/path
34
51
syscalls:
35
-
- umount2
52
+
- mount_setattr
36
53
log: true
37
54
block: true
38
-
arg0: "/some/path"
39
-
arg0_char: true
40
-
arg0_matchtype: "begins"
55
+
arg0:
56
+
content: "/some/path"
57
+
isChar: true
58
+
isFdesc: true
59
+
matchtype: "begins"
41
60
```
42
-
In this example, syscall interceptor checks if the argument in the syscall begins with "/some/path", meaning that trying to call `umount2` on `/some/path` or `/some/path/nested` would be blocked.
43
61
44
-
In the future an extra tool may be developed to either fully generate or at least assist with the generation of a configuration file.
62
+
In the case where a syscall accepts both (also mount_setattr), two entries for the same syscall can be configured:
63
+
```
64
+
log_file: /some/random/path
65
+
syscalls:
66
+
- mount_setattr
67
+
log: true
68
+
block: true
69
+
arg0:
70
+
content: "/some/path"
71
+
isChar: true
72
+
isFdesc: true
73
+
matchtype: "begins"
74
+
- mount_setattr
75
+
log: true
76
+
block: true
77
+
arg1:
78
+
content: "/some/path"
79
+
isChar: true
80
+
isFdesc: false
81
+
matchtype: "begins"
82
+
```
83
+
In this case a `mount_setattr` syscall gets blocked if either the file descriptor in `arg0` points to `/some/path` or if `arg1` equals `/some/path`
84
+
85
+
In the future an extra tool may be developed to either fully generate or at least assist with the generation of a configuration file, for now `strace` can be used to check which syscalls a program uses.
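Review bot: diff line 48 fuses the `syscalls:` line of the existing example with the new paragraph (`syscalls:It is also possible that some syscalls ...`), so the code block opened at diff line 46 (`log_file: /some/random/path`) is never closed and the fence at diff line 49 re-opens a block instead of closing one; in the rendered README the matchtype example and the prose after it will end up inside a code block. Split it back into a closed example (the `log_file` line, `syscalls:`, a `- umount2` entry with `matchtype`, closing fence) followed by the paragraph on its own line. Related: the sentence at diff line 45 ("possible options are full, begins and contains:") now sits after the integer `content: 3` example rather than before the `matchtype: "begins"` example it introduces, so either move it or reword it; the sentence at diff line 83 says `arg1` "equals" `/some/path`, but that entry uses `matchtype: "begins"`, so it should say "begins with" and end with a period; and "sycall" at diff line 48 is a typo. Finally, since `isFdesc: true` is documented as the way to match a file-descriptor argument against a path, the text should state how the descriptor is resolved to the path that `content` is compared with, otherwise users cannot tell what `"/some/path"` is being matched against for `mount_setattr`.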