[Systrace] Granularity of ioctl and fcntl
Niels Provos
provos at citi.umich.edu
Mon May 2 17:46:21 EDT 2005
On Mon, May 02, 2005 at 07:55:37PM +0200, Johannes Nicolai wrote:
> I have attached a little program to demonstrate how one can use
> fcntl (the same is true for ioctl) to kill an arbitrary process that
> you were also able to kill with the kill command. However, systrace
> only gives me the opportunity to deny or permit fcntl / ioctl at all
> but no translations are available to decide this regarding the flags
> for the system call. Perhaps (I hope so) I am wrong with this
> statement and there is a way to do it. If so please tell me. If
> not, please tell me how I can implement it or if a new version of
> systrace will cover this feature.
The systrace policy language is completely independent of any system
call interface. Systrace consists of several independent layers; one
of them is the system call translation layer. The translation layer
translates any system call into a human-readable string on which the
policy language operates.
So, what you are missing are translators for fcntl and ioctl. They
should be trivial to implement.
Niels.