Systrace for Mac OS X 23
Niels Provos writes in that he has added Mac OS X support for Systrace, a sandboxing/application confinement tool that can be used to increase application and service security. It installs a new kernel to support /dev/systrace and the Systrace application, and a Cocoa frontend.
Re:Replace my kernel?, but I like my kernel (Score:5, Informative)
My only qualm is where is this kernel coming from and why is there no other way to run this then with a specially built kernel
The patch is there for you to peruse, along with the Darwin kernel source. So if your feeling a little paranoid then go for it. As to why this couldn't be a module of some sort, does the Darwin version of the BSD kernel support lkm's? And even if it does, systrace operates at a much lower level than say a device driver (which is where kernel modules really come into their own).
Chris
Re:Proprietary (Score:4, Informative)
Umm... you mean, like this [opendarwin.org]?
Set restrictions on a system call level (Score:5, Informative)
Systrace on the other hand lives inside your normal kernel - you don't run any virtual machines at all. However systrace can decide what system calls a program can use, and if desired limit how they can be called. For example you could say Apache is allowed to create a bound socket to port 80, but no other port. You can say allow it to read files in /var/www/htdocs but nothing else. This means that should some user make a symlink to /etc/passwd, it can't be read. Should someone get Apache to run shellcode, it can't run /bin/sh or open a new network socket for inbound access.
The configuration to do this is rather extensive, but anything that will be expicit must be. See the sample apache config [umich.edu] for example.
Systrace works similarly to other kernel hardening patches, such as GRSecurity or LIDS. LIDS for example can lock down access to the filesystem (read/write/nada) and to root permissions (allow root to read non-root files, dissallow socket binding, etc) but this is different in that the systemcalls themselves have been hooked, not just some common access methods.
Re:Kernel vendors (Score:4, Informative)
What's this? why, it looks like links to download the source for darwin. And whats that? why, it appears that you can peruse just about everything, save for Quartz.
Note the obfuscated URL. truly, apple is going to great links to hide the source for OS X.
I won't even mention the CVS server.