Systrace for Mac OS X 23
Niels Provos writes in that he has added Mac OS X support for Systrace, a sandboxing/application confinement tool that can be used to increase application and service security. It installs a new kernel to support /dev/systrace and the Systrace application, and a Cocoa frontend.
Replace my kernel?, but I like my kernel (Score:5, Interesting)
Is it impossible to get teh same thing done with a kernel extension?
Re:Replace my kernel?, but I like my kernel (Score:5, Informative)
My only qualm is where is this kernel coming from and why is there no other way to run this then with a specially built kernel
The patch is there for you to peruse, along with the Darwin kernel source. So if your feeling a little paranoid then go for it. As to why this couldn't be a module of some sort, does the Darwin version of the BSD kernel support lkm's? And even if it does, systrace operates at a much lower level than say a device driver (which is where kernel modules really come into their own).
Chris
Kernel vendors (Score:4, Insightful)
Why not just take a look at the source... its more readily available than the source for Mac OS X.
Re:Kernel vendors (Score:1)
Unlike MS, Apple doesn't make inferior products that have new security holes to be discovered every week. So I really have no reason not to trust Apple's stuff.
As to the source of Mac OS X: Why do you need it? Thier source being open will in no way help Mac OS X, perhaps it may help other *nix distros but not Apple's since they are heavily optimized regularly and provide a layer of operability higher than those of say systrace.
Re:Kernel vendors (Score:2, Troll)
Re:Kernel vendors (Score:4, Informative)
What's this? why, it looks like links to download the source for darwin. And whats that? why, it appears that you can peruse just about everything, save for Quartz.
Note the obfuscated URL. truly, apple is going to great links to hide the source for OS X.
I won't even mention the CVS server.
Re:Proprietary (Score:3, Insightful)
Fink's Package DB [sourceforge.net] indicates that the 'big momentum' has already begun...
Re:Proprietary (Score:4, Funny)
Yeah, because having the entire Darwin sources available under an Open Source license is just
Re:Proprietary (Score:1)
Re:Proprietary (Score:4, Informative)
Umm... you mean, like this [opendarwin.org]?
hows this differ from UML (Score:1)
So if anyone is knowlegdeable about the apple part, could you compare the two.
Set restrictions on a system call level (Score:5, Informative)
Systrace on the other hand lives inside your normal kernel - you don't run any virtual machines at all. However systrace can decide what system calls a program can use, and if desired limit how they can be called. For example you could say Apache is allowed to create a bound socket to port 80, but no other port. You can say allow it to read files in /var/www/htdocs but nothing else. This means that should some user make a symlink to /etc/passwd, it can't be read. Should someone get Apache to run shellcode, it can't run /bin/sh or open a new network socket for inbound access.
The configuration to do this is rather extensive, but anything that will be expicit must be. See the sample apache config [umich.edu] for example.
Systrace works similarly to other kernel hardening patches, such as GRSecurity or LIDS. LIDS for example can lock down access to the filesystem (read/write/nada) and to root permissions (allow root to read non-root files, dissallow socket binding, etc) but this is different in that the systemcalls themselves have been hooked, not just some common access methods.
system call tracing needs to become standard (Score:2)
In any case, I thought that one of the promises of Mach was that these kinds of changes should be doable via plug-ins, without creating a new kernel. Why does this require a "new kernel"?
Re:system call tracing needs to become standard (Score:2, Interesting)