Take a look at the St. Jude kernel module/model paper on sourceforge. I haven't gotten the module to do anything other than hang the box (under 2.4), but the paper itself is interesting, and along the lines of what you want. Essentially, privileged processes have certain syscalls watched (sys_exec(), for example). When one of these syscalls is run, St. Jude checks its list of what the process is allowed to exec, and blocks the syscall if you can't. The list of syscall arguments is created by running the module in "learn" mode, where it allows all syscalls.
http://sourceforge.net/projects/stjude

On Fri, Dec 21, 2001 at 12:35:27PM -0500, Gary MacDougall wrote:
>
> Interesting.
>
> Has someone done some work on this?
> I mean, let's face it, you're running a bunch of
> servers and they have boatloads of daemons. Why
> they'll need to fork/exec a shell is really a good
> question -- in my mind, they don't. I could be wrong.
>
> Why not simply build this ability into the kernel?
> Could be an option at menuconfig time...
>
> Gary
>
> -----Original Message-----
> From: Kelly Martin [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 21, 2001 12:24 PM
> To: 'Robert Clay'; debian-security@lists.debian.org
> Subject: RE: Secure 2.4.x kernel
>
> As far as I know, Linux does not support doing that. So the way you do it
> is modify your kernel to make fork and exec revokable syscalls, write a
> syscall allowing a process to request revocation of unneeded syscalls, and
> add that call to your daemon.
>
> Kelly
>
> > -----Original Message-----
> > From: Robert Clay [SMTP:[EMAIL PROTECTED]]
> > Sent: Friday, December 21, 2001 11:17 AM
> > To: debian-security@lists.debian.org
> > Subject: RE: Secure 2.4.x kernel
> >
> > And how would one do that?
> >
> > >>> Kelly Martin <[EMAIL PROTECTED]> 12/21/01 12:09PM >>>
> > ...Taking away the fork and exec syscalls from a daemon which does not
> > need to do either would be a good start.
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]

--
"I think a lot of the basis of the open source movement comes from
procrastinating students..." -- Andrew Tridgell
<http://www.linux-mag.com/2001-07/tridgell_04.html>
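The revocable-syscall idea this thread circles around, a daemon giving up fork and exec once it no longer needs them, exists in mainline Linux today as seccomp-bpf. The following is an added example, not code from this thread or from St. Jude: the daemon installs such a filter on itself, and a small user-space evaluator lets the policy be checked before it is installed. It assumes Linux with glibc on x86_64 and does not model St. Jude's learn-mode argument lists.

```c
/* Added example, not from the thread: a daemon revokes its own fork/exec with seccomp-bpf. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
/* Every process-creation and exec entry point; glibc's fork() is clone() underneath. */
static const int revoked[] = { SYS_clone, SYS_execve, SYS_execveat,
#ifdef SYS_clone3 /* present in kernel >= 5.3 headers */
    SYS_clone3,
#endif
#ifdef SYS_fork /* the raw fork/vfork numbers exist on x86_64, not on aarch64 */
    SYS_fork, SYS_vfork,
#endif
};
#define NREVOKED (sizeof revoked / sizeof revoked[0])
#define NINSN (4 + NREVOKED + 2)
#define EMIT(insn) (prog[i++] = (struct sock_filter)insn) /* append one instruction */
static struct sock_filter prog[NINSN];
/* Classic BPF: wrong arch -> kill; revoked nr -> fail with EPERM; anything else -> allow. */
static void build_filter(void) {
    size_t i = 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0)); /* assumption: x86_64 build */
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (size_t k = 0; k < NREVOKED; k++) /* on a match, jump past the remaining compares and ALLOW */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)revoked[k], NREVOKED - k, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
}
/* The daemon calls this once setup is done; from then on fork()/exec*() fail with EPERM. */
static int revoke_fork_exec(void) {
    struct sock_fprog fprog = { .len = NINSN, .filter = prog };
    build_filter();
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required for unprivileged filters */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Test aid: evaluate the filter in user space for one (arch, nr) pair without installing it. */
static __u32 verdict_for(__u32 arch, int nr) {
    build_filter(); __u32 acc = 0;
    for (size_t pc = 0; pc < NINSN; pc++) {
        if (BPF_CLASS(prog[pc].code) == BPF_RET) return prog[pc].k;
        if (BPF_CLASS(prog[pc].code) == BPF_LD) /* this program only ever loads nr or arch */
            acc = prog[pc].k == offsetof(struct seccomp_data, nr) ? (__u32)nr : arch;
        else pc += (acc == prog[pc].k) ? prog[pc].jt : prog[pc].jf; /* offsets are relative to pc + 1 */
    }
    return SECCOMP_RET_KILL_PROCESS; /* unreachable: every path ends in a RET */
}
```

Call revoke_fork_exec() after any setup that still needs to exec; blocked calls then fail with EPERM rather than killing the process, so the daemon's own error handling sees them.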