Syscall-Intercept allows you to intercept syscalls issued by programs and then block or log them according to a config file.
1
+
# syscall-interceptor
2
+
3
+
A program that intercepts syscalls issued by other programs and logs/blocks them.
4
+
5
+
## Configuring:
6
+
The configuration is the `config.yml` file in the root of the repository.
7
+
It only requires the `syscalls` field, however the `log_file` field should also be configured.
8
+
An example configuration that blocks the `umount2(2)` syscall with the `MNT_DETACH` flag, which gets called when running `umount -l`:
9
+
```
10
+
log_file: /some/random/path
11
+
syscalls:
12
+
- umount2
13
+
log: true
14
+
block: true
15
+
arg0: 1
16
+
arg0_char: false
17
+
```
18
+
the name of the object is what gets interpreted as the syscall name, here the name `umount2` is taken, but `SYS_umount2` would also be accepted.
19
+
each syscall object can have a total of 6 args, reaching from arg0 to arg5, each also having an Argo_char option, which needs to be set if the argN field is set.
20
+
The argN_char option tells the parser if the argument is a string argument, e.g. if its a path, or if it a long, e.g. flags that can be raised, like `MNT_DETACH`.
21
+
In the example, arg0 is set to a long of value 1, this corresponds to the `MNT_DETACH` flag, if, for example, the syscall should only be blocked if `MNT_DETACH` _and_ `MNT_FORCE` are set, then the result of a bitwise or (|=) with `MNT_DETACH` and `MNT_FORCE` (which is 3) should be set to arg0:
22
+
```
23
+
log_file: /some/random/path
24
+
syscalls:
25
+
- umount2
26
+
log: true
27
+
block: true
28
+
arg0: 3
29
+
arg0_char: false
30
+
```
31
+
32
+
In the future an extra tool may be developed to either fully generate or at least assist with the generation of a configuration file.
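Review bot: the first example's `arg0: 1` does not correspond to `MNT_DETACH`; in Linux's `<sys/mount.h>` `MNT_FORCE` is 1 and `MNT_DETACH` is 2, so as written the rule matches `umount -f` rather than the `umount -l` case the text describes, while the value 3 given for `MNT_DETACH | MNT_FORCE` in the second example is correct. Smaller points in the same hunk: `Argo_char` should read `argN_char`; in both YAML blocks the keys following `- umount2` appear at the same level as the list item, whereas the text says the object's name is the syscall name, so they need to be nested under `- umount2:`; and `bitwise or (|=)` would be clearer as `|`, since `|=` is the compound-assignment form. It would also help to state whether `argN` is compared for equality or tested as a bit mask, since the `MNT_DETACH` _and_ `MNT_FORCE` example reads as an exact-value match, in which case a call that sets further flags alongside those two would not be matched by that rule.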