wrapping dynamic syscalls with wrap(1) (was: safety-rm)

On Thu, 27 Sep 2007 20:27:56 +0900
Daichi GOTO <daichi_at_freebsd.org> wrote:

> >> We have created safety expansion for rm(1). If you have any
> >> interests, please try follow patch.
> >>
> >>    http://people.freebsd.org/~daichi/safety-rm/
>
> And unusual commands like chflags I just suppose are no much
> point in this case. What is important is that adding mistake
> protecting functions into common commands like rm(1) itself.

Perhaps the solution is not general enough: rm(1) is but one
program using the unlink(2) syscall. Why not protect unlink(2)
itself by wrapping it into a function that does all this checking
that you're putting into safety-rm right now?

Users who want to protect themselves could then dynamically
link this unlink-wrapper into all their applications. When an
application calls unlink(2), that call will be diverted to
unlink(3), the wrapper.

Ideally, users should have a generic way to wrap syscalls (or
other dynamic library calls) with a program similar to env(1),
let's call it wrap(1). A call to wrap(1):

$ wrap lib1 lib2 lib3 ... prog

would dynamically relink prog in such a way that it uses objects
taken from lib1, lib2, lib3 ... instead of the libraries it is
already linked to against.

To protect unlink(2) in a shell session, one could then write an
unlink(3) wrapper into a library libsafe_unlink.so, and invoke the shell
like:

$ wrap safe_unlink /bin/sh

Now, every call to unlink(2) (be it from /bin/sh - that's easy, or
from all their children - that's the hard part), would call the
unlink(3) from this library wrapper libsafe_unlink.so

That would be really useful, not only in the unlink(2) case.
You could do all kinds of stuff with that, like profiling,
instrumenting etc...

Of course, there's already libmap.conf(5), but it would be nice
to have something that's not limited to root, and that could be
used more dynamically, as in wrap(1).

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/