On Sun, 2020-11-22 at 01:22 -0700, Andrew Warkentin wrote:
I am wanting to implement a system call origin limit (akin to that of OpenBSD) in UX/RT. This could probably be accomplished by adding a "set system call range" TCB method that takes the start and end addresses of the range in which system calls will be permitted without interception. Any system call issued from code outside this range would incur a user exception (which would provide all the state required for user code to handle the system call and resume the thread if desired).
I'm not convinced that adding this feature to the kernel itself is reasonable. Performing any system call (except for Yield) on seL4 requires a capability in the calling thread's CSpace. This should be sufficient to protect a thread from performing any unauthorised action. If a thread attempts to perform a syscall directly rather than via the interface library, this shouldn't be a security issue although it may be a correctness one (if you intend to allow applications to make syscalls directly). You shouldn't rely on the shared library within the binary to enforce security requirements. If you need to be able to emulate the Linux system call ABI for the level of compatibility you are attempting to achieve, this should be feasible with the VCPUs present in seL4. You don't necessarily need to provide an entire Linux VM within the VCPU, but a minimal guest supervisor mode would be sufficient to trap all calls made from the Linux user-level and redirect them to the host system using the seL4 API.
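The two controls discussed in this exchange, seL4's capability check on every invocation and the proposed per-TCB "system call range", can be contrasted in a small model. The following Python is an added illustration written for this thread, not seL4 kernel code or anything from UX/RT; the `TCB`, `Capability`, `set_syscall_range` and `dispatch` names, the addresses and the cap slots are all constructed. It shows the point of the reply: a direct syscall from outside the wrapper library still fails if the CSpace holds no suitable capability, so the origin limit adds a correctness trap (a user exception carrying the thread state) rather than the authority check itself.

```python
"""Toy model (not seL4 code) of capability-checked syscalls plus the proposed
per-TCB syscall origin range. All names and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

YIELD = "Yield"  # the one seL4 system call that needs no capability


@dataclass
class Capability:
    obj: str                 # object the cap refers to, e.g. "endpoint:7" (constructed)
    rights: FrozenSet[str]   # e.g. {"send"}


@dataclass
class TCB:
    name: str
    cspace: Dict[int, Capability] = field(default_factory=dict)  # slot -> cap
    syscall_range: Optional[Tuple[int, int]] = None  # [start, end), None = unrestricted


def set_syscall_range(tcb: TCB, start: int, end: int) -> None:
    """Hypothetical TCB method from the proposal: only code in [start, end)
    may issue syscalls without being intercepted."""
    if start >= end:
        raise ValueError("empty syscall range")
    tcb.syscall_range = (start, end)


def dispatch(tcb: TCB, pc: int, syscall: str,
             slot: Optional[int] = None, right: Optional[str] = None) -> str:
    """Kernel-side decision for one syscall issued by `tcb` from address `pc`.
    Returns 'ok', 'user_exception' (origin limit tripped; the handler would
    receive the full register state) or 'cap_fault' (no authority)."""
    # Proposed origin limit: checked first, before any object is touched.
    if tcb.syscall_range is not None:
        start, end = tcb.syscall_range
        if not (start <= pc < end):
            return "user_exception"
    if syscall == YIELD:
        return "ok"
    # The check seL4 actually performs: the invocation needs a cap with the
    # right rights in the caller's CSpace, regardless of where the call came from.
    cap = tcb.cspace.get(slot)
    if cap is None or right not in cap.rights:
        return "cap_fault"
    return "ok"


def demo() -> Dict[str, str]:
    """Constructed scenario: a wrapper library mapped at [0x1000, 0x2000) and
    application code at 0x4000 that issues syscalls directly."""
    send_cap = Capability("endpoint:7", frozenset({"send"}))
    restricted = TCB("app-with-range", cspace={1: send_cap})
    set_syscall_range(restricted, 0x1000, 0x2000)
    unrestricted = TCB("app-no-range", cspace={1: send_cap})
    return {
        # inside the wrapper, with a valid Send cap: permitted
        "wrapper_send": dispatch(restricted, 0x1200, "Send", slot=1, right="send"),
        # inside the wrapper, empty slot: authority missing, so it fails anyway
        "wrapper_no_cap": dispatch(restricted, 0x1200, "Send", slot=9, right="send"),
        # inside the wrapper, cap lacks the needed right
        "wrapper_bad_right": dispatch(restricted, 0x1200, "Recv", slot=1, right="recv"),
        # direct syscall from application code: origin limit intercepts it
        "direct_send": dispatch(restricted, 0x4000, "Send", slot=1, right="send"),
        "direct_yield": dispatch(restricted, 0x4000, YIELD),
        # no origin limit configured: a direct call with a valid cap is simply allowed
        "unrestricted_direct": dispatch(unrestricted, 0x4000, "Send", slot=1, right="send"),
        # no origin limit and no cap: still refused by the capability check
        "unrestricted_no_cap": dispatch(unrestricted, 0x4000, "Send", slot=9, right="send"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

The ordering in `dispatch` reflects the proposal as described: the origin check runs before the capability lookup so that the user-level handler gets a uniform exception for every intercepted call, while the capability check remains the control that decides whether the action is authorised at all.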