Skip to content

Limiting syscall access for a Linux application

Assume a Linux binary foobar which has two different modes of operation:

  • Mode A: A well-behaved mode in which syscalls a, b and c are used.
  • Mode B: A things-gone-wrong mode in which syscalls a, b, c and d are used.

Syscalls a, b and c are harmless, whereas syscall d is potentially dangerous and could cause instability to the machine.

Assume further that which of the two modes the application runs is random: the application runs in mode A with probability 95 % and in mode B with probability 5 %. The application comes without source code so it cannot be modified, only run as-is.

I want to make sure that the application cannot execute syscall d. When executing syscall d the result should be either a NOOP or an immediate termination of the application.

How do I achieve that in a Linux environment?



Is the application linked statically?

If not, you may override some symbols, for example, let’s redefine socket:

int socket(int domain, int type, int protocol)
        return -1;

Then build a shared library:

gcc -fPIC -shared test.c -o

Let’s run:

nc -l -p 6000


And now:

$ LD_PRELOAD=./ nc -l -p 6000
Can't get socket

What happens when you run with variable LD_PRELOAD=./ It overrides with symbols defined in over those defined in the C library.

User contributions licensed under: CC BY-SA
5 People found this is helpful