Syswall, a dynamic firewall for system calls


Syswall is a new development that aims to create something like a dynamic firewall for filtering applications' access to system calls. The project code is written in the Rust language; the license is not specified.

This new development looks like an interactive version of the strace utility and allows you to keep track of every system call made by a program. The key difference is that, in addition to displaying information about the system calls and the results of their execution.

About Syswall

syswall supports an interactive mode in which the monitored process is stopped before making a system call and the user is asked whether to continue or ignore the operation (for example, you can monitor every attempt the process makes to open a file or a network connection).

Syswall can also collect statistics on the system calls made and generate a report based on them.

The objectives of syswall are as follows:

  • To provide an improved version of strace that makes it easier to determine what software is actually doing.
  • To provide an environment for testing and experimenting with software, by allowing a detailed and interactive approach to allowing and rejecting system calls.

Each process can have a configuration file

For each process, you can attach a configuration file with a list of explicitly allowed or blocked system calls.

For supported calls, syswall allows the user to perform the following actions:

  • Allow syscall once
  • Always allow that particular syscall
  • Block syscall once (hard or soft)
  • Always block that particular syscall (hard or soft)
  • When blocking, the program can perform a block (hard or soft).

During the interactive session it is possible to allow or block a specific system call at run time, or every call to that system call regardless of where in the program it is made.
Blocking is supported in "hard" and "soft" modes.

Types of blocking

In the first case, the system call is not executed and an access-denied error code is returned to the process. In the second case, the system call is also not executed, but the process receives a fictitious successful return code, simulating the successful execution of the system call.

At the moment, only analysis of system calls related to file operations is supported.

A hard block prevents the syscall from executing and returns a permission denied error to the child process. A soft block also prevents the syscall, but tries to return an appropriate response to the child process so that it appears the syscall was actually executed.

In this case, confirmation prompts are displayed only for system calls that have been specially marked or that have not been encountered before.

Save and load a process configuration

Choices made during execution can be saved to a JSON file. This file can be loaded during another run so that the same choices are applied.

This is a work in progress - only the "always allow" and "always block" responses are saved.

Reports

When the child process finishes, syswall prints a short report on the child process's system calls. Currently it consists of all opened or blocked files, but it will be expanded in future releases.
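To make the once/always choices, the hard/soft block semantics, the saved "always" answers and the end-of-run report described above concrete, here is an added example that models that decision logic in Python; it is not syswall's own code. The `Event` type, the `ask` callback, the constructed trace and the JSON layout are assumptions standing in for the real ptrace syscall stop and for syswall's actual configuration file format.

```python
import json
from dataclasses import dataclass

ALLOW, HARD, SOFT = "allow", "hard", "soft"  # the three answers a user can give
EPERM = 1                                     # errno the child sees on a hard block

@dataclass
class Event:            # constructed stand-in for a ptrace syscall-entry stop
    name: str
    path: str = ""      # file path or peer address, if any
    nbytes: int = 0     # byte count for write()

class Policy:           # decision logic modelled on syswall's once/always and hard/soft choices
    def __init__(self, rules=None):
        self.rules = dict(rules or {})      # syscall name -> ALLOW/HARD/SOFT ("always" answers only)
        self.opened, self.blocked = [], []  # material for the end-of-run report
        self._fake_fd = 1000                # descriptors handed out by soft-blocked openat
    def decide(self, ev, ask):
        """Return (run_real_syscall, return_value); ask(ev) -> (kind, always) is the prompt."""
        kind = self.rules.get(ev.name)      # an "always" answer skips the prompt entirely
        if kind is None:
            kind, always = ask(ev)
            if always:
                self.rules[ev.name] = kind
        if kind == ALLOW:
            if ev.name == "openat":
                self.opened.append(ev.path)
            return True, None               # tracer lets the real syscall proceed
        self.blocked.append(ev.path or ev.name)
        if kind == HARD:
            return False, -EPERM            # syscall skipped, child sees "permission denied"
        if ev.name == "openat":             # soft block: hand out a fake descriptor
            self._fake_fd += 1
            return False, self._fake_fd
        return False, (ev.nbytes if ev.name == "write" else 0)  # write: claim all bytes written

    def dumps(self):                        # persist only the "always" answers, as syswall does
        return json.dumps(self.rules, sort_keys=True)

def run_demo():
    """Replay a constructed trace with a scripted user; return (policy, per-event outcomes)."""
    def user(ev):                           # scripted answers standing in for the prompt
        if ev.name == "openat":
            return (HARD, False) if ev.path == "/etc/shadow" else (ALLOW, False)
        return (SOFT, True) if ev.name == "connect" else (ALLOW, True)
    trace = [Event("openat", "/etc/passwd"), Event("openat", "/etc/shadow"),
             Event("connect", "10.0.0.1:443"), Event("write", nbytes=12), Event("connect", "10.0.0.2:80")]
    policy = Policy()
    return policy, [policy.decide(ev, user) for ev in trace]
```

In a real tracer the `(False, value)` outcome would be applied by rewriting the syscall number to an invalid one at the entry stop and writing `value` into the return register at the exit stop; a loaded configuration is just `Policy(json.loads(text))`.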

The project is still in the stage of a functional prototype and not all the conceived possibilities are realized.

There is still more to develop

The project has a large to-do list. In the future it is planned to add:

  • support for additional classes of system calls;
  • the ability to make decisions based on the arguments passed to a system call;
  • a way to save the process state to a file for later comparison of activity across different runs of a program (for example, to compare the lists of files and network connections);
  • an option to ignore the loading of dynamic libraries;
  • support for typical sets of settings (for example, block all sockets but allow file access).
