← Back to context

Comment by pdonis

2 years ago

> assuming your programs don't execute other programs.

What about language runtimes? They don't execute other programs in the sense of ELF executables (although the programs they interpret might), but they have to support every syscall that's included in the language. So, for example, the Python interpreter would have to include the appropriate code for every syscall that Python byte code could call (in addition to whatever internal syscalls are used by the interpreter itself). That would be a pretty complete set of syscalls.

6 comments

pdonis

Reply
woodruffw  2 years ago

Yep, language runtimes are an (inevitably?) large attack surface. My understanding is that OpenBSD userspace processes can voluntarily limit their own syscall behavior with pledge[1], so a Python program (or the interpreter itself) could limit the scope of a particular process. But I have no idea how common that is.

[1]: https://man.openbsd.org/pledge

masklinn  2 years ago

A langage runtime would dispatch to the libc, which is always whitelisted.

This is only an issue for the weirdo langage runtimes who’d also refuse to use libc.

  • arzig  2 years ago

    cough go cough

    Although it is periodically useful to be able to copy a binary to some random Linux server and know it will work.

    • masklinn  2 years ago

      Even for go it should actually work as-is: the syscalls should exist statically in the binary, so the loader can enumerate and whitelist them.

      What gets blocked is the system constructing the entire thing at runtime, or at least setting the syscall number dynamically.

      2 replies →