Adding SafePOSIX Implementation of Syscalls
## Lind_GlibC

Two main paths can be taken when implementing a new system call; the difference between them is laid out in the Native Client section below. On both paths the system call is first defined in Lind_GlibC. We customize the NaCl C compiler in GlibC to recognize the system calls we implement in Lind and to link any further references to our implementations.
First, a file named `X.c` should be created in `Lind_GlibC/sysdeps/nacl/` for a system call `X`. In this file, define the function that implements the system call under the name `__X`, followed by `weak_alias (__X, X)` to export the public name (additional aliases can be added here as well). The file's full path (`sysdeps/nacl/X.c`) should then be added to the `override_list` in `make_sysd_rules.py`, so that this implementation, rather than the stock glibc one, is the one that gets built and used.
This `__X` function should call a function that is able to invoke `NACL_SYSCALL`. Such functions can be implemented in either `sysdeps/nacl/lind_syscalls.c` or `sysdeps/nacl/irt_syscalls.c`, after being declared in the respective header files.
In `lind_syscalls.c`, the convention is to implement this function as `lind_X`, after declaring it in the header file. Here, two parameters of type `LindArg`, named `in_args` and `out_args`, should be filled in properly, and a `NACL_SYSCALL` targeting `lind_api` directly should be carried out (path 1). For this path, a number should be assigned to a macro denoting the new system call; that macro is later passed as the first argument of `NACL_SYSCALL(lind_api)`. Path 1 is the one to prefer when no specific checks on the user address space or similar are needed for security and containment, since the call is relayed to the Lind implementation without any syscall-specific handling in NaCl.
In `irt_syscalls.c`, the convention is to implement this function as `nacl_irt_X`, after declaring a function pointer `*__nacl_irt_X` in both the header and the `.c` file. This is followed by the assignment `__nacl_irt_X = nacl_irt_X` at the bottom of `irt_syscalls.c`. These functions are normally used to call `NACL_SYSCALL` with a custom system call name (path 2), but they can also serve as a relay to the functions in `lind_syscalls.c`. If a custom system call name is going to be used, the function should also be defined in `nacl_syscalls.h` after the syscall number has been properly assigned. Path 2 should be preferred whenever security checks that use NaCl data are required, which is usually the case for containment.
The functions defined in `lind_syscalls.c` and/or `irt_syscalls.c` (such as `lind_X`) should then be added to the `GLIBC_PRIVATE` part of `Lind_GlibC/elf/Versions`, alongside the other system calls, to ensure they are exported and intercepted.
## Native Client

We make changes in native_client to define the behavior of the system calls in Lind. The general principle is that the security checks that depend on the state of the NaCl session are made here, before the system call is initiated. We then define the procedures for calling the POSIX implementations, and thereby link our Restricted Python (RePy) syscall implementations to Native Client. The changes needed in Native Client depend entirely on the development path chosen:
### Path 1

On this path, `NACL_SYSCALL(lind_api)` reaches the `NaClSysLindSyscall` function in `native_client/src/trusted/service_runtime/lind_syscalls.c` directly. In this function the parameters are parsed and combined with the `cage_id`. Then the `CallPythonFunc` function in `native_client/src/shared/platform/lind_platform.c` is called with the proper parameters. This function carries out the RPC, relaying the system call number coming from GlibC, together with the arguments in the proper format, straight to RePy. No changes are necessary to any of the files in Native Client for this path; since nothing syscall-specific runs in NaCl here, any checking the call needs has to happen in the RePy handler.
### Path 2

First, the name of the syscall implemented in GlibC should be defined, with the same number assigned to it in GlibC, in `native_client/src/trusted/service_runtime/include/bits/nacl_syscalls.h`, so that the same macro name can be used here. The syscall being implemented should then be added to the `SYSCALL_LIST` in `native_client/src/trusted/service_runtime/nacl_syscall_handlers_gen.py`, denoting the inputs it takes and linking the name on the GlibC side to the syscall handler name in NaCl. Then the referenced NaCl function should be declared in `native_client/src/trusted/service_runtime/nacl_syscall_common.h` and implemented in `native_client/src/trusted/service_runtime/nacl_syscall_common.c`. In this implementation the necessary security checks should be made, and any parsing of information that must be done in C should be carried out. Then a call must be made to one of the functions pointed to by the `NaClDescVtbl` (more information is available in `native_client/src/trusted/desc/nacl_desc_base.h`). Such a call goes through several layers of indirection but finally lands on the functions that call the POSIX implementations. The result should then be parsed and returned in the proper format.
Lastly, the functions linking NaCl to POSIX should be implemented. For this, functions named `lind_X` (for a syscall named `X`) should be declared in `native_client/src/shared/platform/lind_platform.h`, taking their standard parameters plus the cage id. Macros for the syscall names (`LIND_safe_fs_X` / `LIND_safe_net_X`) should also be defined here, with numbers matching those assigned to the GlibC/NaCl macros. These functions should then be implemented in `src/shared/platform/lind_platform.c`. The general format of these functions is as follows (a template; the parts in angle brackets are filled in per syscall):

```c
lind_X(<standard parameters>, cageid) {
    callArgs = Py_BuildValue("(<format_of_the_function_parameters>)", LIND_safe_fs_X, <parameters>, cageid);
    /* hand callArgs to CallPythonFunc, which performs the RPC to RePy */
    <COPY_DATA operations for return values>
}
```
## RePy

We implement the syscalls themselves here.

The dispatcher file is where the RPC is accepted and syscalls are delivered to the dispatcher; have the new syscall included there. To match the syscall with its Lind implementation, add a new pairing there as well. The number assigned to the system call here must match the one assigned in GlibC (and, on path 2, in NaCl); if the numbers disagree, the RPC from NaCl is delivered to the wrong handler.

Add the syscall's Lind implementation to the appropriate calls file in `nacl_repy/seattlelib/` (e.g. `nacl_repy/seattlelib/lind_net_calls.py`). In this directory you will also need to create a new `.repy` file that acts as the syscall's handler. There you do any mandatory checking of the arguments and, once the syscall has done its work, pack the result back for NaCl.
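As an added example (not code from the Lind project), the following Python models the RePy side as the page describes it: a pairing table from syscall number to handler, handlers that do their mandatory checking before doing any work and keep descriptors per cage, the packing of the result for NaCl, and a check that the numbers in the C-side `LIND_safe_*` macros agree with the RePy table. The `#define` format, the table shape, the handler names and the `(status, value)` packing are all assumptions for illustration; Lind's real dispatcher may differ.

```python
"""Added example, not Lind project code.  Assumptions: C macros of the form
`#define LIND_safe_{fs,net}_X N`; a RePy pairing table mapping syscall number
-> (name, handler); an RPC of (number, args, cageid) answered as (status,
value) with status 0 on success or -errno on failure."""
import re

# Constructed sample header in the style the page describes for
# lind_platform.h (assumed format; not copied from the project).
SAMPLE_HEADER = """
#define LIND_safe_fs_open    10
#define LIND_safe_fs_close   11
#define LIND_safe_fs_read    12
#define LIND_safe_net_socket 30
"""

_DEFINE_RE = re.compile(r"^\s*#define\s+LIND_safe_(?:fs|net)_(\w+)\s+(\d+)\s*$", re.M)


def parse_syscall_macros(header_text):
    """Return {syscall_name: number} from the LIND_safe_* defines in a header."""
    table = {}
    for name, num in _DEFINE_RE.findall(header_text):
        num = int(num)
        if table.get(name, num) != num:
            raise ValueError("%s defined with two different numbers" % name)
        table[name] = num
    return table


EINVAL, EBADF, ENOSYS, ENAMETOOLONG = 22, 9, 38, 36
MAX_PATH = 4096


class LindError(Exception):
    """Raised by a handler; the dispatcher packs it as a negative errno."""
    def __init__(self, errno, msg):
        super().__init__(msg)
        self.errno = errno


# Per-cage descriptor tables: one cage must never see or close another's fds.
_CAGE_FDS = {}


def _fds(cageid):
    return _CAGE_FDS.setdefault(cageid, {})


def lind_open(args, cageid):
    """Toy open: validate (path, flags), then hand out the lowest free fd >= 3."""
    if len(args) != 2:
        raise LindError(EINVAL, "open expects (path, flags)")
    path, flags = args
    if not isinstance(path, str) or not path or "\x00" in path:
        raise LindError(EINVAL, "path must be a non-empty string without NUL")
    if len(path) > MAX_PATH:
        raise LindError(ENAMETOOLONG, "path too long")
    if not isinstance(flags, int) or flags < 0:
        raise LindError(EINVAL, "flags must be a non-negative int")
    fds = _fds(cageid)
    fd = 3
    while fd in fds:
        fd += 1
    fds[fd] = path
    return fd


def lind_close(args, cageid):
    """Toy close: the fd must be open in *this* cage's table."""
    if len(args) != 1 or not isinstance(args[0], int):
        raise LindError(EINVAL, "close expects (fd)")
    fds = _fds(cageid)
    if args[0] not in fds:
        raise LindError(EBADF, "fd %d is not open in cage %d" % (args[0], cageid))
    del fds[args[0]]
    return 0


# RePy pairing table (assumed shape): syscall number -> (name, handler).
SYSCALL_TABLE = {
    10: ("open", lind_open),
    11: ("close", lind_close),
}


def dispatch(syscall_num, args, cageid):
    """Accept one RPC and pack the result for NaCl as (status, value)."""
    entry = SYSCALL_TABLE.get(syscall_num)
    if entry is None:
        return (-ENOSYS, None)
    try:
        return (0, entry[1](tuple(args), cageid))
    except LindError as e:
        return (-e.errno, None)


def check_number_agreement(c_table, repy_table):
    """List every way the C-side numbers and the RePy pairing table disagree."""
    problems, seen = [], {}
    for name, num in c_table.items():
        if num in seen:
            problems.append("number %d assigned to both %s and %s" % (num, seen[num], name))
        seen[num] = name
        entry = repy_table.get(num)
        if entry is None:
            problems.append("%s=%d has no RePy handler" % (name, num))
        elif entry[0] != name:
            problems.append("number %d is %s in C but %s in RePy" % (num, name, entry[0]))
    for num, (name, _) in repy_table.items():
        if num not in seen:
            problems.append("RePy handler %s=%d has no C macro" % (name, num))
    return problems
```

Run `check_number_agreement(parse_syscall_macros(header), SYSCALL_TABLE)` against the real headers after adding a syscall on either path; an empty list is the condition the page's "numbers must match" requirement is asking for, and anything else means an RPC will land on the wrong handler or on none.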
For development path 1:
For development path 2:
For reference: