Skip to content

Adding SafePOSIX Implementation of Syscalls

Jump to bottom
Çağlar Doğan edited this page Jan 7, 2021 · 22 revisions

Development Cycle:

There are two main paths that can be taken in implementing a new system call, defined in the Native Client section. In both these paths, a system call is defined in Lind_GlibC.

GlibC (Lind_GlibC)

We customize the NaCl C compiler in GlibC to identify the system calls we implement in Lind and link any further references to our implementations.

First, a file in Lind_GlibC/sysdeps/nacl/ named X.c should be created for a system call X. In this file, a function to implement the system call should be defined with the name __X. This definition should be followed by weak_alias (__X, X) to denote the reference. (Aditional references can also be added here)

This file's full path (sysdeps/nacl/X.c) should then be added to the override_list in make_sysd_rules.py to make sure that this function is used.

This __X function should reference a function that can call the NACL_SYSCALL function. Such functions can be implemented in either sysdeps/nacl/lind_syscalls.c or sysdeps/nacl/irt_syscalls.c (after being defined in the respective header files).

In lind_syscalls.c, the convention is to implement this function as lind_X after defining the function in the header file. Here, two parameters of type LindArg named in_args and out_args should be defined properly, and a NACL_SYSCALL directly targeting the lind_api should be carried out (for path 1). This path can be preferred if no specific checks for user address space etc. are needed for security and containment.

For this path (path 1), a number should be assigned to a macro denoting the new system call. This macro should later be used as the first argument for NACL_SYSCALL(lind_api).

In irt_syscalls.c, the convention is to implement this function as nacl_irt_X after defining the function as *__nacl_irt_X in both the header and the .c file. This is followed by a devotion: __nacl_irt_X = nacl_irt_X at the bottom of irt_syscalls.c. These function are normally used to call NACL_SYSCALL with a custom system call name (for path 2) but can also be used as a relay to call the functions in lind_syscalls.c.

If a NACL_SYSCALL with a custom system call name is going to be used, the function should be defined nacl_syscalls.h after the propper assignment of the syscall number. (for path 2) This path should be preferred if security checks using NaCl data are required - usually for containment.

The functions defined in lind_syscalls.c and/or irt_syscalls.c (__nacl_irt_X and/or lind_X) should then be added to the GLIBC_PRIVATE part in Lind_GlibC/elf/Versions alongside other system calls to ensure their interception.

Native Client (native_client)

We make changes in native_client to define the behavior of the system calls in Lind. The general principle is that we make the security checks related to the information regarding the state of the NaCl session before initiating system calls here. We then define the procedures for the calling of Posix implementations and thereby link our Restricted Python syscall implementations to Native Client.

The changes needed to be done in the Native Client is completely dependent on the preferred development path:

1) Using native_client as a relay:

In this path, the NACL_SYSCALL(lind_api) reaches the NaClSysLindSyscall function in native_client/src/trusted/service_runtime/lind_syscalls.c file directly. In this function; the parameters are parsed and are combined with the cage_id. Then, the CallPythonFunc function in native_client/src/shared/platform/lind_platform.c is called with the proper parameters. This function carries out the RPC, directly relaying the system call number coming from GlibC to the RePy alongside the proper arguments format.

No changes are necessary for any of the files in Native Client for this path.

2) Implementing parts of the system call in native_client:

First, the name of the implemented syscall in GlibC should be defined as the number assigned to the syscall in GlibC in the file native_client/src/trusted/service_runtime/include/bits/nacl_syscalls.h to allow for the use of the same name macro here.

Then, the NACL_SYSCALL being implemented should be added to the SYSCALL_LIST in native_client/src/trusted/service_runtime/nacl_syscall_handlers_gen.py, denoting the inputs used and linking the name on the GlibC side to the syscall name in NaCl.

Then, the referred NaCl function should be defined in native_client/src/trusted/service_runtime/nacl_syscall_common.h and implemented in native_client/src/trusted/service_runtime/nacl_syscall_common.c. In the implementation here, the necessary security check should be made, and parsing of information that must be one in C must be carried out. Then, a call must be made to one of the functions pointed by the NaClDescVtbl (more information available at native_client/src/trusted/desc/nacl_desc_base.h ). Such a call goes through many loops but finally lands on the functions calling the Posix implementations. Then, the result should be parsed and returned in the proper format.

Lastly, the implementation of functions linking the NaCl to Posix should be made. For this, functions ith the name lind_X (for a syscall named X) should be defined in native_client/src/shared/platform/lind_platform.h that include their standard parameters and the cage id. Also, macros for the name of the syscalls (LIND_safe_fs_X / LIND_safe_net_X) should be defined here to match the numbers assigned to the GlibC/NaCl macros.

These functions shouldthen be implemented in src/shared/platform/lind_platform.c. The general format for these functions is as follows:

function (, cageid) { LIND_API_PART1; callArgs = Py_BuildValue("(<format_of_the_function_parameters>)", LIND_safe_fs_X, , cageid); LIND_API_PART2; <COPY_DATA operations for return values> LIND_API_PART3; }

Repy + SafePOSIX:

We implement syscalls here.

This file is where RPC is accepted and syscalls are delivered to the dispatcher. Have the new syscall included here:

  • nacl_repy/seattlelib/lind_server.mix

To match the syscall with its Lind implementation, add a new pairing here:

  • nacl_repy/seattlelib/dispatcher.repy

It is important that the number assigned to the system call here matches the one assigned in GlibC.

Add the syscall's Lind implementation here:

  • nacl_repy/seattlelib/lind_fs_calls.py OR
  • nacl_repy/seattlelib/lind_net_calls.py

In this directory, you will also need to create a new .repy file that will act as the syscall's handler. There you do any mandatory checking and, after the syscall is implemented, pack the result back to NaCl.

Important files (for a system call X):

GlibC

  • Lind-GlibC/sysdeps/nacl/X.c

  • Lind-GlibC/make_sysd_rules.py

  • Lind-GlibC/elf/Versions

For development path 1:

  • Lind-GlibC/sysdeps/nacl/lind_syscalls.h
  • Lind-GlibC/sysdeps/nacl/lind_syscalls.c

For development path 2:

  • Lind-GlibC/sysdeps/nacl/irt_syscalls.h
  • Lind-GlibC/sysdeps/nacl/irt_syscalls.c
  • Lind-GlibC/sysdeps/nacl/nacl_syscalls.h

Native Client

  • `native_client/src/trusted/service_runtime/include/bits/nacl_syscalls.h

  • native_client/src/trusted/service_runtime/nacl_syscall_handlers_gen.py

  • native_client/src/trusted/service_runtime/nacl_syscall_common.h

  • native_client/src/trusted/service_runtime/nacl_syscall_common.c

  • native_client/src/shared/platform/lind_platform.h

  • native_client/src/shared/platform/lind_platform.c

For reference:

  • native_client/src/trusted/desc/nacl_desc_base.h

  • native_client/src/trusted/service_runtime/lind_syscalls.h

  • native_client/src/trusted/service_runtime/lind_syscalls.c

Repy + SafePOSIX

  • nacl_repy/seattlelib/X.repy

  • nacl_repy/seattlelib/lind_server.mix

  • nacl_repy/seattlelib/dispatcher.repy

  • nacl_repy/seattlelib/lind_fs_calls.py

  • nacl_repy/seattlelib/lind_net_calls.py

Clone this wiki locally