List of available masks and their meanings

Names are valid for the utility /bin/sysmask and for the sysmask configuration. When used in C directly with sysmask_struct, the masks should be converted to upper case and prefixed with SM1_ and SM2_ for the mask sets m1 and m2 respectively. For example, the mask "chmod" corresponds to SM1_CHMOD for m1 and SM2_CHMOD for m2 (the latter is 0, since chmod lives in mask set 1).

When used with /bin/sysmask, several masks may be juxtaposed, separated by commas or spaces. Token names may be mixed with them. Mask names preceded by "no" can be used for exclusion: for example, "all,noopen" means all masks except "open". System call names preceded by an "x" designate syscall exceptions. Unrecognized names are silently ignored, so check spelling carefully: a misspelled mask is simply not applied.

Names of capability masks are the corresponding capability names prefixed with "cap_". For example, the mask name for the mknod capability is "cap_mknod". There is also a "cap_all" mask that masks all capabilities.

The same syntax applies to the "mask" and "tmask" definitions in the sysmask configuration, except that token names are ignored there. The "maskset" and "maskunset" conditions in the configuration further exclude the use of exceptions and capability masks.

#################################################################

Name: all
Effect: sets every mask bit in the first and second mask sets. Capability masks are not affected; use cap_all for those.

Name: brk
Mask set: 1
Effect: hard-mask of brk.
Fully masked syscalls: brk
Comment: this syscall is usually necessary for process startup. It is also used by malloc().

Name: chdir
Mask set: 1
Effect: hard-mask of chdir.
Fully masked syscalls: chdir fchdir

Name: chmod
Mask set: 1
Effect: denies modification of file attributes.
Fully masked syscalls: chmod utime umask fchmod setxattr lsetxattr fsetxattr removexattr lremovexattr fremovexattr
Partially masked syscalls: open creat
Comment: besides the hard-masks, this mask also disallows opening an executable file for writing. Thus the process's ability to write to executable files is fully disabled. Useful for virus protection.

Name: chroot
Mask set: 1
Effect: hard-mask of chroot.
Fully masked syscalls: chroot
Comment: fchdir is not masked by chroot despite the well-known historic escape it enables. This is because sh needs fchdir for recursive operations. Therefore you had better mask chdir too if you want to prevent escaping from a chroot jail.

Name: core
Mask set: 2
Effect: prohibits core dumps.
Comment: this mask prohibits core dumps when the process dies unexpectedly. It is there mainly to prevent resource exhaustion through core dumps, and it also avoids potential exploitation of vulnerabilities in the core-dump routines.

Name: creat
Mask set: 2
Effect: denies creation of non-existing files.
Partially masked syscalls: open creat
Comment: this mask only affects the creation of regular files. Use "link" and "dir" for the creation of hard/symbolic links and directories.

Name: denyid
Mask set: 2
Partially masked syscalls: many
Effect: the rc file /etc/sysmask/smkdrc defines a special uid/gid number, called denyid. One may add a special user and group to /etc/passwd and /etc/group with the name "smk-deny" and with uid and gid equal to denyid; the uid and gid of smk-deny should be the same. When smkd is launched, it registers this id with the kernel. Any process with this mask set will be denied access to files whose uid or gid equals smk-deny. This mask can be used to define, system-wide, files that exposed processes may not access. Candidates for protection include /etc/sysmask/sys, /var/log/smkd.log, /dev/kmem, /dev/mem, /dev/port, etc. On the other hand, it is not recommended to protect /etc/shadow this way, because that file is needed by exposed daemons.

Name: dev
Mask set: 2
Effect: denies access to device drivers except /dev/null (major=1, minor=3).
Partially masked syscalls: open creat
Comment: this mask only denies the opening of device files. Access through already opened file handles is not affected.

Name: dir
Mask set: 1
Effect: hard-mask of mkdir and rmdir.
Fully masked syscalls: mkdir rmdir

Name: dread
Mask set: 1
Effect: hard-mask of syscalls reading directory contents and file attributes.
Fully masked syscalls: oldstat oldfstat oldlstat access readlink stat lstat fstat getdents getcwd stat64 lstat64 fstat64 getdents64 getxattr lgetxattr fgetxattr listxattr llistxattr flistxattr lookup_dcookie

Name: dwrite
Effect: this is the synonym of creat,erase,dir,link,mount

Name: erase
Mask set: 1
Effect: hard-mask of file erasing.
Fully masked syscalls: unlink rmdir truncate truncate64

Name: exec
Mask set: 2
Effect: mask of execve.
Partially masked syscalls: execve
Comment: this mask denies execve entirely if smkd is not running or if no token is defined for the process. Otherwise, smkd is consulted to determine whether the request is allowed and under which conditions, according to the process's tokens.

Name: execve
Mask set: 2
Effect: hard mask of execve.
Fully masked syscalls: execve
Comment: this is a hard mask installed within the syscall itself.

Name: file
Effect: this is the synonym of fopen,dread,dwrite,chmod,chdir,mmap,fs,fmisc
Comment: this group of masks should deny all access to the local file system.

Name: fmisc
Mask set: 1
Effect: hard-mask of miscellaneous file-manipulation syscalls.
Fully masked syscalls: dup pipe fcntl dup2 ftruncate flock ftruncate64 fcntl64

Name: fnoharm
Mask set: 1
Effect: hard-mask of probably harmless syscalls on file handles.
Fully masked syscalls: sync fsync msync fdatasync lseek llseek

Name: fopen
Effect: this is the synonym of open,erase,mmap,ipc,dev,procfs

Name: fork
Mask set: 1
Effect: hard-mask of process forking and threading.
Fully masked syscalls: fork waitpid wait4 clone vfork

Name: fs
Mask set: 1
Effect: hard-mask of file system manipulating syscalls.
Fully masked syscalls: ustat statfs fstatfs sysfs statfs64 fstatfs64

Name: harmless
Mask set: 1
Effect: hard-mask of miscellaneous syscalls that should be harmless.
Fully masked syscalls: getpid getuid pause getgid16 geteuid16 getegid16 getppid getpgrp getgroups16 readv writev nanosleep pread64 pwrite64 getuid getgid geteuid getegid getgroups gettid newuname time times gettimeofday

Name: ioctl
Mask set: 1
Effect: hard-mask of ioctl.
Fully masked syscalls: ioctl

Name: ipc
Mask set: 1
Effect: hard-mask of ipc.
Fully masked syscalls: ipc
Comment: in Linux this is the common gateway for all IPC syscalls, so this mask blocks all access to IPC objects. The kernel currently has no quota restrictions on IPC objects, which makes them ideal targets for denial-of-service attacks. This mask should be set whenever possible.

Name: kill
Mask set: 1
Effect: hard-mask of kill.
Fully masked syscalls: kill prctl tkill

Name: killsmkd
Mask set: 2
Effect: disallows manipulation of the sysmask daemon smkd.
Comment: this mask should be set except for processes that must manipulate smkd (or become the daemon).

Name: kmod
Mask set: 2
Partially masked syscalls: many
Comment: this mask prohibits the process from triggering usermodehelper() (see kernel/kmod.c). This helper creates and executes a process with full root privileges (even with some sysmask masks removed), so its use has to be controlled. usermodehelper() usually calls /sbin/modprobe; this in itself is a considerable risk, because kernel rootkits can be installed this way.

Name: ldt
Mask set: 2
Effect: hard mask of modify_ldt.
Fully masked syscalls: modify_ldt
Comment: this is a hard mask installed within the syscall. The syscall seems to be vital for User-Mode Linux but is otherwise only used by some special programs. It is kept out of the big nonstd list to allow for future enhancements (a dataexec mask).

Name: link
Mask set: 1
Effect: hard-mask of the creation of hard and symbolic links, plus rename.
Fully masked syscalls: link symlink rename
Comment: this mask gathers the system calls that create new names for an existing file. Setting it helps selective file access control.

Name: log
Mask set: 2
Effect: this mask does not add any restriction to the process. It just tells smkd (if present) to log refused accesses. Very useful for debugging, but not really useful for attack detection, because the number of log entries per process is limited for security reasons.

Name: minimal
Effect: this is the synonym of obsolete,new,killsmkd,cap
Comment: this group of masks should accommodate the great majority of real programs.

Name: misc
Mask set: 1
Effect: hard-mask of some miscellaneous syscalls.
Fully masked syscalls: ptrace mprotect
Comment: not used. Set this mask whenever possible: these syscalls can become useful tools for attackers.

Name: mmap
Mask set: 1
Effect: hard-mask of mmap syscalls.
Fully masked syscalls: old_mmap munmap msync mremap mmap2 remap_file_pages
Comment: mmap is needed by the dynamic loader at the startup of most processes, to map libraries into memory.

Name: mount
Mask set: 1
Effect: hard-mask of filesystem mount and umount.
Fully masked syscalls: mount umount umount2 swapon swapoff mknod

Name: new
Mask set: 1
Effect: hard-mask of new syscalls (number 270 and above), as well as restart_syscall (number 0).
Fully masked non-implemented syscalls: #222 #223 #251
Comment: on the one hand, new syscalls are rarely used by existing programs; on the other, they are probably not fully tested and may therefore contain vulnerabilities. To be masked out whenever possible.

Name: nonfreq
Effect: this is the synonym of misc,root,nonstd,obsolete,new,killsmkd,ldt

Name: nonstd
Mask set: 1
Effect: hard-mask of non-standard (Linux-specific) syscalls.
Fully masked syscalls: ioperm iopl vhangup sysinfo setdomainname adjtimex create_module init_module delete_module get_kernel_syms bdflush personality afs_syscall sysctl setfsuid16 setfsgid16 mremap setresuid16 getresuid16 vm86 query_module nfsservctl setresgid16 getresgid16 prctl sigaltstack sendfile setresuid getresuid setresgid getresgid setfsuid setfsgid pivot_root mincore madvise readahead tkill sendfile64 futex sched_setaffinity sched_getaffinity set_thread_area get_thread_area io_setup io_destroy io_getevents io_submit io_cancel fadvise64
Syscalls of number 253 and up are all fully masked by this mask: lookup_dcookie epoll_create epoll_ctl epoll_wait remap_file_pages set_tid_address timer_create timer_settime timer_gettime timer_getoverrun timer_delete clock_settime clock_gettime clock_getres clock_nanosleep statfs64 fstatfs64
Fully masked non-implemented syscalls: break stty gtty ftime prof lock ulimit profil idle getpmsg putpmsg
Comment: this mask is very broad. Programs using Linux-specific functionality will inevitably break, but in many cases setting up exceptions and/or using triggers can help. Truly portable programs are not affected by this mask. Note that these syscalls are not frequently used and might therefore have a high vulnerability density; historically, vulnerabilities have been discovered in several syscalls in this list.

Name: obsolete
Mask set: 1
Effect: hard-mask of obsolete syscalls.
Fully masked syscalls: oldstat oldfstat oldlstat olduname uselib old_readdir oldolduname vm86old
Comment: obsolete syscalls are rarely used by real programs. Consequently they are less well checked and may contain a higher rate of bugs and vulnerabilities. This mask should be set whenever possible. More obsolete syscalls will be pushed into this mask later.

Name: open
Mask set: 1
Effect: hard-mask of file opening and of property modification of opened files.
Fully masked syscalls: open creat fcntl fcntl64

Name: open2
Effect: this is the synonym of ropen,wopen

Name: orphan
Mask set: 2
Effect: kills every child process when the parent exits.
Comment: when this mask is set, the process sends SIGKILL to all its direct children when it exits. A defense against denial-of-service attacks. The children of children are killed in turn, because the mask is inherited, unless one of the children has had its sysmask redefined by smkd. Note that this mask grants the process the right to kill all its direct children regardless of uid setup.

Name: path
Mask set: 2
Effect: checks pathnames submitted by the process.
Comment: when this mask is set, any pathname submitted by the process is checked against the sysmask file-access configuration: for reading if ropen is set, and/or for writing if wopen is set and the syscall may modify something about the file. Nothing is done if neither ropen nor wopen is set. The affected syscalls range from stat() to mount(). If smkd is not present or the process has no token, this mask refuses every such syscall that takes a pathname, according to ropen and wopen.

Name: priv
Effect: this is the synonym of rlim,sysmask,cap

Name: proc
Effect: this is the synonym of fork,exec,kill,signal

Name: procfs
Mask set: 2
Effect: denies access to the proc file system.
Partially masked syscalls: open creat
Comment: this mask only denies the opening of files and directories. Access through already opened file handles is not affected.

Name: poll
Mask set: 1
Effect: hard-mask of event polling syscalls.
Fully masked syscalls: old_select select poll epoll_create epoll_ctl epoll_wait

Name: rlim
Mask set: 1
Effect: hard-mask of process privilege manipulation syscalls.
Fully masked syscalls: nice setrlimit getrlimit getrusage getpriority setpriority setitimer getitimer sched_yield sched_get_priority_max sched_get_priority_min ugetrlimit

Name: root
Effect: this is the synonym of rootmisc,sysadm,mount,chroot,suid

Name: rootmisc
Mask set: 1
Effect: hard-mask of various syscalls generally only available to root.
Fully masked syscalls: lchown reboot fchown ioperm syslog iopl vhangup bdflush mlock munlock mlockall munlockall sched_setparam sched_getparam sched_setscheduler sched_getscheduler sched_rr_get_interval chown chown16 lchown fchown pivot_root mincore madvise sched_setaffinity sched_getaffinity

Name: ropen
Mask set: 2
Effect: selectively masks file opening for reading.
Partially masked syscalls: open
Comment: the selective mask feature is available only when the process has non-zero sysmask tokens and smkd is active; the result depends on the smkd configuration. Otherwise every request is denied. This mask does not affect already opened file handles.

Name: signal
Mask set: 1
Effect: hard-mask of signal processing syscalls.
Fully masked syscalls: alarm signal sigaction sgetmask ssetmask sigsuspend sigpending sigreturn sigprocmask rt_sigreturn rt_sigaction rt_sigprocmask rt_sigpending rt_sigtimedwait rt_sigqueueinfo rt_sigsuspend sigaltstack

Name: socketcall
Mask set: 1
Effect: hard-mask of socketcall.
Fully masked syscalls: socketcall
Comment: in Linux this is the common gateway for all socket syscalls. Hence this mask blocks all access to sockets, including Unix-domain sockets (and therefore X Windows), except read/write on already opened sockets.

Name: socknet
Mask set: 2
Effect: denies socket opening except for Unix domains.
Partially masked syscalls: socket
Comment: this mask lets the process connect to a local X server but denies network access.

Name: sockopen
Mask set: 2
Effect: selective mask of socket opening.
Partially masked syscalls: socket socketpair
Comment: needs smkd for policy enforcement; otherwise every call is denied.

Name: sockop
Mask set: 2
Effect: selective mask of socket operations.
Partially masked syscalls: socketcall
Comment: this mask checks the token configuration for the following socket operations: bind, listen, accept, connect, setsockopt, sendto, sendmsg. If smkd is not active or the process has no sysmask tokens, these operations are always refused, except for sending on already connected sockets.

Name: spid
Mask set: 1
Effect: hard-mask of process id manipulating syscalls.
Fully masked syscalls: setpgid setsid getpgid getsid

Name: startup
Effect: this is the synonym of mmap,ldt

Name: suid
Mask set: 2
Effect: denies uid/gid changes if euid != 0. Also silently ignores the set-uid bit of executables.
Partially masked syscalls: setuid16 setgid16 setreuid16 setregid16 setgroups16 setreuid setregid setgroups setuid setgid setresuid setresgid execve setfsuid16 setfsgid16 setfsuid setfsgid

Name: sysadm
Mask set: 1
Effect: hard-mask of system administration syscalls usually reserved to root.
Fully masked syscalls: stime acct sethostname settimeofday setdomainname adjtimex create_module init_module delete_module get_kernel_syms quotactl sysctl query_module nfsservctl

Name: sysmask
Mask set: 1
Effect: hard-mask of sysmask and capability manipulation syscalls.
Fully masked syscalls: sysmask (hijacked mpx) capget capset

Name: umask1 umask2 umask3 umask4
Mask set: 2
Effect: these masks do nothing in the kernel, but can be used in the daemon configuration to define conditional accesses. Combined with access mask-triggering, sophisticated interactive reactions can be defined.

Name: wopen
Mask set: 2
Effect: selectively masks file system writing.
Partially masked syscalls: open creat link unlink mknod chmod lchown mount umount rename mkdir rmdir symlink swapon truncate swapoff truncate64 chown setxattr lsetxattr removexattr lremovexattr
Comment: the selective mask feature is available only when the process has non-zero sysmask tokens and smkd is active; the result depends on the smkd configuration. Otherwise every request is denied. This mask does not affect already opened file handles.
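The name-resolution rules described at the top of this page (comma- or space-separated lists, groups such as "file", "no" exclusion, "x" syscall exceptions, "cap_" names, and the SM1_/SM2_ constant naming for C), as an added Python example. This is not code from the sysmask project. GROUPS and MASK_SET are transcribed from this page; HARD_MASKED is a partial transcription (a dozen set-1 masks) used only to show what an "x" exception removes. Two points are assumptions: that a complete mask name takes precedence over "no"/"x" prefix parsing (so "nonstd" is the mask, not "no"+"nstd"), and that an "x" exception simply removes that syscall from the hard-masked set. One deliberate departure from /bin/sysmask, which ignores unrecognized names silently: this resolver reports them, which is what you want when checking a configuration for typos (it also surfaces the name "cap", listed in the "minimal" and "priv" groups but not defined on this page).

```python
"""Resolve a sysmask name list written in the /bin/sysmask syntax.

Added example, not code from the sysmask project.  GROUPS and MASK_SET are
transcribed from the mask list; HARD_MASKED is a partial transcription
(set-1 masks only).  Prefix precedence and "x" semantics are assumptions.
"""
import re
from dataclasses import dataclass, field

# Group names ("synonym of ...") from the mask list.
GROUPS = {
    "dwrite": "creat,erase,dir,link,mount",
    "file": "fopen,dread,dwrite,chmod,chdir,mmap,fs,fmisc",
    "fopen": "open,erase,mmap,ipc,dev,procfs",
    "minimal": "obsolete,new,killsmkd,cap",
    "nonfreq": "misc,root,nonstd,obsolete,new,killsmkd,ldt",
    "open2": "ropen,wopen",
    "priv": "rlim,sysmask,cap",
    "proc": "fork,exec,kill,signal",
    "root": "rootmisc,sysadm,mount,chroot,suid",
    "startup": "mmap,ldt",
}

# Elementary mask -> mask set (1 or 2), from the mask list.
MASK_SET = {
    "brk": 1, "chdir": 1, "chmod": 1, "chroot": 1, "core": 2, "creat": 2,
    "denyid": 2, "dev": 2, "dir": 1, "dread": 1, "erase": 1, "exec": 2,
    "execve": 2, "fmisc": 1, "fnoharm": 1, "fork": 1, "fs": 1, "harmless": 1,
    "ioctl": 1, "ipc": 1, "kill": 1, "killsmkd": 2, "kmod": 2, "ldt": 2,
    "link": 1, "log": 2, "misc": 1, "mmap": 1, "mount": 1, "new": 1,
    "nonstd": 1, "obsolete": 1, "open": 1, "orphan": 2, "path": 2,
    "procfs": 2, "poll": 1, "rlim": 1, "rootmisc": 1, "ropen": 2,
    "signal": 1, "socketcall": 1, "socknet": 2, "sockopen": 2, "sockop": 2,
    "spid": 1, "suid": 2, "sysadm": 1, "sysmask": 1, "umask1": 2,
    "umask2": 2, "umask3": 2, "umask4": 2, "wopen": 2,
}

# Hard-masked syscalls for a few set-1 masks (partial transcription).
HARD_MASKED = {
    "brk": "brk",
    "chdir": "chdir fchdir",
    "chroot": "chroot",
    "dir": "mkdir rmdir",
    "erase": "unlink rmdir truncate truncate64",
    "fork": "fork waitpid wait4 clone vfork",
    "ioctl": "ioctl",
    "ipc": "ipc",
    "kill": "kill prctl tkill",
    "link": "link symlink rename",
    "mount": "mount umount umount2 swapon swapoff mknod",
    "open": "open creat fcntl fcntl64",
    "socketcall": "socketcall",
    "spid": "setpgid setsid getpgid getsid",
}


@dataclass
class Resolved:
    m1: set = field(default_factory=set)          # set-1 mask names
    m2: set = field(default_factory=set)          # set-2 mask names
    caps: set = field(default_factory=set)        # capability names; "all" = cap_all
    exceptions: set = field(default_factory=set)  # syscalls given with an "x" prefix
    unknown: list = field(default_factory=list)   # names the mask list does not define

    def c_macros(self):
        """Constant names for sysmask_struct in C: SM1_/SM2_ plus upper-cased name."""
        return (sorted(f"SM1_{n.upper()}" for n in self.m1)
                + sorted(f"SM2_{n.upper()}" for n in self.m2))

    def hard_masked_syscalls(self):
        """Syscalls hard-masked by the selected set-1 masks, minus "x" exceptions
        (only masks present in the partial HARD_MASKED table contribute)."""
        calls = set()
        for name in self.m1:
            calls.update(HARD_MASKED.get(name, "").split())
        return calls - self.exceptions


def expand(name):
    """Expand a group name recursively into elementary mask names."""
    if name in GROUPS:
        return set().union(*(expand(s) for s in GROUPS[name].split(",")))
    return {name}


def _apply(r, names, add):
    for n in names:
        ms = MASK_SET.get(n)
        if ms is None:
            r.unknown.append(n)       # e.g. "cap" inside the "minimal" group
            continue
        target = r.m1 if ms == 1 else r.m2
        if add:
            target.add(n)
        else:
            target.discard(n)


def resolve(spec):
    """Process names left to right, so "all,noopen" means all masks except open."""
    r = Resolved()
    for tok in re.split(r"[,\s]+", spec.strip()):
        if not tok:
            continue
        if tok == "all":                        # every bit of set 1 and 2; caps untouched
            r.m1.update(n for n, s in MASK_SET.items() if s == 1)
            r.m2.update(n for n, s in MASK_SET.items() if s == 2)
        elif tok.startswith("cap_"):            # capability mask, e.g. cap_mknod, cap_all
            r.caps.add(tok[4:])
        elif tok in MASK_SET or tok in GROUPS:  # a full name wins over prefix parsing
            _apply(r, expand(tok), add=True)
        elif tok.startswith("no") and (tok[2:] in MASK_SET or tok[2:] in GROUPS):
            _apply(r, expand(tok[2:]), add=False)
        elif tok.startswith("x") and len(tok) > 1:   # syscall exception
            r.exceptions.add(tok[1:])
        else:
            r.unknown.append(tok)               # /bin/sysmask would ignore this silently
    return r


if __name__ == "__main__":
    res = resolve("all,noopen,xbrk")
    print("m1:", sorted(res.m1))
    print("hard-masked minus exceptions:", sorted(res.hard_masked_syscalls()))
    print("unknown:", res.unknown)
```

Because names are processed in order, "noopen,all" re-enables open; put exclusions after the group or "all" they are meant to narrow, exactly as the "all,noopen" example in the text does.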