The utility program /bin/sysmask
------------------------------------------

The primary use of this utility is to launch a process under a defined mask. Here is what "sysmask -h" prints:

-------------------------------------------------------
Linux sysmask 1.00, kernel protocol version 1001.
Usage: sysmask [options] masks [command [arguments...]]
Options:
  -q          Query the mask setup.
  -qa         Detailed query with list of unmasked syscalls.
  -t trigger  Triggered mask; trigger may be a name or value.
  -n tcount   Used with trigger, set trigger count to tcount.
  -h          Print this message.
  -v          Print sysmask version.
  -z          Print the number of active sessions (for root only).
masks must be a non-empty list of mask names, token names, or process ids.
This program may be called in chain.
---------------------------------------------------------

If no command is given on the command line, /bin/sh will be launched.

For a first example, try "sysmask chdir". Then, in the subshell, try to cd to some directory; you will see the effect. Now try "sysmask link" and try to create some symbolic links.

The utility lets you set either active masks or triggered masks, but not both at the same time. You can, however, chain the two invocations:

    sysmask nonfreq,link,chmod sysmask -tchdir -n5 all /bin/sh

In the resulting subshell, ln and chmod are immediately unavailable, but you can make up to 4 cd's. If you issue a fifth one, you will find that everything is locked: from that point on, only commands that do not need kernel access will get through (set, echo, and a few others).

You can also set up masks according to a token by typing the token name in place of the list of masks. Token names can also be mixed with masks; in this case everything mentioned will be set. Of course, you must have the right to set the desired tokens. Tokens cannot be mixed at the same level: if you already have a system token, no other system token is accepted. The same is true for user tokens.
--------------------------------------------------------

Using the "-q" option, you can use the utility to query sysmask status. In this case, the command name and arguments after the mask parameter are ignored. By typing a plain "sysmask -q" or "sysmask -qa", you get the actual status of yourself, that is, of the shell process. By typing

    sysmask -q masks,tokens

you get the status a process would have if the requested masks and tokens were ADDED to your current status. The query output is very terse for the time being; you have to compare it with the mask definitions contained in sysmask.h.

You can also use the query feature to get the status of a running process. To do so, you must find out the process id of the running process, using ps or top. For example, suppose that the process that interests you has pid 3125. Then

    sysmask -q p3125

gives the current sysmask status of that process. Of course, you must have the right to query it, otherwise the query is refused: you cannot query a process that has a different uid than yourself, unless you are root, nor a process that has fewer tokens than yourself. If both have tokens at the same level, the two tokens must be equal. However, if you do not have a system token yourself, what happens at the user token level does not matter.

This last query facility makes it easy to write an auditing script that can quickly check the global security situation of a running system.
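An auditing sweep of the kind the last paragraph describes, as an added shell example that is not part of the sysmask distribution. It assumes a Linux /proc, that the binary is at /bin/sysmask (or named in $SYSMASK), and it applies the page's rule that a non-root user can only query processes with its own uid, so those are skipped instead of producing refused queries.

```shell
#!/bin/sh
# Added example, not sysmask's own code: run "sysmask -q pPID" over every
# process visible in /proc and report the raw (terse) status line of each.
# Assumptions: Linux /proc; sysmask binary at $SYSMASK (default /bin/sysmask).
SYSMASK=${SYSMASK:-/bin/sysmask}

# List the numeric pids currently present in /proc, one per line.
list_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# Real uid of a pid: first field of the "Uid:" line in /proc/PID/status.
pid_uid() {
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status" 2>/dev/null
}

# Return 0 if we are allowed to query this pid under the documented rule:
# root may query anything, everyone else only processes with their own uid.
# (The token-level rules are not checked here; a refused query shows up as
# a non-zero exit status from sysmask instead.)
may_query() {
    me=$(id -u)
    [ "$me" -eq 0 ] && return 0
    [ "$(pid_uid "$1")" = "$me" ]
}

# Query one pid; print "PID<TAB>sysmask output" and return sysmask's status.
query_pid() {
    rc=0
    out=$("$SYSMASK" -q "p$1" 2>&1) || rc=$?
    printf '%s\t%s\n' "$1" "$out"
    return $rc
}

# Sweep all queryable pids; exit 1 if any query failed or was refused.
audit_all() {
    failed=0
    for pid in $(list_pids); do
        may_query "$pid" || continue
        query_pid "$pid" || failed=1
    done
    return $failed
}
```

Compare the printed status lines against the mask definitions in sysmask.h to spot processes running with fewer restrictions than intended.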