System call risk level classification
-----------------------------------------------------------

Here we classify the Linux syscalls according to their security risk
levels. Seven risk levels are defined, ranging from 0 to 6. The
classification is necessarily subjective. The design of the first mask
set of sysmask is derived directly from this risk classification. The
query option of sysmask shows the maximal risk level of a sysmask
definition or of a running process. Running "sysmask -qa" on an empty
mask lists the risk level of every active syscall.

--------------------------------------------------------------

Level 6: Obsolete and new syscalls.
  High risk of privilege elevation: these calls are almost never used
  in practice, so they are insufficiently tested. The mask "minimal"
  closes them.

Level 5: Linux-specific syscalls.
  High risk of privilege elevation, as these calls are rarely used in
  general. The mask "nonstd" (together with "minimal") closes all of
  them.

Level 4: Syscalls that modify system parameters.
  Risk of privilege elevation and of direct damage to the system. The
  mask "nonfreq" closes all syscalls of this level and above.

Level 3: Access to various system resources and objects.
  Non-negligible risk of privilege elevation, in particular through
  execve. Risk of DoS attacks and unauthorized accesses: for example,
  Linux provides no quota limits on IPC objects. If not masked, the
  creation of hard and symbolic links can also be used to escape
  selective file access control. The mask "resource" closes most of
  them; you will usually want it in conjunction with "nonfreq", since
  "resource" alone leaves levels 4 to 6 open.

Level 2: Filesystem accesses by pathname.
  If unchecked, specially crafted pathnames might trigger hidden bugs or
  vulnerabilities in a specific kernel filesystem driver (the risk is
  limited). The mask "path", together with a token definition, allows
  the filename to be checked before the kernel dives into the filesystem
  drivers.

Level 1: Operations on existing file handles.
  Risk of undesired manipulation of the associated objects. Associated
  masks: "dread", "mmap", "fnoharm", "fmisc", "poll", among others.

Level 0: Information requests with no significant user parameters.
  The security risk of these calls should be small. Associated mask:
  "harmless".

---------------------------------------------------------------

Some syscalls are never masked:

  exit, exit_group: these cannot be masked.
  read, write, close: fundamental calls that every process needs.
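The query semantics above (the maximal risk level of a mask definition, the per-level listing of "sysmask -qa", and the never-masked floor) are modelled below as an added example. This is not sysmask's own code and does not read the kernel's mask tables: the syscalls the page names (execve, link, symlink, mmap, poll, exit, exit_group, read, write, close) are placed at the levels the text gives them, every other syscall placement and every level-1 mask membership is an assumption chosen to give each level some members, "resource" is modelled as closing all of level 3 although the page says "most", and the mask names are taken from the text.

```python
"""Model of the sysmask risk-level query (added example, not sysmask's own code)."""
from typing import Dict, FrozenSet, Iterable, List, Set

# Risk level per syscall. Calls the page names are placed as the text
# describes; every other placement is an assumption made for illustration.
RISK_LEVEL: Dict[str, int] = {
    "exit": 0, "exit_group": 0, "getpid": 0, "getuid": 0, "uname": 0,
    "read": 1, "write": 1, "close": 1, "pread64": 1, "fsync": 1,
    "fstat": 1, "mmap": 1, "poll": 1,
    "open": 2, "stat": 2,
    "execve": 3, "link": 3, "symlink": 3, "shmget": 3,
    "sethostname": 4, "reboot": 4,
    "splice": 5, "inotify_init": 5,
    "uselib": 6, "sysfs": 6,
}

# Calls the page says are never masked, whatever the mask definition says.
NEVER_MASKED: FrozenSet[str] = frozenset({"exit", "exit_group", "read", "write", "close"})

# Masks that close whole risk levels, as the page describes them. "resource"
# is modelled as closing all of level 3 (the page says "most"); "nonstd" is
# modelled as level 5 only, so it needs "minimal" to cover level 6 as well.
MASK_LEVELS: Dict[str, Set[int]] = {
    "minimal": {6}, "nonstd": {5}, "nonfreq": {4, 5, 6},
    "resource": {3}, "path": {2}, "harmless": {0},
}

# Level-1 masks close individual file-handle calls; memberships are assumed.
MASK_SYSCALLS: Dict[str, Set[str]] = {
    "dread": {"pread64"}, "mmap": {"mmap"}, "poll": {"poll"},
    "fnoharm": {"fsync"}, "fmisc": {"fstat"},
}

ALL_MASKS: List[str] = list(MASK_LEVELS) + list(MASK_SYSCALLS)


def closed_by(masks: Iterable[str]) -> FrozenSet[str]:
    """Syscalls closed by a mask definition; unknown mask names are an error."""
    closed: Set[str] = set()
    for mask in masks:
        if mask in MASK_LEVELS:
            closed.update(s for s, lvl in RISK_LEVEL.items() if lvl in MASK_LEVELS[mask])
        elif mask in MASK_SYSCALLS:
            closed.update(MASK_SYSCALLS[mask])
        else:
            raise ValueError(f"unknown mask: {mask}")
    # The never-masked calls stay open no matter which masks were named.
    return frozenset(closed - NEVER_MASKED)


def active_syscalls(masks: Iterable[str]) -> FrozenSet[str]:
    """Syscalls still reachable under the given mask definition."""
    return frozenset(RISK_LEVEL) - closed_by(masks)


def max_risk_level(masks: Iterable[str]) -> int:
    """What the query option reports: the highest level still reachable."""
    return max(RISK_LEVEL[s] for s in active_syscalls(masks))


def risk_report(masks: Iterable[str]) -> Dict[int, List[str]]:
    """Per-level listing of active syscalls, in the spirit of "sysmask -qa"."""
    report: Dict[int, List[str]] = {}
    for s in sorted(active_syscalls(masks)):
        report.setdefault(RISK_LEVEL[s], []).append(s)
    return report


def check_definition(masks: Iterable[str]) -> List[str]:
    """Warn about combinations the page flags as incomplete on their own."""
    chosen = set(masks)
    warnings: List[str] = []
    if "nonstd" in chosen and not chosen & {"minimal", "nonfreq"}:
        warnings.append('"nonstd" leaves level 6 open; add "minimal"')
    if "resource" in chosen and "nonfreq" not in chosen:
        warnings.append('"resource" leaves levels 4-6 open; add "nonfreq"')
    return warnings


if __name__ == "__main__":
    for definition in ([], ["minimal", "nonstd"], ["resource"], ALL_MASKS):
        print(definition, "-> max level", max_risk_level(definition),
              check_definition(definition))
```

Even with every mask applied the reported maximum never drops below level 1, because read, write and close remain open: that floor is the never-masked rule made visible, and it is the reason a mask definition can reduce but never eliminate the syscall surface of a process.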