
Syswall: a firewall for syscalls - teovoinea
https://www.polaris64.net/blog/programming/2019/syswall-a-firewall-for-syscalls
======
equalunique
Sounds a little bit like OpenBSD's pledge - was that a source of inspiration?

~~~
polaris64
Yes, partially, although I wanted to create a more interactive system for end-
users to reason about software. I wouldn't recommend it (certainly not yet at
least) for system security, tools like seccomp and pledge will do a better job
there.

~~~
lsofzz
Nice work. Just read this :-)

------
jquast
sounds like
[https://en.wikipedia.org/wiki/Systrace#Features](https://en.wikipedia.org/wiki/Systrace#Features)

more ...
[http://www.citi.umich.edu/u/provos/systrace/](http://www.citi.umich.edu/u/provos/systrace/)

it didn't work out then, but best wishes to the new generation

~~~
yazr
What do you mean by it didn't work? Not adopted or are there implementation
issues?

Also - for the OP. Don't be discouraged there's so many features to add,
management, attribution, machine learning etc

~~~
zxombie
There were some security issues in systrace.
/[http://www.watson.org/~robert/2007woot/](http://www.watson.org/~robert/2007woot/)

------
lsofzz
How is this different from seccomp?

~~~
polaris64
seccomp is a robust way of restricting a process's syscalls so that it can
only do what you allow it to.

syswall is more of an interactive tool (similar to systrace as mentioned in
another comment). The goal is not to replace seccomp (it's certainly not meant
to provide complete security), but rather to allow users to reason about what
a process is actually doing. For example, allowing users to see if a new
version does something different from the previous, perhaps meaning that
malicious code was added unexpectedly.

