
Implementing a System Call for OpenBSD - soheilpro
https://poolp.org/drafts/2020-05-28-015100-copy/
======
snvzz
Just keep in mind that adding syscalls increases the attack surface of the
kernel, and complexity needs justification in general.

Linux's syscall list is out of control. The many BSDs have managed to keep it
more reasonable.

~~~
EdSchouten
There is nothing specific about system calls that increases the attack
surface. Individual sysctls, files in procfs, sysfs, ioctls, etc. are all
separate attack vectors.

The last time I checked, FreeBSD's list of system calls was larger than
Linux's. This is because Linux tends to expose more functionality through
sysfs, procfs, ioctl, while FreeBSD uses dedicated system calls.

[https://filippo.io/linux-syscall-table/](https://filippo.io/linux-syscall-table/) <- max = 313

[https://github.com/freebsd/freebsd/blob/master/sys/kern/sysc...](https://github.com/freebsd/freebsd/blob/master/sys/kern/syscalls.master) <- max = 576, 356 marked 'STD'

~~~
vertex-four
There's an argument that files can generally just, not be visible for specific
processes using the same tooling that protects other files, but none of the
kernels make this particularly easy as far as I can tell.

~~~
EdSchouten
On the other hand, the 'everything is a file' paradigm does sometimes cause
issues where you can make kernels crash by doing unexpected things with them.

- macOS could once easily be panicked by calling something like fpathconf()
on a message queue.

- If you want to have fun, try calling revoke(2) on character devices that
are not TTYs. I remember fixing a bug in FreeBSD once, where you could make
the system panic by calling that function on /dev/bpf.

~~~
himinlomax
On the other hand, having a single abstraction / entry point makes it easier
to implement generic sanity checks. If you add a check for that kind of
problem at the right layer, it will cover other / future interfaces. On the
other hand, if you use ad-hoc system calls, any mitigation or fix will
typically only cover that one specific call.

~~~
cyphar
Unfortunately, generic sanity checks are often not enough. You immediately run
into problems where very file-specific concepts (owner, RWX permissions)
aren't sufficient to handle certain types of represented-as-files objects
(such as procfs files, where privileges with regard to a process aren't
accurately described through Unix DAC permissions).

And then you get into some of the really hairy issues -- any user can trick a
privileged program into writing or reading from any file by simply spawning a
setuid program with stdio set to the file they wish to operate on. Thus, any
interface which is administrative is simply unsafe to expose through the
standard open/read/write interfaces -- which means that you have to come up
with some alternative interface anyway.

------
poolpOrg
Sorry, removed the article because it was a draft not meant to be published
yet, I didn't think someone would spot my drafts directory... :-)

Will finish and republish in a few days.

------
lewis1028282
The font on that site is awful and too small. I’m on a MacBook Pro Retina 2015

~~~
anthk
Use the reader mode in your browser.

~~~
zwirbl
Still a weird choice of font for a website. It looks somehow ok in firefox,
but unreadably thin in chromium

~~~
jolmg
Looks the same in both to me.

