From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.33)
	id 1CWjTt-0004UI-S2
	for qemu-devel@nongnu.org; Tue, 23 Nov 2004 17:49:53 -0500
Received: from exim by lists.gnu.org with spam-scanned (Exim 4.33)
	id 1CWjTt-0004U6-E2
	for qemu-devel@nongnu.org; Tue, 23 Nov 2004 17:49:53 -0500
Received: from [199.232.76.173] (helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.33) id 1CWjTt-0004U3-B0
	for qemu-devel@nongnu.org; Tue, 23 Nov 2004 17:49:53 -0500
Received: from [62.210.158.46] (helo=teheran.magic.fr)
	by monty-python.gnu.org with esmtp (Exim 4.34) id 1CWjKC-0000Dg-19
	for qemu-devel@nongnu.org; Tue, 23 Nov 2004 17:39:53 -0500
Received: from [192.168.0.2] (ppp-181.net-555.magic.fr [62.210.255.181])
	by teheran.magic.fr (8.11.6/8.11.2) with ESMTP id iANMdjZ15272
	for <qemu-devel@nongnu.org>; Tue, 23 Nov 2004 23:39:45 +0100 (CET)
Subject: Re: [Qemu-devel] syscall filtering
From: "J. Mayer" <l_indien@magic.fr>
In-Reply-To: <1101219555.8458.28.camel@localhost>
References: <1101219555.8458.28.camel@localhost>
Content-Type: text/plain
Message-Id: <1101249648.31127.1055.camel@rapid>
Mime-Version: 1.0
Date: Tue, 23 Nov 2004 23:40:48 +0100
Content-Transfer-Encoding: 7bit
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
List-Unsubscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <http://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

On Tue, 2004-11-23 at 15:19, Magnus Damm wrote:
> Hello,
> 
> While Piotrek is thinking about securing the system emulator, I am more
> interested in syscall filtering. I have not thought about it too much,
> but the idea (if possible) would be to run qemu as a filter for certain
> binaries on your machine. Basically, you run i386-user with filters on a
> i386 machine.

What about systrace ?
http://www.citi.umich.edu/u/provos/systrace/index.html

You never need an emulator to filter syscalls on Unix: take a look to
ptrace syscall, especially PTRACE_SYSCALL request, all needed features
are already there...
-- 
J. Mayer <l_indien@magic.fr>
Never organized