undefined | Better HN

0 pointswalterbell11y ago0 comments

Thanks. Looks like one of those voluntary rootkits that installs defensive code in a role that malware has been known to occupy. It's a good sign for AppArmor that it prevented it from running :)

0 comments

nl11y ago

I wouldn't have said it was much like a rootkit. It's more akin to a container or a chroot, except run without special permissions.

What am I missing? (Or is it just that some rootkits use ptrace/Seccomp?)

walterbellOP11y ago

LSM, LXC, chroot, seccomp have well defined APIs for separation. My comment was referring to ptrace.

Interposing (i.e violating API contracts) with ptrace is great for debugging or research prototypes, but the knowledge gained from that research needs to be made interoperable with existing APIs that have been battle tested. Paper said that ptrace/debug overhead is 100%, seccomp (an existing, non-debug API) reduces the need to use ptrace, halving runtime overhead.

Separately, a kernel exploit could break the "sandboxing" of ptrace or docker, hence the need for AppArmor and SE Linux. Here is a year-old Windows article about breaking out of Adobe and Chromium, principles are similar for Linux:

https://www.corelan.be/index.php/2013/03/15/blackhateu2013-d...

j / k navigate · click thread line to collapse