Gustavo Franco <[EMAIL PROTECTED]> wrote:
> How many possibilities are there of adding systrace[1] in the next release of
> kernel-secure? It sounds very good and doesn't impact any system
> without a policy configuration. The users that are using
> kernel-secure without expertise won't be affected.
>
> [1] = http://www.citi.umich.edu/u/provos/systrace/linux.html
> http://www.systrace.org
>
> Can I request it as a feature? Or what?
I am running OpenBSD current and also systrace. It's a really nice idea, but the implementation isn't finished yet. It doesn't have any stability drawbacks on the OpenBSD kernel. I suppose it gives some overhead. But before this gets merged into the main kernel I would prefer to see some individuals experiment with systrace on the Linux kernel and see what happens.

btw, systrace is not really difficult, but doing it right isn't really simple either. For example: a policy file for tr, as used in a script by my bot running in systrace:

Policy: /usr/bin/tr, Emulation: native
native-fsread: filename eq "/usr/libexec/ld.so" then permit
native-read: permit
native-mmap: permit
native-issetugid: permit
native-__sysctl: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fsread: filename match "/usr/lib/*" then permit
                        ^^^^^^^^^^^^^^^^^^ the original is quite a few specific libs from /usr/lib/. Since I track -current (cooker for OpenBSD) they change all the time.
native-mprotect: permit
native-close: permit
native-munmap: permit
native-fstat: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-break: permit
native-ioctl: permit
native-write: permit
native-read: permit
native-exit: permit
native-fsread: filename eq "/<non-existent filename>: /etc/malloc.conf" then permit

And now a line from the policy file of the bot calling tr:

native-execve: filename eq "/usr/bin/tr" and argv match "/usr/bin/tr *" then permit

The original command is tr "\n" " "; systrace replaces that in the policy file with:

native-execve: filename eq "/usr/bin/tr" and argv eq "/usr/bin/tr " then permit

That's right. I reported that as a bug :)

Like I said, really kewl, but not yet newbie friendly.

# Han
--
http://www.xs4all.nl/~hanb/software
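A small evaluator for the rule lines quoted above, added here as an illustration and not part of the mail or of systrace itself: it parses the native-<syscall> lines, applies first-match semantics with the eq (exact) and match (glob) operators, and shows why the generated "argv eq" rule never fires for tr "\n" " " while the hand-written "argv match" rule does. Assumed: systrace renders argv as the arguments joined by single spaces, and a call no rule matches is reported as deny (systrace would actually prompt).

```python
import fnmatch

# Constructed policy excerpt, copied from the lines quoted in the mail above.
TR_POLICY = [
    'native-fsread: filename eq "/usr/libexec/ld.so" then permit',
    'native-read: permit',
    'native-fsread: filename match "/usr/lib/*" then permit',
    'native-fsread: filename eq "/etc/malloc.conf" then permit',
]
# The hand-written rule from the bot's policy and the one systrace generated.
HAND_WRITTEN = 'native-execve: filename eq "/usr/bin/tr" and argv match "/usr/bin/tr *" then permit'
GENERATED = 'native-execve: filename eq "/usr/bin/tr" and argv eq "/usr/bin/tr " then permit'
# argv the kernel sees for the shell command  tr "\n" " "  (assumption: systrace
# renders argv as the arguments joined by single spaces; the shell passes "\n"
# through as backslash-n, which tr itself later interprets).
TR_ARGV = " ".join(["/usr/bin/tr", "\\n", " "])

def parse_rule(line):
    """Split 'native-<call>: <pred> [and <pred>...] then <action>' or the
    unconditional form 'native-<call>: <action>' into (call, predicates, action)."""
    call, _, rest = line.partition(":")
    rest = rest.strip()
    if " then " not in rest:
        return call.strip(), [], rest
    cond, _, action = rest.rpartition(" then ")
    preds = []
    for clause in cond.split(" and "):
        field, op, value = clause.strip().split(" ", 2)
        preds.append((field, op, value.strip('"')))
    return call.strip(), preds, action.strip()

def pred_holds(op, value, actual):
    """'eq' is an exact string compare; 'match' is a shell-style glob."""
    if op == "eq":
        return actual == value
    if op == "match":
        return fnmatch.fnmatchcase(actual, value)
    raise ValueError(f"operator {op!r} is not handled by this example")

def decide(policy_lines, call, **fields):
    """The first rule for this syscall whose predicates all hold decides.
    No matching rule is treated as deny here (assumption; systrace would prompt)."""
    for line in policy_lines:
        rule_call, preds, action = parse_rule(line)
        if rule_call == call and all(
            pred_holds(op, value, fields.get(field, "")) for field, op, value in preds
        ):
            return action
    return "deny"

if __name__ == "__main__":
    for label, rule in (("hand-written", HAND_WRITTEN), ("generated", GENERATED)):
        print(label, decide([rule], "native-execve", filename="/usr/bin/tr", argv=TR_ARGV))
```

Note that "argv match "/usr/bin/tr *"" permits tr with any arguments at all, which is the least-privilege trade-off the reply is pointing at: the exact rule is unusable, the glob rule is broad.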