Gustavo Franco <[EMAIL PROTECTED]> wrote:

> What are the chances of adding systrace[1] in the next release of
> kernel-secure? It sounds very good and does not impact any system
> without a policy configuration. The users that are using
> kernel-secure without expertise won't be affected.
> 
> [1] = http://www.citi.umich.edu/u/provos/systrace/linux.html
>       http://www.systrace.org
> 
> Can I request it as a feature? Or what?

I am running OpenBSD -current and also systrace. It's a really
nice idea, but the implementation isn't finished yet. It doesn't
have any stability drawbacks on the OpenBSD kernel. I suppose
it gives some overhead.

But before this gets merged into the main-kernel I would prefer
to see some individuals experiment with systrace on the linux 
kernel and see what happens.

By the way, systrace is not really difficult, but doing it right
isn't really simple either.

For example: a policy file for tr, as used in a script by my bot
running in systrace:

Policy: /usr/bin/tr, Emulation: native
        native-fsread: filename eq "/usr/libexec/ld.so" then permit
        native-read: permit
        native-mmap: permit
        native-issetugid: permit
        native-__sysctl: permit
        native-fsread: filename eq "/var/run/ld.so.hints" then permit
        native-fsread: filename match "/usr/lib/*" then permit
                                ^^^^^^^^^^^^^^^^^^
                                The original has quite a few specific libs from /usr/lib/;
                                since I track -current (cooker for OpenBSD),
                                they change all the time.
        native-mprotect: permit
        native-close: permit
        native-munmap: permit
        native-fstat: permit
        native-fsread: filename eq "/etc/malloc.conf" then permit
        native-break: permit
        native-ioctl: permit
        native-write: permit
        native-read: permit
        native-exit: permit
        native-fsread: filename eq "/<non-existent filename>: /etc/malloc.conf" then permit

And now a line from the policyfile of the bot calling tr. 

        native-execve: filename eq "/usr/bin/tr" and argv match "/usr/bin/tr *" then permit

The original command is tr "\n" " "; systrace replaces that in the policy file with:

        native-execve: filename eq "/usr/bin/tr" and argv eq  "/usr/bin/tr 
  " then permit


That's right. I reported that as a bug :)
Like I said, really kewl, but not yet newbie-friendly.



# Han
-- 
http://www.xs4all.nl/~hanb/software
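To make the eq/match distinction in the rules above concrete, here is an added example (not part of Han's post and not systrace's own code): a toy evaluator in Python for the subset of systrace policy syntax that appears in the post. It assumes rules are tried in order with the first match winning, that a call no rule covers is denied, that `match` is shell-style globbing (fnmatch is used as a stand-in; the exact semantics of the real matcher are not asserted), and that systrace renders argv as the arguments joined by single spaces, which is how tr "\n" " " ends up with a raw newline inside the quotes. The rule lines are copied from the post; the file names fed to it are constructed test inputs.

```python
"""Toy evaluator for the systrace policy syntax shown in the post (added example)."""
import fnmatch
import re
from dataclasses import dataclass

# A rule is "<call>: <body>", body being "permit"/"deny" or
# "<pred> [and <pred> ...] then permit|deny". A quoted value may contain a raw
# newline (that is what systrace wrote for tr "\n" " "), so rules are split by a
# regex that treats quoted strings as atomic instead of by splitting on lines.
RULE_RE = re.compile(r'(?P<call>native-\w+):(?P<body>(?:[^"\n]|"(?:[^"\\]|\\.)*")*)')
BODY_RE = re.compile(r'^\s*(?:(?P<cond>.*?)\s+then\s+)?(?P<action>permit|deny)\s*$', re.S)
PRED_RE = re.compile(r'(?P<field>\w+)\s+(?P<op>eq|match)\s+"(?P<val>(?:[^"\\]|\\.)*)"', re.S)


@dataclass
class Rule:
    call: str
    preds: list   # [(field, op, pattern), ...]; an empty list means unconditional
    action: str


def parse_policy(text):
    """Parse the rule lines of a policy; the "Policy: ..., Emulation: ..." header is skipped."""
    rules = []
    for m in RULE_RE.finditer(text):
        body = BODY_RE.match(m.group("body"))
        if body is None:
            raise ValueError(f"cannot parse rule body {m.group('body')!r}")
        preds = [(p.group("field"), p.group("op"), p.group("val"))
                 for p in PRED_RE.finditer(body.group("cond") or "")]
        rules.append(Rule(m.group("call"), preds, body.group("action")))
    return rules


def pred_holds(op, pattern, value):
    if op == "eq":
        return value == pattern
    # Assumption: systrace's "match" is shell-style globbing; fnmatch stands in for it.
    return fnmatch.fnmatchcase(value, pattern)


def decide(rules, call, **fields):
    """First matching rule wins. Assumption: a call that no rule covers is denied."""
    for r in rules:
        if r.call == call and all(pred_holds(op, pat, fields.get(f, ""))
                                  for f, op, pat in r.preds):
            return r.action
    return "deny"


def execve_argv(argv):
    """The argv string as it appears in the post's rules: arguments joined by single spaces."""
    return " ".join(argv)


# Subset of the tr policy from the post.
TR_POLICY = '''
Policy: /usr/bin/tr, Emulation: native
        native-fsread: filename eq "/usr/libexec/ld.so" then permit
        native-read: permit
        native-fsread: filename match "/usr/lib/*" then permit
        native-fsread: filename eq "/etc/malloc.conf" then permit
        native-write: permit
        native-exit: permit
'''

# Han's hand-written execve rule for the bot ...
BOT_RULE_MATCH = 'native-execve: filename eq "/usr/bin/tr" and argv match "/usr/bin/tr *" then permit\n'
# ... and the rule systrace generated for tr "\n" " ": the newline sits inside the quotes.
BOT_RULE_EQ = 'native-execve: filename eq "/usr/bin/tr" and argv eq "/usr/bin/tr \n  " then permit\n'


if __name__ == "__main__":
    tr = parse_policy(TR_POLICY)
    print(decide(tr, "native-fsread", filename="/usr/lib/libc.so"))  # constructed path, hits the glob rule
    print(decide(tr, "native-fsread", filename="/etc/passwd"))       # constructed path, no rule
    nl = execve_argv(["/usr/bin/tr", "\n", " "])
    up = execve_argv(["/usr/bin/tr", "a-z", "A-Z"])
    for name, rule in (("match", BOT_RULE_MATCH), ("eq", BOT_RULE_EQ)):
        rules = parse_policy(rule)
        print(name, decide(rules, "native-execve", filename="/usr/bin/tr", argv=nl),
              decide(rules, "native-execve", filename="/usr/bin/tr", argv=up))
```

The hand-written `match "/usr/bin/tr *"` rule permits both the newline invocation and any other tr invocation, while the generated `eq` rule permits only the one exact argv string it was recorded from (with the newline and the extra spaces), which is the trade-off behind replacing it: a glob rule survives changes in arguments, an eq rule pins them down. The same applies to the `/usr/lib/*` glob standing in for the per-library lines that change on every -current update.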
