hmm, on Mon, Oct 31, 2005 at 03:05:49PM -0700, Theo de Raadt said that
> > I'd love to see a bootable OpenBSD desktop CD with all applications
> > tightly wrapped by systrace, so I don't need to recreate and redistribute
> > the boot disk after each new Firefox, GAIM, etc exploit.
>
> It is really unfortunate that I have never seen a perfect systrace
> policy. Not once.
>
> Not even for small programs like ping.
>
> People just don't like what system calls libraries do on their behalf.
> It is really quite depressing.
>
> So people end up using systrace to break their applications further.

hm. does this mean that systrace is not a good idea anymore? i mean it
was a big something when it landed in openbsd but somehow it didn't get
off.... i also don't see its main developer around here anymore, sorry i
forgot his name....

-f
--
careful planning will never replace dumb luck.