On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:

consider sorting your policies...also, try to be more generic in other places, for example, match "/usr/lib/libc.so.*"

> Policy: /usr/bin/vi, Emulation: native
> native-issetugid: permit
> native-mprotect: permit
> native-mmap: permit
> native-__sysctl: permit
> native-fsread: filename eq "/var/run/ld.so.hints" then permit
> native-fstat: permit
> native-close: permit
> native-fsread: filename eq "/usr/lib/libcurses.so.10.0" then permit
> native-read: permit
> native-mquery: permit
> native-fsread: filename eq "/usr/lib/libc.so.39.0" then permit
> native-munmap: permit
> native-sigprocmask: permit
> native-fsread: filename eq "/etc/malloc.conf" then permit
> native-ioctl: permit
> native-fsread: filename eq "$HOME/.terminfo.db" then permit
> native-fsread: filename eq "$HOME/.terminfo" then permit
> native-fsread: filename eq "/usr/share/misc/terminfo.db" then permit
> native-fcntl: permit
> native-pread: permit
> native-sigaction: permit
> native-fsread: filename eq "/usr/share/vi/catalog" then permit
> native-getpid: permit
> native-fsread: filename eq "/tmp" then permit
> >> native-fswrite: filename eq "/tmp/*" then permit

use match

> native-lseek: permit
> native-fsread: filename eq "/etc/vi.exrc" then permit
> native-fsread: filename eq "$HOME/.nexrc" then permit
> native-fsread: filename eq "$HOME/.exrc" then permit
> >> native-fsread: filename eq "$HOME/*" then permit

use match

> native-fsread: filename eq "/var/tmp/vi.recover" then permit
> native-fswrite: filename eq "/var/tmp/vi.recover/*" then permit
> native-fchmod: fd eq "3" and mode eq "700" then permit
> native-flock: permit
> native-write: permit
> native-poll: permit
> native-select: permit
> native-getuid: permit
> native-fsread: filename eq "/etc/spwd.db" then permit
> native-fsread: filename eq "/etc/pwd.db" then permit
> native-fchmod: fd eq "6" and mode eq "600" then permit
> native-gettimeofday: permit
> native-fsread: filename eq "/usr/share/zoneinfo/US/Central" then permit
> native-pwrite: permit
> native-fsync: permit
> native-chmod: filename eq "/var/tmp/vi.recover/vi.*" and mode eq "600" then permit
> native-fswrite: filename eq "$HOME/*" then permit
> native-exit: permit
> native-fchmod: fd eq "3" and mode eq "600" then permit
> native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
> native-fsread: filename eq "/<non-existent filename>: /usr/share/nls/libc/C" then permit
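The two pieces of advice in the reply (sort the policy; use `match` rather than `eq` for wildcard filenames, and generalise versioned library paths such as `/usr/lib/libc.so.39.0` to `/usr/lib/libc.so.*`) can be applied mechanically. The script below is an added example, not part of the thread or of systrace itself; it assumes the policy is in the plain text form quoted above (a `Policy:` header followed by `emulation-syscall: [predicate then] action` rules, untabbed) and that `match` uses fnmatch-style globbing as documented for systrace. The sample policy embedded in it is a constructed fragment of the quoted vi policy. Because systrace takes the first matching rule, the sort is a stable grouping by syscall name only, so rules for the same syscall keep their relative order and the policy's decisions do not change.

```python
"""Normalise a systrace policy (added example, not systrace's own tooling).

Rewrites `filename eq "<glob>"` to `filename match "<glob>"`, generalises
versioned shared-library paths to `.so.*`, drops exact duplicate rules and
groups rules by syscall with a stable sort.  Returns the new policy text and
a list of findings that say what was changed and where.
"""
from __future__ import annotations
import re

# Constructed sample: a fragment of the vi policy quoted in the thread.
SAMPLE_POLICY = """\
Policy: /usr/bin/vi, Emulation: native
native-issetugid: permit
native-fsread: filename eq "/usr/lib/libcurses.so.10.0" then permit
native-read: permit
native-fsread: filename eq "/usr/lib/libc.so.39.0" then permit
native-fswrite: filename eq "/tmp/*" then permit
native-read: permit
native-fsread: filename eq "$HOME/*" then permit
native-fchmod: fd eq "3" and mode eq "700" then permit
"""

# emulation-syscall: body   (the "Policy:" header has no dash, so it is skipped)
RULE_RE = re.compile(r'^\s*(?P<emul>\w+)-(?P<call>\w+):\s*(?P<body>.+?)\s*$')
# `filename eq "..."` whose value carries fnmatch metacharacters: eq compares
# the string literally, so the wildcard would never match a real path.
GLOB_EQ_RE = re.compile(r'filename eq "([^"]*[*?\[][^"]*)"')
# /usr/lib/libfoo.so.MAJOR.MINOR -> /usr/lib/libfoo.so.*  (the reply's suggestion)
LIBVER_RE = re.compile(r'filename (?:eq|match) "(/usr/lib/lib[^"/]+\.so)\.\d+\.\d+"')


def normalise_rule(body: str) -> tuple[str, list[str]]:
    """Rewrite one rule body; return (new body, list of change descriptions)."""
    notes = []
    new, n = GLOB_EQ_RE.subn(r'filename match "\1"', body)
    if n:
        notes.append("eq with glob -> match")
    new, n = LIBVER_RE.subn(r'filename match "\1.*"', new)
    if n:
        notes.append("versioned library -> .so.*")
    return new, notes


def normalise_policy(text: str) -> tuple[str, list[str]]:
    """Return (normalised policy text, findings) for a systrace policy."""
    header, rules, findings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            if line.strip():
                header.append(line.strip())   # keep "Policy: ..." lines as-is
            continue
        body, notes = normalise_rule(m["body"])
        findings.extend(f"line {lineno}: {n}" for n in notes)
        rules.append((m["emul"], m["call"], body))

    # Drop exact duplicates, keeping the first occurrence: with first-match
    # evaluation a later identical rule can never be reached anyway.
    seen, uniq = set(), []
    for rule in rules:
        if rule in seen:
            findings.append(f"duplicate rule dropped: {rule[0]}-{rule[1]}: {rule[2]}")
            continue
        seen.add(rule)
        uniq.append(rule)

    # Stable sort by (emulation, syscall): rules for one syscall keep their
    # relative order, so the first-match outcome for every call is unchanged.
    uniq.sort(key=lambda r: (r[0], r[1]))
    out = header + [f"{e}-{c}: {b}" for e, c, b in uniq]
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    policy, findings = normalise_policy(SAMPLE_POLICY)
    print(policy)
    for f in findings:
        print("#", f)
```

Run it on a saved policy by replacing `SAMPLE_POLICY` with the file's contents; the findings list is the part worth reading before committing the result, since each `eq`-to-`match` rewrite widens what the rule permits and should be checked against what the program really needs.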