Re: Don't forget systrace Was: running multiple simultaneous X sessions as different users
On 03/22/15 07:44, Kevin Chadwick wrote:
> Systrace is also an option but the policy writing could be a little work, the regex support is certainly helpful there.
>
> systrace -A is very helpful

Excellent info; thanks. (This list has the highest signal/noise ratio among tech lists that come to mind.)

For now I'll try "ssh -X ", umask 0077 for all users including root (though I learned the hard way you have to relax that before doing pkg_add...), and keep all this other material as reference for when I can do more or want to try things more like systrace, xauth etc (or non-drm video driver etc to get more screens recognized by X). That is, unless I learn that there are still ways for one user to view another's data etc, when I do just that much. Corrections to my thinking are welcomed.

(This effort is so impressive. Especially compared to so many other situations where if it seems to work on the surface, even smart people call it good & move on. It seems like the worst problems now could be hardware security, which seems very hard, and 3rd-party systems. And general human behavior but we can keep trying there too.)

Best regards,
Luke
Re: Don't forget systrace Was: running multiple simultaneous X sessions as different users
On Sat, 21 Mar 2015 14:14:22 -0700 luke...@onemodel.org wrote:
> Thanks to all who've commented: this has been educational & useful.

Systrace is also an option but the policy writing could be a little work, the regex support is certainly helpful there.

systrace -A is very helpful

then edit files in .systrace such as removing lib version numbers to prevent upgrades from breaking the policy and adding regex for IP connections

systrace -a to enforce.

Personally I'd like to use systrace -A with cksum -a sha256 on the updated policy file and gxmessage to warn about previously unseen behaviour but unfortunately I don't think the policy generation has any regex support so every IP connected to will be logged and flag up new behavior and I think the -E logging option will only help in enforcement mode.

There used to be a gui mode which I believe Ted removed without any objections but was quite cool and would enforce but ask you upon new system calls but it would very occasionally get stuck during the deny while asking stage and so cause user complaints (here, not on list).

chflags sappnd might work too on the policy files making a pretty good yet trouble free HIPS but I haven't tested that yet
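
The checksum-and-warn idea from the message above, as an added example that is not part of the thread or of systrace itself: it records SHA-256 digests of the policy files and reports any file that is new or has changed since the baseline. The function names, the baseline file and the `sha256sum` fallback are assumptions of this example; files that were deleted are not reported.

```shell
#!/bin/sh
# Added example: flag systrace policy files that changed since a baseline.
# Assumed layout: policies in a directory such as "$HOME/.systrace" (the
# .systrace from the post); the baseline file path is chosen by the caller.

# Bare SHA-256 hex of a file. Uses cksum -a sha256 as in the post; sha256sum
# is a fallback for systems whose cksum has no -a option.
digest() {
    if h=$(cksum -a sha256 < "$1" 2>/dev/null); then
        printf '%s\n' "$h" | awk '{print $NF}'
    else
        sha256sum < "$1" | awk '{print $1}'
    fi
}

# One "digest  filename" line per regular file in directory $1.
snapshot() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(digest "$f")" "${f##*/}"
    done
}

# Pop up gxmessage when an X display is available, else write to stderr.
warn() {
    if [ -n "${DISPLAY:-}" ] && command -v gxmessage >/dev/null 2>&1; then
        gxmessage "$1" &
    else
        printf '%s\n' "$1" >&2
    fi
}

# check_policies DIR BASELINE: the first run records the baseline. Later runs
# print each new or modified policy file name and return 1 if there are any.
check_policies() {
    cur=$(snapshot "$1")
    if [ ! -f "$2" ]; then printf '%s\n' "$cur" > "$2"; return 0; fi
    changed=""
    while read -r sum name; do
        [ -n "$sum" ] || continue
        grep -Fqx "$sum  $name" "$2" || { changed="$changed $name"; echo "$name"; }
    done <<EOF
$cur
EOF
    if [ -z "$changed" ]; then return 0; fi
    warn "systrace policy changed:$changed"
    return 1
}

if [ "$#" -ge 2 ]; then check_policies "$1" "$2"; fi
```

After reviewing a reported change, delete the baseline file and run the check again to record the new state.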