Re: how to use the new rc.d system to start the daemon with systrace?
Stuart Henderson wrote on Fri, Oct 21, 2011 at 10:17:11AM +:
> On 2011-10-21, johnw wrote:
>> after upgrade to current, now /etc/rc use the new rc.d system.
>> my question is how to start the daemon(ntpd, named etc ..) with systrace?
>> before upgrade to new rc.d system, i can edit /etc/rc like this
>>
>> echo 'starting named'; named $named_flags
>> to
>> echo 'starting named'; systrace -Ua named $named_flags
>>
>> any idea? thank you.
> it would be *possible* to do something like this and set named_systrace=YES
> in rc.conf.local, but I don't know if we want to go down that route,
> systrace isn't very widely used for daemons..

On first sight, I don't like the idea, it looks like a knob for very little gain, if any.

The systrace facility is definitely useful for development purposes, for example, to make sure that a port doesn't scribble outside the proper directories. However, is systrace really a tool to enforce security policies in production? I don't think that's what I heard people say.

> Index: rc.subr > === > RCS file: /cvs/src/etc/rc.d/rc.subr,v > retrieving revision 1.55 > diff -u -p -r1.55 rc.subr > --- rc.subr 15 Oct 2011 16:05:15 - 1.55 > +++ rc.subr 21 Oct 2011 10:13:33 - > @@ -44,7 +44,7 @@ rc_rm_runfile() { > } > > rc_start() { > - ${rcexec} "${daemon} ${daemon_flags} ${_bg}" > + ${rcexec} "${rcsystrace} ${daemon} ${daemon_flags} ${_bg}" > } > > rc_check() { > @@ -183,6 +183,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} > > eval _rcflags=\${${_name}_flags} > eval _rcuser=\${${_name}_user} > +eval _rcsystrace=\${${_name}_systrace} > > getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \ > daemon_class=${_name} 
> @@ -193,8 +194,10 @@ getcap -f /etc/login.conf ${_name} 1>/de > [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags > [ -n "${_rcflags}" ] && daemon_flags=${_rcflags} > [ -n "${_rcuser}" ] && daemon_user=${_rcuser} > +[ -n "${_rcsystrace}" ] && [ X"${_rcsystrace}" = X"YES" ] || unset > _rcsystrace > > daemon_flags=$(printf ' %s' ${daemon_flags}) > daemon_flags=${daemon_flags## } > pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" > rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" > +[ -n "${_rcsystrace}" ] && rcsystrace="/bin/systrace -Ua"
Re: how to use the new rc.d system to start the daemon with systrace?
On 2011-10-21, johnw wrote:
> after upgrade to current, now /etc/rc use the new rc.d system.
> my question is how to start the daemon(ntpd, named etc ..) with systrace?
> before upgrade to new rc.d system, i can edit /etc/rc like this
>
> echo 'starting named'; named $named_flags
> to
> echo 'starting named'; systrace -Ua named $named_flags
>
> any idea? thank you.
>

it would be *possible* to do something like this and set named_systrace=YES in rc.conf.local, but I don't know if we want to go down that route, systrace isn't very widely used for daemons..

Index: rc.subr === RCS file: /cvs/src/etc/rc.d/rc.subr,v retrieving revision 1.55 diff -u -p -r1.55 rc.subr --- rc.subr 15 Oct 2011 16:05:15 - 1.55 +++ rc.subr 21 Oct 2011 10:13:33 - @@ -44,7 +44,7 @@ rc_rm_runfile() { } rc_start() { - ${rcexec} "${daemon} ${daemon_flags} ${_bg}" + ${rcexec} "${rcsystrace} ${daemon} ${daemon_flags} ${_bg}" } rc_check() { @@ -183,6 +183,7 @@ _RC_RUNFILE=${_RC_RUNDIR}/${_name} eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcsystrace=\${${_name}_systrace} getcap -f /etc/login.conf ${_name} 1>/dev/null 2>&1 && \ daemon_class=${_name} @@ -193,8 +194,10 @@ getcap -f /etc/login.conf ${_name} 1>/de [ -n "${_RC_FORCE}" ] && [ X"${_rcflags}" = X"NO" ] && unset _rcflags [ -n "${_rcflags}" ] && daemon_flags=${_rcflags} [ -n "${_rcuser}" ] && daemon_user=${_rcuser} +[ -n "${_rcsystrace}" ] && [ X"${_rcsystrace}" = X"YES" ] || unset _rcsystrace daemon_flags=$(printf ' %s' ${daemon_flags}) daemon_flags=${daemon_flags## } pexp="${daemon}${daemon_flags:+ ${daemon_flags}}" rcexec="su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c" +[ -n "${_rcsystrace}" ] && rcsystrace="/bin/systrace -Ua"
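
Review bot: in the rc_start hunk, ${rcsystrace} is prepended inside the string handed to ${rcexec}, yet pexp in the last hunk is still built from ${daemon} and ${daemon_flags} only. Please confirm that matching on pexp still finds the daemon when it is started through systrace, or build pexp with the same prefix. The wrapper also sits inside the su -c string, so systrace itself runs as ${daemon_user} with that login class; state in the commit message whether that is intended.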
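
Review bot: the eval added in the second hunk introduces a new per-daemon variable, ${_name}_systrace, and nothing in the patch documents it. It should be described wherever ${_name}_flags and ${_name}_user are documented, including that only the literal value YES enables it (per the test in the last hunk) and that it is meant to be set in rc.conf.local.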
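
Review bot: in the last hunk, rcsystrace is assigned only when the knob is YES and is never cleared otherwise, so rc_start expands whatever value that variable already holds in the environment the rc.d script was started from. Initialise it unconditionally, for example with rcsystrace= ahead of the conditional assignment. The [ -n "${_rcsystrace}" ] test is also redundant, since the comparison against X"YES" already fails on an empty value, and the hard-coded /bin/systrace -Ua leaves no way to choose different systrace options per daemon.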
how to use the new rc.d system to start the daemon with systrace?
After upgrading to current, /etc/rc now uses the new rc.d system.
My question is how to start a daemon (ntpd, named, etc.) with systrace.
Before the upgrade to the new rc.d system, I could edit /etc/rc like this:

echo 'starting named'; named $named_flags

to

echo 'starting named'; systrace -Ua named $named_flags

Any idea? Thank you.