Subject: Privilege Elevation with systrace
To: None <>
From: Niels Provos <>
List: current-users
Date: 10/11/2002 18:02:48

I just committed improvements to systrace to support privilege

With privilege elevation, it is possible to raise the privileges
of an application for a single system call.  You can imagine an
application like ping that requires privileges only to bind to
a raw socket.

Using systrace, ping can run without any privileges and a policy

 netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then \
 permit as root

would allow ping to gain a row socket.  You can do similar things to
bind to a reserved port

 netbsd-bind: sockaddr eq "inet-[]:22" then permit as root

or allow an application to read /dev/kmem

 netbsd-fsread: filename "/dev/kmem" then permit as :kmem

As a result, it is possible to remove all suid and sgid binaries
from the system. [A single suid wrapper like dm for games would
start systrace privileged and cause the otherwise unprivileged
execution of the configured binaries.]

Before you try this new feature, you need to update both the
kernel and the systrace userland binary.  An old systrace
binary will not work with a new kernel.

I would like to thank Perry Metzger, Dug Song, Markus Watts, and
Marius Aamodt Eriksen for useful discussions about this feature.

  Niels Provos.