on Sun, Aug 04, 2002 at 07:58:06PM +0300, Mihai Chelaru wrote:
> Here is the first problem:
> 
>         netbsd-fsread: filename match "/etc*" then deny[EPERM], if user != 
> root
>         netbsd-fsread: permit, if user = root
>
> but still: 
> # systrace -a ls /etc/
> ls: : Operation not permitted

It seems that the alias code does not like simple rules (just "permit" or
just "deny") because of how they are processed in trans_cb. I shall look
into it. Using netbsd-open instead of netbsd-fsread should work for now.

systrace denies/asks by default, so the first rule is not needed. "/etc*"
would not match anyhow, because matching is done via fnmatch(3); an
'eq "/etc"' and 'match "/etc/*"' achieves the desired result, except NetBSD
has no FNM_LEADING_DIR so it only matches the first level of files off /etc.
At least that's what I think FNM_LEADING_DIR allows under OpenBSD.

> And the second question: is there any thought of implementing the `else` 
> keyword ?

There is an implicit 'or' between rules of the same syscall. This allows
'else' style semantics already, I think.