Subject: NetBSD-4 systrace and unexpected syntax errors...
To: None <netbsd-users@netbsd.org>
From: Aleksey Cheusov <cheusov@tut.by>
List: netbsd-users
Date: 05/21/2007 19:46:12
Hi all.
I always build pkgsrc packages using a non-root account
and use SU_CMD to run the installation stage with root privileges.

Now I'm trying to set up a pkgsrc bulk build and want to make
the installation stage a bit more paranoid by protecting
it using NetBSD systrace.

First, I'm trying to collect the initial syscalls by
setting SU_CMD to

/usr/local/bin/sudo /bin/systrace -Ai -d /root/.systrace-install /bin/sh -c

In short, it doesn't work in every third case,
i.e. for ~100 packages out of ~350 packages I get an error like this:

     0 libuxre>make reinstall
     ...
     /usr/bin/install -c -o root -g wheel -m 444 /srv/obj_pkgsrc/wip/libuxre/work/heirloom-070227/libuxre/"COPYING.LGPL" /usr/pkg/share/doc/libuxre
     syntax error
     Parse error.
     systrace: Filter generation error: filename eq "/bin/sh" and argv eq "/bin/sh -c { :;     /bin/cat /srv/pkgsrc/wip/libuxre/PLIST;                          true; } |                /usr/bin/env PKGLOCALEDIR=share USE_PKGLOCALEDIR=no IMAKE_MANINSTALL= IGNORE_INFO_PATH= PKGINFODIR=info IGNORE_LIBTOOLIZE= LIBTOOLIZE_PLIST=yes LIBTOOL_EXPAND=/usr/bin/env\\ ECHO=echo\\ GREP=/usr/bin/grep\\      \\      \\ SORT=/usr/bin/sort\\ TEST=test\\     \\      \\ /bin/sh\\ /srv/pkgsrc/wip/libuxre/../../mk/plist/libtool-expand LS=/bin/ls MANINSTALL=maninstall\\ catinstall MANZ=yes PKGMANDIR=man PREFIX=/usr/pkg TEST=test PLIST_OPSYS=NetBSD PLIST_OS_VERSION=4.0_BETA2 PLIST_MACHINE_ARCH=i386 PLIST_MACHINE_GNU_ARCH=i386 PLIST_MACHINE_GNU_PLATFORM=i386--netbsdelf PLIST_LN=/bin/ln PLIST_LOWER_VENDOR= PLIST_LOWER_OPSYS=netbsd PLIST_LOWER_OS_VERSION=4.0_beta2 PLIST_PKGBASE=libuxre PLIST_PKGNAME=libuxre-070227 PLIST_PKGLOCALEDIR=share PLIST_PKGVERSION=070227 PLIST_LOCALBASE=/usr/pkg PLIST_VIEWBASE=/usr/pkg PLIST_X11BASE=/usr/X11R6 PLIST_X11PREFIX=/usr/pkg PLIST_SVR4_PKGNAME=libuxre-070227 PLIST_CHGRP=/usr/bin/chgrp PLIST_CHMOD=/bin/chmod PLIST_CHOWN=/usr/sbin/chown PLIST_MKDIR=/bin/mkdir\\ -p PLIST_RMDIR=/bin/rmdir PLIST_RM=/bin/rm PLIST_TRUE=true PLIST_PKGMANDIR=man PLIST_SUBST_VARS=PLIST_OPSYS\\ PLIST_OS_VERSION\\ PLIST_MACHINE_ARCH\\ PLIST_MACHINE_GNU_ARCH\\ PLIST_MACHINE_GNU_PLATFORM\\ PLIST_LN\\ PLIST_LOWER_VENDOR\\ PLIST_LOWER_OPSYS\\ PLIST_LOWER_OS_VERSION\\ PLIST_PKGBASE\\ PLIST_PKGNAME\\ PLIST_PKGLOCALEDIR\\ PLIST_PKGVERSION\\ PLIST_LOCALBASE\\ PLIST_VIEWBASE\\ PLIST_X11BASE\\ PLIST_X11PREFIX\\ PLIST_SVR4_PKGNAME\\ PLIST_CHGRP\\ PLIST_CHMOD\\ PLIST_CHOWN\\ PLIST_MKDIR\\ PLIST_RMDIR\\ PLIST_RM\\ PLIST_TRUE\\ PLIST_PKGMANDIR /usr/bin/awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-functions.awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-subst.awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-locale.awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-info.awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-man.awk -f /srv/pkgsrc/wip/libuxre/../../mk/plist/plist-libtool.awk -f /srv/pkgsrc/wip/libuxre/../..
     [1]   Killed                  /usr/local/bin/s...
     *** Error code 137

     Stop.
     make: stopped in /srv/pkgsrc/wip/libuxre
     *** Error code 1

     Stop.
     make: stopped in /srv/pkgsrc/wip/libuxre
     1 libuxre>

This is problem #1.
After initializing the systrace rules in .systrace-install/bin_sh I change
SU_CMD to

/usr/local/bin/sudo /bin/systrace -ai -d /root/.systrace-install /bin/sh -c

Now systrace fails again with different and magic messages.

     0 libuxre>make install
     => Required installed package digest>=20010302: digest-20060826 found
     ===> _flavor-check-vulnerable [libuxre-070227] ===> Checking for vulnerabilities in libuxre-070227
     => Fetching heirloom-070227.tar.bz2
     ===> barrier [libuxre-070227] ===> Invoking ``install'' after barrier for libuxre-070227
     ===> install-message [libuxre-070227] ===> Installing for libuxre-070227
     => Becoming ``root'' to make su-install-all (/usr/local/bin/sudo)
     => Generating pre-install file lists
     => Creating installation directories
     libtool /usr/bin/install -c -o root -g wheel -m 444 /srv/obj_pkgsrc/wip/libuxre/work/heirloom-070227/libuxre/libuxre.la /usr/pkg/lib
     *** Warning: inferring the mode of operation is deprecated.
     *** Future versions of Libtool will require --mode=MODE be specified.
     /usr/bin/install -c -o root -g wheel -m 444 /srv/obj_pkgsrc/wip/libuxre/work/heirloom-070227/libuxre/.libs/libuxre.so.0.0.0 /usr/pkg/lib/libuxre.so.0.0.0
     systrace: filter_match has no translators
     [1]   Killed                  /usr/local/bin/s...
     *** Error code 137

     Stop.
     make: stopped in /srv/pkgsrc/wip/libuxre
     *** Error code 1

     Stop.
     make: stopped in /srv/pkgsrc/wip/libuxre
     1 libuxre>

This is problem #2.

Is systrace workable, or am I doing something wrong?

--
Best regards, Aleksey Cheusov.