Subject: Re: extending chroot()
To: None <>
From: Dug Song <>
List: tech-security
Date: 01/24/2003 11:21:19
On Thu, Jan 16, 2003 at 04:08:57PM -0500, Steve Bellovin wrote:

> (I wish that socket() went through the file system, so that 
> I could restrict network access that way, too.)

systrace's user/group predicates and regex/glob-style pattern matching
of syscall arguments may be sufficient for what you're trying to do?

for example, a policy for /usr/bin/ftp might include the following to
restrict FTP sessions to "staff" users:

native-connect: sockaddr match "inet-*:21" then permit, if group = staff
native-connect: sockaddr re "inet-.*:[3-6][0-9][0-9][0-9][0-9]" then permit, if group = staff

the ability to enforce such policy on a per-program basis goes a bit
beyond what one might do with simple filesystem permissions (or
user/group rules in OpenBSD's pf firewall) to allow for fairly
fine-grained access control without any program modification...
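To make the matching semantics of the two rules above concrete, here is a small Python model (an added example, not systrace's own code) that parses those `native-connect` lines and evaluates them against a connect() event: `match` is treated as a glob, `re` as an unanchored regular expression like regexec(), and the `if group = staff` predicate is checked only after the sockaddr pattern hits. The event representation, the parser and the default-deny fallback when no rule matches are assumptions made for the example.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed event shape: systrace renders the connect() sockaddr argument
# as "inet-<address>:<port>"; the group is that of the calling process.
@dataclass
class ConnectEvent:
    sockaddr: str
    group: str

@dataclass
class Rule:
    kind: str              # "match" (glob) or "re" (regular expression)
    pattern: str
    action: str            # "permit" or "deny"
    group: Optional[str]   # optional "if group = X" predicate

# Grammar assumed for this example: only the native-connect/sockaddr form.
RULE_RE = re.compile(
    r'^native-connect:\s+sockaddr\s+(match|re)\s+"([^"]+)"\s+then\s+'
    r'(permit|deny)(?:,\s*if\s+group\s*=\s*(\S+))?\s*$'
)

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    kind, pattern, action, group = m.groups()
    return Rule(kind, pattern, action, group)

def rule_matches(rule: Rule, ev: ConnectEvent) -> bool:
    if rule.kind == "match":
        hit = fnmatch.fnmatchcase(ev.sockaddr, rule.pattern)   # glob
    else:
        hit = re.search(rule.pattern, ev.sockaddr) is not None  # unanchored
    return hit and (rule.group is None or rule.group == ev.group)

def evaluate(policy: List[Rule], ev: ConnectEvent) -> str:
    """First matching rule wins; assumed default is deny."""
    for rule in policy:
        if rule_matches(rule, ev):
            return rule.action
    return "deny"

# The two rules from the post: control connection, then passive data ports.
POLICY = [parse_rule(l) for l in (
    'native-connect: sockaddr match "inet-*:21" then permit, if group = staff',
    'native-connect: sockaddr re "inet-.*:[3-6][0-9][0-9][0-9][0-9]" '
    'then permit, if group = staff',
)]
```

Running `evaluate(POLICY, ConnectEvent("inet-192.0.2.10:21", "staff"))` returns `"permit"`, while the same connect() from a non-staff group, or a staff connect() to port 22, falls through to deny.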