Subject: Re: systrace features?
To: Charles Blundell <cb@netbsd.org>
From: Daniel Carosone <dan@geek.com.au>
List: tech-security
Date: 09/24/2003 19:30:25
On Wed, Sep 24, 2003 at 09:38:58AM +0100, Charles Blundell wrote:
> > I think they're great ideas, especially the former.  Would the
> > latter be more usefully/generally handled by a new action type,
> > say "kill" or "terminate" - or even "signal" with an argument?
> 
> I was going to do something like this, but I'm not so sure. We
> already have -A and -a, so I figured putting this at the top level
> made sense, instead of stuff like:
> 
>   for x in $(jot 10); do systrace -m learn,random-20,kill ls; done
> 

I was thinking something more like (in the policy)

  netbsd-fswrite: filename eq "/etc/master.passwd" then kill

or even

  netbsd-connect: sockaddr match "/tmp/.X11-unix/*" then signal SIGSTOP

That way you can be specific about actions that really indicate
miscreant processes.  Perhaps combine the two, so that on the
command line you specify the default action for anything not in
the policy (like -a = deny, -A = permit-and-add, -k = kill).

I'm not sure there are enough signals that would really be interesting
enough to be worth implementing the latter mechanism, but it's an
idea to consider.

--
Dan.
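To make the proposed semantics concrete, here is a small added illustration (not systrace code, and not from either poster) of how per-rule `kill` / `signal` actions plus a command-line default action would be evaluated. The rule grammar, the `Rule` class, `parse_rule` and `evaluate` are all assumptions for this sketch; the two policy lines are the ones from the mail above.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed grammar for the syntax proposed in the thread:
#   <emulation>-<syscall>: <field> (eq|match) "<value>" then <action>
# where <action> is permit | deny | kill | signal <SIGNAME>.
RULE_RE = re.compile(
    r'^(?P<syscall>[\w-]+):\s+(?P<field>\w+)\s+(?P<op>eq|match)\s+'
    r'"(?P<value>[^"]*)"\s+then\s+(?P<action>permit|deny|kill|signal\s+SIG\w+)$'
)


@dataclass
class Rule:
    syscall: str
    field: str
    op: str
    value: str
    action: str


def parse_rule(line: str) -> Rule:
    """Parse one policy line; reject anything outside the assumed grammar."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    return Rule(m["syscall"], m["field"], m["op"], m["value"], m["action"])


def evaluate(rules, default_action, syscall, **args):
    """Return the action for one intercepted call.

    First matching rule wins. If no rule matches, the command-line
    default (the -a / -A / -k idea from the mail) applies, so the
    rarer kill/signal actions stay reserved for explicit rules.
    """
    for r in rules:
        if r.syscall != syscall or r.field not in args:
            continue
        v = args[r.field]
        hit = (v == r.value) if r.op == "eq" else fnmatch.fnmatchcase(v, r.value)
        if hit:
            return r.action
    return default_action


# Constructed policy built from the two example rules in the thread.
POLICY = [parse_rule(l) for l in [
    'netbsd-fswrite: filename eq "/etc/master.passwd" then kill',
    'netbsd-connect: sockaddr match "/tmp/.X11-unix/*" then signal SIGSTOP',
]]
```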