Subject: Re: Privilege Elevation with systrace
To: None <xs@kittenz.org>
From: Niels Provos <provos@citi.umich.edu>
List: current-users
Date: 10/12/2002 15:47:05
On Sat, Oct 12, 2002 at 12:03:45PM +0100, xs@kittenz.org wrote:
> This rule does differ from what ping could do before. ping drops its
> privileges after it has created a raw socket. But with such a policy,
> it can keep opening raw sockets because systrace policies are
> stateless.
You can actually predicate the policy on uid and gid.  So, a ping
policy could permit raw socket creation only once:

netbsd-socket: socktype eq "SOCK_RAW" then permit as root, if user = sys1
netbsd-setuid: uid eq "sys2" then permit as root, if user = sys1

Systrace would start ping with uid sys1; ping would then do

  fd = socket(AF_INET, SOCK_RAW, 0);
  setuid(sys2);

Niels.
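The following is an added example, not systrace's own code or anything from the mail: a toy evaluator for the two uid-predicated policy lines above, replaying ping's syscall sequence to show that the rules stay stateless while the process uid carries the state. The numeric uids for sys1 and sys2 are constructed placeholders.

```python
# Added example (not systrace's own code): a toy evaluator for the two
# uid-predicated policy lines from the mail. It shows why a second
# raw-socket call is denied once ping has switched from sys1 to sys2.
# The uid numbers are constructed placeholders.
UIDS = {"sys1": 1001, "sys2": 1002}

# (syscall, predicated argument, required value, "if user =" clause)
POLICY = [
    ("netbsd-socket", "socktype", "SOCK_RAW", "sys1"),
    ("netbsd-setuid", "uid", "sys2", "sys1"),
]

def evaluate(policy, proc, syscall, **args):
    """Decide one syscall for process state `proc` (a dict with 'uid').

    A rule matches only if the syscall name, the predicated argument and
    the process's current uid all agree; an unmatched call is denied,
    as an unlisted syscall would be under a default-deny policy.
    """
    for name, arg, value, if_user in policy:
        if name != syscall or args.get(arg) != value:
            continue
        if proc["uid"] != UIDS[if_user]:
            continue
        if syscall == "netbsd-setuid":
            proc["uid"] = UIDS[args["uid"]]   # the permitted setuid changes the state
        return "permit as root"
    return "deny"

def ping_trace():
    """Replay ping's startup, then a second raw-socket attempt."""
    proc = {"uid": UIDS["sys1"]}              # systrace starts ping as sys1
    first = evaluate(POLICY, proc, "netbsd-socket", socktype="SOCK_RAW")
    drop = evaluate(POLICY, proc, "netbsd-setuid", uid="sys2")
    second = evaluate(POLICY, proc, "netbsd-socket", socktype="SOCK_RAW")
    return first, drop, second

if __name__ == "__main__":
    print(ping_trace())   # ('permit as root', 'permit as root', 'deny')
```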