Subject: systrace
To: None <netbsd-help@netbsd.org>
From: Mihai Chelaru <kefren@netbastards.org>
List: netbsd-help
Date: 08/04/2002 19:58:06
Hello,
I played today with systrace and I encountered some problems.
Here is the first problem:
Policy: /bin/ls, Emulation: netbsd
netbsd-issetugid: permit
netbsd-ioctl: permit
netbsd-getuid: permit
netbsd-__sysctl: permit
netbsd-mmap: permit
netbsd-break: permit
netbsd-fsread: filename match "/etc*" then deny[EPERM], if user != root
netbsd-fsread: permit, if user = root
netbsd-fchdir: permit
netbsd-__fstat13: permit
netbsd-fcntl: permit
netbsd-fstatfs: permit
netbsd-lseek: permit
netbsd-getdents: permit
netbsd-close: permit
netbsd-write: permit
netbsd-exit: permit
netbsd-execve: permit
but still:
# systrace -a ls /etc/
ls: : Operation not permitted
also:
# systrace -a ls /
ls: /: Operation not permitted
The policy file is obtained from -A and I just played with fsread. Why is it not
working for root to do `ls`? I just can't understand. Can anyone explain the
rule parsing of systrace to me? I mean, is it using first match or last match?
And the second question: is there any thought of implementing the `else`
keyword?
Thanks,
Mihai Chelaru
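Added example, not from the original mail or from systrace itself: a small Python model of policy evaluation over the fsread rules quoted above, so that first-match and last-match semantics can be compared directly on the same rules. It assumes the simplified rule grammar visible in the post (an optional filename glob, permit/deny, an optional `if user` predicate) and does not reproduce systrace's real parser; under this model root's fsread of /etc/ is permitted either way, so the ordering question alone does not account for the EPERM, and the actual semantics still have to be checked against the systrace man page.

```python
import fnmatch
import re

# Constructed subset of the policy quoted in the post (not a file generated by systrace -A).
POLICY = """\
netbsd-fsread: filename match "/etc*" then deny[EPERM], if user != root
netbsd-fsread: permit, if user = root
netbsd-getdents: permit
"""

RULE_RE = re.compile(
    r'^(?P<sc>[\w-]+):\s*'                                   # emulation-syscall name
    r'(?:filename\s+match\s+"(?P<glob>[^"]*)"\s+then\s+)?'  # optional filename glob
    r'(?P<action>permit|deny(?:\[\w+\])?)'                  # permit or deny[ERRNO]
    r'(?:,\s*if\s+user\s+(?P<op>!=|=)\s*(?P<user>\w+))?\s*$'  # optional user predicate
)

def parse_policy(text):
    """Parse policy lines into rule dicts; a line outside the modelled grammar raises."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append(m.groupdict())
    return rules

def rule_matches(rule, syscall, filename, user):
    """A rule applies only if syscall, filename glob and user predicate all hold."""
    if rule["sc"] != syscall:
        return False
    if rule["glob"] is not None and not fnmatch.fnmatchcase(filename, rule["glob"]):
        return False
    if rule["op"] == "=" and user != rule["user"]:
        return False
    if rule["op"] == "!=" and user == rule["user"]:
        return False
    return True

def evaluate(rules, syscall, filename, user, semantics="first"):
    """Return 'permit', 'deny[ERRNO]' or 'no rule' under first- or last-match semantics."""
    matched = [r for r in rules if rule_matches(r, syscall, filename, user)]
    if not matched:
        return "no rule"  # nothing applies: the real tool would fall back to its default handling
    chosen = matched[0] if semantics == "first" else matched[-1]
    return chosen["action"]
```

Note that a non-root user has no fsread rule at all for paths outside /etc in this policy, which the `no rule` result makes visible.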