From 6c3a1a5dfb77f5f68fa686ff7d90ca03d66bdf37 Mon Sep 17 00:00:00 2001 From: wiz Date: Sat, 6 Sep 2003 16:39:34 +0000 Subject: [PATCH] Some small tweaks from jmc@openbsd: - .Bk/.Ek for SYNOPSIS - .Ev for environment variables - fix bogus -offsets --- bin/systrace/systrace.1 | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1 index be412b41c4a0..a19b43a434ea 100644 --- a/bin/systrace/systrace.1 +++ b/bin/systrace/systrace.1 @@ -1,4 +1,4 @@ -.\" $NetBSD: systrace.1,v 1.25 2003/08/20 01:28:44 itojun Exp $ +.\" $NetBSD: systrace.1,v 1.26 2003/09/06 16:39:34 wiz Exp $ .\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $ .\" .\" Copyright 2002 Niels Provos @@ -39,6 +39,7 @@ .Nd generate and enforce system call policies .Sh SYNOPSIS .Nm systrace +.Bk -words .Op Fl AaitUu .Op Fl c Ar uid:gid .Op Fl d Ar policydir @@ -46,6 +47,7 @@ .Op Fl g Ar gui .Op Fl p Ar pid .Ar command ... +.Ek .Sh DESCRIPTION The .Nm @@ -132,7 +134,7 @@ are translated to .El .Ss POLICY The policy is specified via the following grammar: -.Bd -literal -offset 4 +.Bd -literal -offset 3n filter = expression "then" action errorcode logcode expression = symbol | "not" expression | "(" expression ")" | expression "and" expression | expression "or" expression @@ -228,14 +230,19 @@ system call. .Pp Policy entries may contain an appended predicate. Predicates have the following format: -.Bd -literal -offset 4 +.Bd -literal -offset 3n ", if" {"user", "group"} {"=", "!=", "\*[Lt]", "\*[Gt]" } {number, string} .Ed .Pp A rule is added to the configured policy only if its predicate evaluates to true. .Pp -The environment variables $HOME, $USER and $CWD are substituted in rules. +The environment variables +.Ev $HOME , +.Ev $USER +and +.Ev $CWD +are substituted in rules. Comments, begun by an unquoted .Sq \&# character and continuing to the end of the line, are ignored. @@ -247,7 +254,7 @@ privilege elevation feature instead. Single system calls can be executed with higher privileges if specified by the policy. For example, -.Bd -literal -offset 4 +.Bd -literal -offset 3n native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root .Ed .Pp @@ -259,7 +266,7 @@ process is executed as root. The following statements can be appended after the .Va permit in a policy to elevate the privileges for the matching system call: -.Bd -literal -offset 4 +.Bd -literal -offset 3n as user as user:group as :group @@ -289,7 +296,7 @@ replaced by the underscore character. An excerpt from a sample .Xr ls 1 policy might look as follows: -.Bd -literal -offset 4 +.Bd -literal -offset 2n Policy: /bin/ls, Emulation: native [...] native-fsread: filename eq "$HOME" then permit