Some small tweaks from jmc@openbsd:
- .Bk/.Ek for SYNOPSIS - .Ev for environment variables - fix bogus -offsets
This commit is contained in:
wiz
parent
49fae81618
commit
6c3a1a5dfb
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: systrace.1,v 1.25 2003/08/20 01:28:44 itojun Exp $
|
||||
.\" $NetBSD: systrace.1,v 1.26 2003/09/06 16:39:34 wiz Exp $
|
||||
.\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $
|
||||
.\"
|
||||
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
|
|
@ -39,6 +39,7 @@
|
|||
.Nd generate and enforce system call policies
|
||||
.Sh SYNOPSIS
|
||||
.Nm systrace
|
||||
.Bk -words
|
||||
.Op Fl AaitUu
|
||||
.Op Fl c Ar uid:gid
|
||||
.Op Fl d Ar policydir
|
||||
|
|
@ -46,6 +47,7 @@
|
|||
.Op Fl g Ar gui
|
||||
.Op Fl p Ar pid
|
||||
.Ar command ...
|
||||
.Ek
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Nm
|
||||
|
|
@ -132,7 +134,7 @@ are translated to
|
|||
.El
|
||||
.Ss POLICY
|
||||
The policy is specified via the following grammar:
|
||||
.Bd -literal -offset 4
|
||||
.Bd -literal -offset 3n
|
||||
filter = expression "then" action errorcode logcode
|
||||
expression = symbol | "not" expression | "(" expression ")" |
|
||||
expression "and" expression | expression "or" expression
|
||||
|
|
@ -228,14 +230,19 @@ system call.
|
|||
.Pp
|
||||
Policy entries may contain an appended predicate.
|
||||
Predicates have the following format:
|
||||
.Bd -literal -offset 4
|
||||
.Bd -literal -offset 3n
|
||||
", if" {"user", "group"} {"=", "!=", "\*[Lt]", "\*[Gt]" } {number, string}
|
||||
.Ed
|
||||
.Pp
|
||||
A rule is added to the configured policy only if its predicate
|
||||
evaluates to true.
|
||||
.Pp
|
||||
The environment variables $HOME, $USER and $CWD are substituted in rules.
|
||||
The environment variables
|
||||
.Ev $HOME ,
|
||||
.Ev $USER
|
||||
and
|
||||
.Ev $CWD
|
||||
are substituted in rules.
|
||||
Comments, begun by an unquoted
|
||||
.Sq \&#
|
||||
character and continuing to the end of the line, are ignored.
|
||||
|
|
@ -247,7 +254,7 @@ privilege elevation feature instead.
|
|||
Single system calls can be executed with higher privileges if
|
||||
specified by the policy.
|
||||
For example,
|
||||
.Bd -literal -offset 4
|
||||
.Bd -literal -offset 3n
|
||||
native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root
|
||||
.Ed
|
||||
.Pp
|
||||
|
|
@ -259,7 +266,7 @@ process is executed as root.
|
|||
The following statements can be appended after the
|
||||
.Va permit
|
||||
in a policy to elevate the privileges for the matching system call:
|
||||
.Bd -literal -offset 4
|
||||
.Bd -literal -offset 3n
|
||||
as user
|
||||
as user:group
|
||||
as :group
|
||||
|
|
@ -289,7 +296,7 @@ replaced by the underscore character.
|
|||
An excerpt from a sample
|
||||
.Xr ls 1
|
||||
policy might look as follows:
|
||||
.Bd -literal -offset 4
|
||||
.Bd -literal -offset 2n
|
||||
Policy: /bin/ls, Emulation: native
|
||||
[...]
|
||||
native-fsread: filename eq "$HOME" then permit
|
||||
|
|
|
|||
Loading…
Reference in New Issue