Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Reformat a little, clarify terminology and make less terse.

This commit is contained in:
gmcgarry 2002-06-26 06:44:59 +00:00
parent 9cdbc86d39
commit 97652ddb51
1 changed files with 53 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
share/man/man4/systrace.4
View File

@ -1,4 +1,4 @@
.\" $NetBSD: systrace.4,v 1.4 2002/06/18 14:17:05 wiz Exp $ .\" $NetBSD: systrace.4,v 1.5 2002/06/26 06:44:59 gmcgarry Exp $
.\" $OpenBSD: systrace.4,v 1.2 2002/06/03 15:44:17 mpech Exp $ .\" $OpenBSD: systrace.4,v 1.2 2002/06/03 15:44:17 mpech Exp $
.\" .\"
.\" Copyright (c) 2002 CubeSoft Communications, Inc. .\" Copyright (c) 2002 CubeSoft Communications, Inc.
@ -34,30 +34,38 @@
.Sh SYNOPSIS .Sh SYNOPSIS
.Cd "options SYSTRACE" .Cd "options SYSTRACE"
.Sh DESCRIPTION .Sh DESCRIPTION
The
.Nm .Nm
attaches to processes and enforces policies for system calls. kernel facility provides a mechanism to manipulate and enforce access
A pseudo-device, policies for system calls. Using the
.Pa /dev/systrace ,
allows userland processes to control the behavior of
.Nm .Nm
facility it is possible to monitor and control a process's access to
the kernel through system calls.
.Pp
Access to the
.Nm
facility is provided to userland processes, such as
.Xr systrace 1 ,
through an through an
.Xr ioctl 2 .Xr ioctl 2
interface. interface on the pseudo-device
.Sh SYSTEM CALL POLICIES .Pa /dev/systrace .
This interface allows messages to be sent from the kernel to the
userland process to request confirmation of an access policy.
.Pp
The
.Nm .Nm
can assign the following policies to system calls: facility can assign the following policies to system calls for a
.Bl -tag -enum -width "xxxxxx" specific process:
.Bl -tag -offset indent -width "XXXXXX"
.It SYSTR_POLICY_ASK .It SYSTR_POLICY_ASK
Send a message of the type Send a message on
.Dv SYSTR_MSG_ASK , .Pa /dev/systrace
and put the process to sleep until a requesting the access policy for the system call.
.Dv STRIOCANSWER
.Xr ioctl 2
is made.
.It SYSTR_POLICY_PERMIT .It SYSTR_POLICY_PERMIT
Immediately allow the system call. Immediately allow the system call.
.It SYSTR_POLICY_NEVER .It SYSTR_POLICY_NEVER
Immediately return an error code. Immediately deny the system call and return an error code.
.El .El
.Sh SYSTRACE MESSAGES .Sh SYSTRACE MESSAGES
A A
@ -99,7 +107,12 @@ struct str_msg_child {
}; };
.Ed .Ed
.Sh IOCTL INTERFACE .Sh IOCTL INTERFACE
.Bl -tag -width "xxxxxx" The
.Nm
facility supports the following
.Xr ioctl 2
operations:
.Bl -tag -width "XXXXXX"
.It Dv SYSTR_CLONE Fa "int" .It Dv SYSTR_CLONE Fa "int"
Return a Return a
.Nm .Nm
@ -107,36 +120,35 @@ file descriptor for
further further
.Xr ioctl 2 .Xr ioctl 2
operations. operations.
.El
.Nm
supports the following
.Xr ioctl 2
command:
.Bl -tag -width "xxxxxx"
.It Dv STRIOCATTACH Fa "pid_t" .It Dv STRIOCATTACH Fa "pid_t"
Attach to a process, unless: Attach to the process with the specified process ID. This operation
.Bl -enum -compact -width 2n will fail under the following conditions:
.Pp
.Bl -enum -offset indent -compact -width 2n
.It .It
It's the process that's doing the attaching. The process is trying to attach to itself.
.It .It
It's a system process. The process is a system process.
.It .It
It's being traced already. The process is being traced already.
.It .It
You do not own the process and you're not root. You do not own the process and you are not root.
.It .It
It's The process is
.Xr init 8 , .Xr init 8 ,
and the and the
kernel was not compiled with kernel was not compiled with
.Cd option INSECURE . .Cd option INSECURE .
.El .El
.It Dv STRIOCDETACH Fa "pid_t" .It Dv STRIOCDETACH Fa "pid_t"
Wake up a process if it is waiting for an answer, and detach from it. Wake up the process if it is waiting for an answer, and detach from
it.
.It Dv STRIOCANSWER Fa "struct systrace_answer" .It Dv STRIOCANSWER Fa "struct systrace_answer"
Tell Notify the
.Nm .Nm
what to do with a system call that was assigned a policy of facility in response to a
SYSTR_MSG_ASK
message what to do with a system call that was assigned a policy of
.Dv SYSTR_POLICY_ASK . .Dv SYSTR_POLICY_ASK .
.Bd -literal .Bd -literal
struct systrace_answer { struct systrace_answer {
@ -148,6 +160,11 @@ struct systrace_answer {
#define SYSTR_FLAGS_RESULT 0x0001 /* Report syscall result */ #define SYSTR_FLAGS_RESULT 0x0001 /* Report syscall result */
}; };
.Ed .Ed
.Pp
Valid return values for
.Em stra_policy
are
SYSTR_POLICY_PERMIT, SYSTR_POLICY_ASK and SYSTR_POLICY_NEVER.
.It Dv STRIOCIO Fa "struct systrace_io" .It Dv STRIOCIO Fa "struct systrace_io"
Copy data in/out of the process being traced. Copy data in/out of the process being traced.
.Bd -literal .Bd -literal
@ -211,7 +228,7 @@ to
.Va strp_policy . .Va strp_policy .
.It Dv STRIOCGETCWD Fa "pid_t" .It Dv STRIOCGETCWD Fa "pid_t"
Set the working directory of the current process to that of the Set the working directory of the current process to that of the
named process. specified process.
.It Dv STRIOCRESCWD .It Dv STRIOCRESCWD
Restore the working directory of the current process. Restore the working directory of the current process.
.El .El
@ -231,5 +248,7 @@ The
.Nm .Nm
facility first appeared in facility first appeared in
.Ox 3.2 . .Ox 3.2 .
It appeared in
.Nx 1.7 .
.\" .Sh BUGS .\" .Sh BUGS
.\" .Sh CAVEATS .\" .Sh CAVEATS