and the subsequent namei(): inform the kernel portion of
valid filenames and then disallow symlink lookups for
those filenames by means of a hook in namei().
with suggestions from provos@
also, add (currently unused) seqnr field to struct
systrace_replace, from provos@
policy has been freed. this allows us to enforce the kernel policy size
limit for users while users are still able to execute an arbitary number
of applications; the protocol change is backwards compatible.
with privilege elevation no suid or sgid binaries are necessary any
longer. Applications can be executed completely unprivileged. Systrace
raises the privileges for a single system call depending on the
configured policy.
Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
Approved by christos and thorpej.
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already
due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work). upgrade both.
process and "parent" process is more conducive to policy generation.
Previously, tracing of a given program worked something like this:
fork()
if (child)
execprogram()
else
dotracing()
That means that if you "systrace -a named", named would fork and
background itself, but you would never get your prompt back because
systrace didn't exit. Now it works like this:
fork()
if (interactive)
if (child)
execprogram()
else
dotracing()
else
if (parent)
execprogram()
else
fork()
if (parent)
exit(0)
setsid()
dotracing()
This makes it *much* easier to do automated policy generation for
tasks run from rc.d. Or, for that matter, makes it much easier to use
systrace with tasks run from rc.d.
cb