Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
136,916 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

18 Commits

Author SHA1 Message Date
provos d6497b197c provide translation for fcntl cmd names; requested by Nicolai Johannes 2005-05-07 15:11:02 +00:00
provos d830f0d651 increase the maximum length of allowable system call names 2004-12-01 03:30:07 +00:00
provos 61d0495091 support for cradle mode by marius at monkey.org; cradle mode allows the 
systrace UI to be attached and re-attached, it also multiplexes across
systrace process so that one UI can function as central notification
 2003-11-28 21:53:32 +00:00
cb 5f734a1850 fix a race condition between path resolution in userland 
and the subsequent namei(): inform the kernel portion of
valid filenames and then disallow symlink lookups for
those filenames by means of a hook in namei().
with suggestions from provos@

also, add (currently unused) seqnr field to struct
systrace_replace, from provos@
 2003-08-25 09:12:42 +00:00
provos 2268d69749 support for a new kernel message that informs userland that an in-kernel 
policy has been freed.  this allows us to enforce the kernel policy size
limit for users while users are still able to execute an arbitary number
of applications;  the protocol change is backwards compatible.
 2003-06-03 04:33:44 +00:00
provos bd80d3ced7 permit numberic values for uid and gid; allow "<" and ">" for less and 
greater; requested by dugsong
 2003-05-20 22:45:13 +00:00
provos a2468a8d04 new "ask" action. creates a new rule that prompts the user for an 
action but allows only yes or no answer.  inspired from talking
with dugsong@monkey
 2003-03-25 23:17:29 +00:00
provos 695ad5ee17 add support for regular expressions to be more flexible with policy string 
matching.
 2002-11-02 20:04:20 +00:00
provos 98c03e54fd register pidname and signame translation for kill(2) 2002-11-02 19:49:21 +00:00
provos c989923700 rename exported variables to avoid name space polution. 2002-11-02 19:43:27 +00:00
provos 61e8c76047 support for privilege elevation. 
with privilege elevation no suid or sgid binaries are necessary any
longer.  Applications can be executed completely unprivileged. Systrace
raises the privileges for a single system call depending on the
configured policy.

Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
Approved by christos and thorpej.
 2002-10-11 21:54:55 +00:00
provos 931062ce16 translation for socket system call 2002-10-11 04:40:11 +00:00
provos 89afc325c0 predicates are part of the grammar now; in non-root case, predicates are 
evaluated only once; in root case, predicates and variable expansion are
dynamic.
 2002-10-08 14:49:23 +00:00
itojun d584f0a0fc support for templates. they allow fast generation of new policies. an 
appropriate template can be inserted during initial policy generation.
from provos
 2002-09-23 04:35:41 +00:00
itojun b6aefbe19f sync with latest systrace in openbsd tree. improved systrace with chroot. 2002-08-28 03:52:44 +00:00
itojun 71a4240254 aenable linux systrace only on platforms that support it. 
noted by hannken@eis.cs.tu-bs.de
 2002-08-01 08:47:03 +00:00
itojun 4f0c9c76b6 sync up with latest openbsd systrace. 
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already

due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work).  upgrade both.
 2002-07-30 16:29:28 +00:00
christos 5039a9e5ee Add userland portion of systrace. 2002-06-17 16:29:07 +00:00