5759456a18
Avoid confict with reserved identifier "log".
2002-12-06 01:43:18 +00:00
fec70f4a84
typos; fgsch@olimpo.com.br
2002-12-05 19:33:39 +00:00
e9f87b6c2c
better parsing of # comments
2002-12-04 03:19:05 +00:00
da50ee4397
prevent attempt to use in-kernel fastpath for aliased system calls.
2002-11-25 06:25:09 +00:00
048da773ed
error messages need to go to stderr
2002-11-23 17:42:45 +00:00
49d6b23841
check for trans_size is not needed.
2002-11-15 21:36:25 +00:00
695ad5ee17
add support for regular expressions to be more flexible with policy string
...
matching.
2002-11-02 20:04:20 +00:00
c27faa29c9
performance improvement by omitting a redundant getcwd.
2002-11-02 19:57:02 +00:00
98c03e54fd
register pidname and signame translation for kill(2)
2002-11-02 19:49:21 +00:00
c989923700
rename exported variables to avoid name space polution.
2002-11-02 19:43:27 +00:00
e93fe1e2ba
NULL to 0; from navin@gdit.iiit.net
2002-11-02 16:27:46 +00:00
8b5e86873c
typo, reported by avsm@openbsd
2002-10-31 23:01:27 +00:00
5f7d4eab6c
fix bug in determining execve name
2002-10-30 17:39:34 +00:00
e9ac78c504
allow empty string
2002-10-29 15:44:38 +00:00
4df7def23e
missing break; from grange@rt.mipt.ru
2002-10-28 16:50:05 +00:00
196f994fd8
use .Nx 2.0 consistently in HISTORY section
...
add .\" NEXTRELEASE tag before the .Nx to make it possible to quickly
find version references in case this would need to be changed
2002-10-23 09:44:35 +00:00
04a469212b
cleanup
2002-10-17 04:45:04 +00:00
553d79070e
\n before new sentence.
2002-10-16 14:58:33 +00:00
e8745f23b6
sync better w/ openbsd tree (cosmetic)
2002-10-16 14:56:11 +00:00
690d7c3ad0
fix type; its "as :group"
2002-10-11 23:31:00 +00:00
61e8c76047
support for privilege elevation.
...
with privilege elevation no suid or sgid binaries are necessary any
longer. Applications can be executed completely unprivileged. Systrace
raises the privileges for a single system call depending on the
configured policy.
Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
Approved by christos and thorpej.
2002-10-11 21:54:55 +00:00
931062ce16
translation for socket system call
2002-10-11 04:40:11 +00:00
1b3623c27a
correctly evaluate group predicates
2002-10-10 14:06:30 +00:00
306becc9b9
add A to usage; noted by nickus@mpi-cbg.de
2002-10-08 14:50:57 +00:00
89afc325c0
predicates are part of the grammar now; in non-root case, predicates are
...
evaluated only once; in root case, predicates and variable expansion are
dynamic.
2002-10-08 14:49:23 +00:00
ed21532463
"output" is a pointer of size "outlen", so use outlen instead of
...
sizeof(output)
From: "Vincent Labrecque" <vincent@psyfreaks.ca>
2002-10-08 02:47:59 +00:00
4b7278c7f2
use FNM_LEADING_DIR
2002-10-06 03:16:25 +00:00
9008ac33c8
assume that inserting a template implies permit for the current syscall
2002-10-06 01:28:55 +00:00
a79af4d624
fix return value; from marius@umich.edu
2002-09-28 17:56:54 +00:00
14dfaa4b03
New policy: New sentences start on a new line.
...
Patches by Robert Elz <kre at munnari oz au>, with minimal changes by me.
2002-09-25 15:18:36 +00:00
d584f0a0fc
support for templates. they allow fast generation of new policies. an
...
appropriate template can be inserted during initial policy generation.
from provos
2002-09-23 04:35:41 +00:00
ca5a36677b
split white space and single line policy processing into separate
...
functions. from provos
2002-09-17 05:07:21 +00:00
0b2d2fe3d7
daemon should not change the directory. from provos
2002-09-17 04:54:36 +00:00
c1261b4aff
periodically save policies that have been modified. from provos
...
>here is a diff that will cause systrace to periodically save policies
>that have been modified. Useful if you run systrace on an xterm and
>kill it accidently. Or other applications like opera that are long
>running and can cause weird crashes.
2002-09-16 04:31:46 +00:00
c81b949059
allow # in system call name. remove trailing white space.
...
from provos
2002-08-30 17:09:31 +00:00
b6aefbe19f
sync with latest systrace in openbsd tree. improved systrace with chroot.
2002-08-28 03:52:44 +00:00
146a774973
Use ${NETBSDSRCDIR}/some/path instead of ${.CURDIR}/../../some/path (etc).
2002-08-19 09:56:00 +00:00
236006d5dc
Remove extraneous \n's in {err,warn}{,x} that used to be printfs.
2002-08-08 13:24:12 +00:00
95c7243aec
more effort to make it compile on platforms w/o linux emul
2002-08-02 14:29:34 +00:00
71a4240254
aenable linux systrace only on platforms that support it.
...
noted by hannken@eis.cs.tu-bs.de
2002-08-01 08:47:03 +00:00
2b8709b902
backout previous. mandoc(4) lies.
2002-07-31 00:28:02 +00:00
822deb809a
.Bd -offset does not take numeric arg, but string.
2002-07-31 00:26:56 +00:00
bdd538626a
re-apply part of rev. 1.4 - Explain why you would use this.
...
contrary to rev. 1.4, keep 'The options are as follows' sentence, since
this seems to be used more on system manpages
2002-07-30 21:58:25 +00:00
e9b2b4b074
re-apply changes in rev. 1.3 - Slight changes to the English.
2002-07-30 21:43:26 +00:00
93aef72209
Sort sections, Sh -> Ss in one place.
2002-07-30 17:06:58 +00:00
4f0c9c76b6
sync up with latest openbsd systrace.
...
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already
due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work). upgrade both.
2002-07-30 16:29:28 +00:00
8f6326d364
A local copy of <sys/tree.h> is unnecessary.
2002-07-30 06:09:56 +00:00
11bb544ec0
Mostly just a rewrite of intercept_run() so the arrangement of "child"
...
process and "parent" process is more conducive to policy generation.
Previously, tracing of a given program worked something like this:
fork()
if (child)
execprogram()
else
dotracing()
That means that if you "systrace -a named", named would fork and
background itself, but you would never get your prompt back because
systrace didn't exit. Now it works like this:
fork()
if (interactive)
if (child)
execprogram()
else
dotracing()
else
if (parent)
execprogram()
else
fork()
if (parent)
exit(0)
setsid()
dotracing()
This makes it *much* easier to do automated policy generation for
tasks run from rc.d. Or, for that matter, makes it much easier to use
systrace with tasks run from rc.d.
2002-07-03 22:54:38 +00:00
716daf6160
Sort sections.
2002-06-26 15:29:43 +00:00
28272e6493
Explain why you would use this. Reword a little and add some history.
2002-06-26 06:50:14 +00:00
1e4714b470
Slight changes to the English.
2002-06-20 10:07:42 +00:00
2265b1ff78
Fix warnings on Alpha: Cast to intptr_t to extract ints stored in void *'s,
...
and pull in proper prototypes.
2002-06-18 21:22:45 +00:00
44e317ae3d
Do the previous slightly differently.
2002-06-18 21:21:17 +00:00
2623bb99b9
Add an extra cast to size_t when extracting an int stored in a void *.
...
(XXX Gross.)
2002-06-18 21:19:59 +00:00
3196ec98ba
need ${.CURDIR} for linux_syscalls.c include
2002-06-18 09:52:04 +00:00
4192e0aa5a
Fix an include snafu pointed out by Matt Thomas.
2002-06-18 02:55:19 +00:00
873bb550a0
Some const poisoning.
2002-06-18 02:49:08 +00:00
0e0062e921
* Use CPPFLAGS for preprocessor flags, not CFLAGS.
...
* Don't -I/sys -- that breaks cross-building. Instead, use relative
pathnames in netbsd-syscalls.c, similar to what kdump does.
* No need to explicitly CLEANFILES the generated lex/yacc results.
* No need to link against libl and liby.
2002-06-18 01:37:12 +00:00
5a040ec813
The SYSTR_CLONE ioctl is gone, so don't use it. (The kernel clones
...
the systrace communication channel as needed.)
2002-06-18 01:25:04 +00:00
b70e67425c
No .Pp before .Sh, drop trailing space, sort sections.
2002-06-17 17:06:08 +00:00
5039a9e5ee
Add userland portion of systrace.
2002-06-17 16:29:07 +00:00
thorpej