elad
3752840791
Add a new keyword, ``topdir'', that grants access only if the file is
in a hierarchy below the specified path.
2005-08-24 19:09:03 +00:00
elad
3df38a6c89
Make inpath work like strstr again. :)
2005-08-10 21:53:01 +00:00
elad
4e11de6548
Further correct handling of `inpath'.
The path in the policy is not normalized, and shouldn't be. We accept
only an absolute path, possibly with one trailing slash. Make note of
that in the manpage.
2005-07-04 16:32:30 +00:00
elad
931e7a5f52
Make `inpath' work as expected. Closes PR 29677.
Reported by Christian Biere, based on usenet post by John Wong.
2005-07-01 17:12:41 +00:00
elad
1d53f8bfa8
Use strcmp() when comparing strings in systrace.
Reported by Christian Biere in PR29676.
2005-07-01 16:12:11 +00:00
christos
250ff65369
Const poisoning.
2005-06-24 23:21:09 +00:00
lukem
5166671bc3
appease gcc -Wuninitialized
2005-06-01 15:41:19 +00:00
provos
61d0495091
support for cradle mode by marius at monkey.org; cradle mode allows the
systrace UI to be attached and re-attached, it also multiplexes across
systrace process so that one UI can function as central notification
2003-11-28 21:53:32 +00:00
provos
43914d5f2f
change CWD handling. CWD is fixed to the CWD of the systrace process.
2003-08-02 14:24:30 +00:00
provos
2268d69749
support for a new kernel message that informs userland that an in-kernel
policy has been freed. this allows us to enforce the kernel policy size
limit for users while users are still able to execute an arbitrary number
of applications; the protocol change is backwards compatible.
2003-06-03 04:33:44 +00:00
provos
c57cb7fe98
escape " and \ to \" and \\; with the help of marius@monkey.org;
2003-06-03 01:20:06 +00:00
provos
bd80d3ced7
permit numeric values for uid and gid; allow "<" and ">" for less and
greater; requested by dugsong
2003-05-20 22:45:13 +00:00
provos
4a6e1b3b24
fix EOF on input bug; from mpech@prosoft
2003-04-23 17:44:59 +00:00
provos
e3cb39834b
mention "parse error" on stdout for interactive policy generation
2003-03-26 03:40:02 +00:00
provos
a2468a8d04
new "ask" action. creates a new rule that prompts the user for an
action but allows only yes or no answer. inspired from talking
with dugsong@monkey
2003-03-25 23:17:29 +00:00
provos
887e433ee2
bug in profile feedback optimization; found by dirt@monkey
2003-03-25 22:48:42 +00:00
provos
da50ee4397
prevent attempt to use in-kernel fastpath for aliased system calls.
2002-11-25 06:25:09 +00:00
provos
49d6b23841
check for trans_size is not needed.
2002-11-15 21:36:25 +00:00
provos
695ad5ee17
add support for regular expressions to be more flexible with policy string
matching.
2002-11-02 20:04:20 +00:00
provos
e93fe1e2ba
NULL to 0; from navin@gdit.iiit.net
2002-11-02 16:27:46 +00:00
provos
61e8c76047
support for privilege elevation.
with privilege elevation no suid or sgid binaries are necessary any
longer. Applications can be executed completely unprivileged. Systrace
raises the privileges for a single system call depending on the
configured policy.
Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
Approved by christos and thorpej.
2002-10-11 21:54:55 +00:00
provos
1b3623c27a
correctly evaluate group predicates
2002-10-10 14:06:30 +00:00
provos
89afc325c0
predicates are part of the grammar now; in non-root case, predicates are
evaluated only once; in root case, predicates and variable expansion are
dynamic.
2002-10-08 14:49:23 +00:00
provos
4b7278c7f2
use FNM_LEADING_DIR
2002-10-06 03:16:25 +00:00
provos
9008ac33c8
assume that inserting a template implies permit for the current syscall
2002-10-06 01:28:55 +00:00
itojun
d584f0a0fc
support for templates. they allow fast generation of new policies. an
appropriate template can be inserted during initial policy generation.
from provos
2002-09-23 04:35:41 +00:00
itojun
b6aefbe19f
sync with latest systrace in openbsd tree. improved systrace with chroot.
2002-08-28 03:52:44 +00:00
soren
236006d5dc
Remove extraneous \n's in {err,warn}{,x} that used to be printfs.
2002-08-08 13:24:12 +00:00
itojun
4f0c9c76b6
sync up with latest openbsd systrace.
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already
due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work). upgrade both.
2002-07-30 16:29:28 +00:00
thorpej
873bb550a0
Some const poisoning.
2002-06-18 02:49:08 +00:00
christos
5039a9e5ee
Add userland portion of systrace.
2002-06-17 16:29:07 +00:00