OpenBSD Journal

Systrace in Ports Build

Contributed by jose on from the more-security dept.

The ports tree now has support for building ports under systrace. From the commit message:
this makes our build infrastructure systrace aware
original idea from jsyn@, discussed and first tests at c2k3
Warning!
- this commit is different from all patches sent around, please remove
them before updating
- due to a few bugs in systrace this is currently not ready for the casual
porter and several ports will fail to build, you've been warned
The idea of this patch is to help a porter when developing a new port.
With systrace the configure, build and fake stages are not allowed to
open network connections or write outside some well defined directories.
This way misbehaving programs will be noticed due to logfile entries in
/var/log/messages and the port can be fixed. There is generally no need
for end users to use this, as the checksum ensures that ports in the
future will behave the same as they did when porting. :)
To activate systrace'd port building, set USE_SYSTRACE=Yes (e.g. in
/etc/mk.conf).
There are some known issues, and a noticeable performance hit for some people. However, this should help manage the risk associated with the ports tree and third-party software.
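As an added example, not part of the commit or of the ports infrastructure, here is a small sh script that summarises the systrace denials a USE_SYSTRACE=Yes build leaves in /var/log/messages, grouped by program and syscall, so a porter can see which stage tried to reach the network or write outside the allowed directories. The "deny ... prog: ..., syscall: ..." line layout is assumed from systrace's syslog output, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the OpenBSD ports tree): summarise systrace denials
# that a USE_SYSTRACE=Yes build left in /var/log/messages.
#
# Assumption: the "systrace: deny ... prog: X, ... syscall: Y(N)" layout is
# modelled on systrace's syslog messages and is not quoted from the page.

# Print one line per (program, syscall) pair as "prog syscall count",
# most frequent first. $1 = path to a messages-style log file.
# Usage: systrace_denials /var/log/messages
systrace_denials() {
    grep 'systrace: deny' "$1" |
    sed -n 's/.*prog: \([^,]*\),.*syscall: \([^,(]*\).*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ printf "%s %s %d\n", $2, $3, $1 }'
}

# Constructed sample log: two network attempts by a configure-time test
# program, one write outside the work directory during "make fake", and an
# unrelated sshd line that must be ignored. Prints the temp file's path.
sample_log() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
Jun  4 10:01:02 build systrace: deny user: root, prog: /usr/obj/ports/foo-1.0/foo-1.0/conftest, pid: 1234(0)[0], policy: /usr/bin/make, filters: 0, syscall: native-connect(97), sockaddr: inet-[192.0.2.10]:80
Jun  4 10:01:03 build systrace: deny user: root, prog: /usr/obj/ports/foo-1.0/foo-1.0/conftest, pid: 1235(0)[0], policy: /usr/bin/make, filters: 0, syscall: native-connect(97), sockaddr: inet-[192.0.2.10]:80
Jun  4 10:05:40 build systrace: deny user: root, prog: /usr/bin/install, pid: 1300(0)[0], policy: /usr/bin/make, filters: 0, syscall: native-open(5), filename: /usr/local/share/foo/data
Jun  4 10:05:41 build sshd[200]: Accepted publickey for build from 192.0.2.1
EOF
    echo "$tmp"
}
```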



Comments
  1. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

    I have been running with that make variable set since it was committed, and I have had no problems. A few weird messages (but they are a known bug), but everything works well. =)

  2. By Michael van der Westhuizen () on

    performance... security...

    security... performance...

    I think I'll take security thank you very much!

    Comments
    1. By Peter Hessler () spambox@theapt.org on http://www.theapt.org

      I have not noticed a big performance hit. I'm sure there is one, and I'm sure it's much more noticeable on a slower machine, but I don't see it on my setup.
