OpenBSD Journal

Systrace explained @ oreillynet

Contributed by jose on from the sandbox dept.

floh writes:
"Michael Lucas (of Absolute BSD fame) does a nice job of explaining what systrace does and how to write a systrace policy in this article."
It's a very brief article, but serves as useful documentation on Systrace (found in NetBSD as well as OpenBSD).

(Comments are closed)

  1. By Justin () on

    It is brief but I really didn't have a grasp on what systrace really did. I am not a C programmer so the brief clarification at the beginning was very nice too. It does seem like it is going to be mega cool when it is fully implemented.

    Tools like this require that you understand more of the system than I am used to understanding, which is good and bad. Bad because then I have got to take some time to know what I am doing. Good because of the same reason as bad.

    This goes well with the previous post on deadly about documentation. Good timing and well done Michael.

  2. By Script Kiddie! () on

    - Chroot'd processes
    - Non-executable stack
    - Systrace

    It's like breaking into a house and being stuck in a box with nothing to do :(

    You never let me have any fun lol

  3. By Anonymous Coward () on

    I admit that I haven't looked into it very much so I could be totally wrong, but the thing that stops me from using systrace is this quote from Provos' systrace page: You need to install both the gtk frontend and the systrace userland.

    Does it really need the frontend? My OpenBSD box is headless, what are my options?

    1. By jose () on

      nope, you can use systrace in terminal only mode. i do all the time (you get a small text question about what to do unless you have autoenforce on).

      the normal Xsystrace that ships with the system uses simple X widgets. the extended gtksystrace uses the gtk widgets.

      you don't need gtk or even X to run systrace.

  4. By Anonymous Coward () on

    how does systrace compare to cerber for freebsd? (ok, cerber is a kernel module. i mean functionality differences.)

    1. By Andrew Thomas Pinski () on

      more complex configuration file it looks like.

    2. By tedu () on

      at first glance it looks like cerber keeps all the config data in the kernel. systrace keeps it in the userland, and the kernel asks a userland process when it needs to make a decision.

    3. By RC () on

      In addition, there is also Cylant Secure for FreeBSD/Linux, although it isn't Open Source...

      It's a bit more advanced, and doesn't require the user to set up config files either. I tried it for a short time, and decided that I preferred systrace's method, despite the advanced setup. One thing in Cylant's favor is that it is more mature, and some companies are using it in real-world situations.

  5. By MK () on

    So what's the deal with systrace anyway? Is it a netbsd project now?

    AFAICT there have been no openbsd systrace commits since Dec 11, and Provos' page states that systrace is now part of netbsd -current.

    And please no fucking "speculation". Does anyone have any FACTS about this?

    1. By Anonymous Coward () on

      seems Niels doesn't have commit access to OpenBSD anymore. All the systrace commits he makes to the NetBSD tree are backported to OpenBSD, mainly by itojun@

      1. By Anonymous Coward () on

        "seems Niels doesn't have commit access to OpenBSD anymore."

        I'd like to know how did that happen. I mean, Provos is an awesome coder and well respected security developer. Why in the world would we want to lose someone like him? (by going to NBSD is not actually losing, but it certainly is a step farther away).

        1. By Anonymous Coward () on



Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]