Contributed by jose on from the small-intro dept.
Really briefly, when I create a systrace policy I tend to run the program under systrace -A with any arguments, use it a bit, and then edit the resulting policy file. I go through the filenames and change the ones I can from exact matches (the eq in the policy file) to globbing matches, using the match action in the systrace file. For example, I have a line like

native-fsread: filename match "/usr/lib/libc.so.*" then permit

This allows me to match any version of my libc shared object, which is great for upgrading. I also do this with inet sockets, specifying all of my DNS servers, and I also roll up my directory matches. Then I run the program under systrace -a and watch how it fails (it logs to the syslog) and adjust my policy as needed. This iterative approach seems to work for me, but I didn't think this was well explained in Lucas' article.
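The eq-to-match editing step described above, done with a small shell script instead of by hand. This is an added example, not part of the original post: the sample policy it writes is constructed (the program path, library versions and the 192.0.2.53 resolver address are placeholders), and the functions make_sample_policy and relax_policy are my own names. It converts versioned shared-library paths under /usr/lib into globbing match rules, rolls every file under a listed directory up into one DIR/* rule, and then drops the duplicate lines that roll-up produces, keeping the first occurrence since systrace evaluates a policy top-down.

```shell
#!/bin/sh
# Added example: turn the exact-match (eq) lines that `systrace -A` generates
# into globbing (match) lines, the way the post describes doing by hand.
# Everything in the sample policy is constructed for illustration.

# Write a constructed sample of an auto-generated policy to the file named in $1.
make_sample_policy() {
    cat > "$1" <<'EOF'
Policy: /usr/local/bin/example, Emulation: native
    native-__sysctl: permit
    native-fsread: filename eq "/usr/lib/libc.so.96.1" then permit
    native-fsread: filename eq "/usr/lib/libm.so.10.0" then permit
    native-fsread: filename eq "/usr/share/locale/en_US.UTF-8/LC_CTYPE" then permit
    native-fsread: filename eq "/usr/share/locale/en_US.UTF-8/LC_MESSAGES" then permit
    native-fsread: filename eq "/etc/resolv.conf" then permit
    native-connect: sockaddr eq "inet-[192.0.2.53]:53" then permit
EOF
}

# relax_policy FILE [DIR...]
#   1. /usr/lib/libNAME.so.MAJOR.MINOR  ->  /usr/lib/libNAME.so.*  (survives library upgrades)
#   2. every file under a listed DIR    ->  DIR/*                  (directory roll-up)
#   3. drop duplicate lines, keeping the first occurrence, because systrace
#      reads a policy top-down and the first matching rule decides.
# Lines that are not filename-eq rules (sockaddr, plain permits) pass through untouched.
relax_policy() {
    file=$1; shift
    relaxed=$(sed -E \
        's#filename eq "(/usr/lib/lib[A-Za-z0-9_+-]+\.so)\.[0-9.]+"#filename match "\1.*"#' \
        "$file")
    for d in "$@"; do
        # assumes DIR contains no '#' or '"' (sed delimiter and quote character here)
        relaxed=$(printf '%s\n' "$relaxed" |
            sed "s#filename eq \"$d/[^\"]*\"#filename match \"$d/*\"#")
    done
    printf '%s\n' "$relaxed" | awk '!seen[$0]++'
}

# Stand-alone usage: print the relaxed policy for review before installing it
# in ~/.systrace/ and re-running the program under `systrace -a`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) || exit 1
    make_sample_policy "$tmp"
    relax_policy "$tmp" /usr/share/locale
    rm -f "$tmp"
fi
```

Review the printed policy before using it: the roll-up is only as safe as the directory you name, so list directories the program should be able to read wholesale (locale data, shared library directories) rather than anything under /etc or $HOME.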