Contributed by grey on from the at this rate all chapters will be published online, in a decade dept.
http://www.awprofessional.com/articles/article.asp?p=363731
I consider this chapter to be one of the best resources available on systrace usage. By making this detailed exposition available to anyone online, hopefully we will see more widespread deployment of this powerful tool. Of course we still think our readers can find a lot of other useful information on OpenBSD subject matter with a complete copy of the text by Brandon Palmer and Jose Nazario which can be found from a variety of sources.
By SH (82.182.103.172) on
There have been some attempts to have a community for use of systrace, like Project Hairy Eyeball, but those efforts seem to stall after some time. I don't know why they lost interest, perhaps because of the effort required?
By grey (207.215.223.2) on
http://www.systrace.org/
The systrace mailing list hosted by monkey.org
Niels Provos' CITI webpage on systrace
By Luiz Gustavo (200.165.129.236) on http://hades.uint8t.org
Everybody is welcome to test, fix and perhaps even open a cvs to share resources.
By mirabile (212.185.103.56) on http://mirbsd.de/
(not of pristine OpenBSD, though) with systrace while disallowing write access to the installation location at compile time and vice versa (even if installing to /, /usr/obj is a no-no to write to ;).
That helped me while porting gcc 3.4 ;)
The policy is based upon the one from the ports tree, but the latter doesn't disallow the accesses.
By Anonymous Coward (81.64.227.144) on
Another difficulty I encountered is the performance decrease. Very sensible when running daemons under systrace (I did this for apache+php, mysql and postfix).
Any tips there to avoid/reduce the impact on performance? Are there some systrace directives (e.g. like "inpath" or "re", or syscall aliasing) we should avoid? Did someone benchmark how performance evolves when the ruleset grows?
By Luiz Gustavo (200.225.76.130) on http://hades.uint8t.org
It would be interesting to run full test suites like MySQL super smack, bonnie++, postmark and others.
Keep in mind that more testing will only help to get it better.
By grey (207.215.223.2) on
By Luiz Gustavo (200.217.237.55) on http://hades.uint8t.org
By rene (138.217.52.28) on
By Kevin Kadow (163.192.21.46) on
From "man ports":
USE_SYSTRACE
Set to `Yes' to protect the configure, build, and fake targets with systrace(1). This way it is ensured that ports do not make any network connections during build or write outside some well defined directories. The filter list is stored in ${PORTSDIR}/infrastructure/db/systrace.filter
This doesn't change how the program executes once it is installed, just adds a little extra protection against trojans in the build/install process itself.
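A policy of the kind mirabile and the ports tree description above are talking about (no network during the build, writes confined to the work directory, the installation location read-only), written here as an added example in the policy syntax documented in systrace(1). This is a constructed illustration, not the ports tree's systrace.filter and not mirabile's policy; the program path, /usr/obj as the work directory and /usr/local as the installation location are assumptions.

```text
# Constructed example policy for a build run under systrace(1).
# Not the ports infrastructure filter; paths are placeholders.
Policy: /usr/bin/make, Emulation: native
	# Reads anywhere are fine for a build. Writes are confined to the
	# work directory and a few harmless device nodes, so the build can
	# never touch the installation location (the point of USE_SYSTRACE).
	native-fsread: permit
	native-fswrite: filename match "/usr/obj/*" then permit
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: filename eq "/dev/null" then permit
	native-fswrite: filename eq "/dev/tty" then permit
	# Log attempts on the install prefix explicitly so a trojaned
	# build script shows up in syslog rather than failing silently.
	native-fswrite: filename match "/usr/local/*" then deny[eperm] log
	native-fswrite: deny[eperm]
	# No network during the build: refuse sockets and connects with an
	# errno the tools handle gracefully, and log every attempt.
	native-socket: sockdom eq "AF_INET" then deny[eafnosupport] log
	native-socket: sockdom eq "AF_INET6" then deny[eafnosupport] log
	native-connect: deny[enetunreach] log
	native-bind: deny[eperm] log
	# Child processes (sh, cc, ld) run under the same policy.
	native-execve: permit[inherit]
```

Rules are matched in order, so the catch-all `native-fswrite: deny[eperm]` must come last; a system call with no matching rule falls back to asking, which is what makes a missing rule show up during a test build instead of being silently permitted. The `log` keyword is what gives a defender a record of the attempt even though it was denied.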
By Anonymous Coward (217.120.147.78) on
By Ray (199.67.140.77) on
Am I the only one who notices that there is an <em> tag that should be an </em> which causes all the text to be italicized?
-Ray-
By Anonymous Coward (149.72.4.199) on
By Anonymous Coward (131.130.1.143) on
All-italics is quite annoying :)
By Anonymous Coward (67.34.129.203) on
By Anonymous Coward (141.157.230.127) on
By Anonymous Coward (195.217.242.33) on
you are obviously a terrorist !
By Anonymous Coward (141.157.230.127) on