OpenBSD Journal

systrace in OpenBSD

Contributed by grey on from the at this rate all chapters will be published online, in a decade dept.

Just a week after the last preview chapter from Secure Architectures with OpenBSD, Addison Wesley Professional put up the chapter "systrace in OpenBSD" available here:

I consider this chapter to be one of the best resources available on systrace usage. By making this detailed exposition available to anyone online, hopefully we will see more widespread deployment of this powerful tool. Of course we still think our readers can find a lot of other useful information on OpenBSD subject matter in a complete copy of the text by Brandon Palmer and Jose Nazario, which can be found from a variety of sources.

(Comments are closed)

  1. By SH ( on

    Jose's stsh is very handy for having systraced login shells, but there is a huge amount of work to make/test/maintain many policies. While making policies for a few not-too-complicated daemons or applications is doable, doing the same for many programs seems less than doable (depending on the amount of time one may spend, of course). Comprehensive testing is important, and of course time consuming, to ensure that things do not break. Example: generate a policy for /bin/mv, but only test/develop it on one partition. This policy could break mv when attempting to mv a file from one filesystem to another.

    There have been some attempts to have a community for use of systrace, like Project Hairy Eyeball, but those efforts seem to stall after some time. I don't know why they lost interest, perhaps because of the effort required?

    1. By Luiz Gustavo ( on

      I have been keeping in my spare time an updated policy at

      Everybody is welcome to test, fix and perhaps even open a CVS to share resources.

    2. By mirabile ( on

      I've had pretty much success building the entire base system (not of pristine OpenBSD, though) with systrace while disallowing write access to the installation location at compile time and vice versa (even if installing to /, /usr/obj is a no-no to write to ;).

      That helped me while porting gcc 3.4 ;)

      The policy is based upon the one from the ports tree, but the latter doesn't disallow the accesses.

    3. By Anonymous Coward ( on

      Another difficulty I encountered is the performance decrease. It is very noticeable when running daemons under systrace (I did this for apache+php, mysql and postfix).

      Any tips there to avoid/reduce the impact on performance? Are there some systrace directives (e.g. "inpath" or "re", or syscall aliasing) we should avoid? Has someone benchmarked how performance evolves as the ruleset grows?

      1. By Luiz Gustavo ( on

        AFAIK Niels did have a paper with some basic benchmarks with systraced applications.

        Would be interesting running full sets like MySQL super smack, bonnie++, postmark and others.

        Keep in mind that more testing will only help to get it better.

      2. By grey ( on

        It's been a while, but I seem to recall Chris Kuethe (from UoA) mentioning that rule ordering is significant with respect to performance in systrace policies. I don't believe I've ever found much of a resource or advice on that particular aspect (at least it's not in the man page), but possibly the systrace mailing list or other readers (thanks for your input already Luiz!) here could share any experiences in that respect.

        1. By Luiz Gustavo ( on

          I usually try to follow an organization that looks the same to whoever is reading, similar to Dug Song's original usr_sbin_sshd policy.

      3. By rene ( on

        Take a look at Niels Provos' original paper at It's got some useful benchmarks and ways to improve performance (use match instead of regex when appropriate, for example).
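Three points in this thread can be exercised together: SH's warning that a policy generated while mv only ran inside one partition will break mv across filesystems, grey's recollection that rule ordering matters for performance, and rene's advice to prefer match over regex. The following is an added example written for this page, not code from the book, from systrace or from any commenter. It models policy evaluation as first-match-wins over the rules for a given syscall and counts how many predicates get evaluated; it handles only a subset of the real systrace policy syntax (one rule per line, predicates joined by "and", no aliases); and the policies, file paths and syscall traces are constructed for illustration rather than recorded on a real system.

```python
import fnmatch
import re

# Subset of systrace(1) policy syntax modelled here (one rule per line):
#   <emul>-<syscall>: <arg> <op> "<pattern>" [and ...] then <action>  |  <emul>-<syscall>: <action>
RULE_RE = re.compile(r'^\s*(\w+)-(\w+):\s*(.*?)\s*$')
PRED_RE = re.compile(r'^(\S+)\s+(match|eq|neq|sub|nsub|re)\s+"(.*)"$')
PRED_OPS = {"match": lambda pat, v: fnmatch.fnmatchcase(v, pat), "eq": lambda pat, v: v == pat,
            "re": lambda pat, v: re.search(pat, v) is not None, "neq": lambda pat, v: v != pat,
            "sub": lambda pat, v: pat in v, "nsub": lambda pat, v: pat not in v}

def parse_policy(text):
    """Return [(syscall, [(arg, op, pattern), ...], action)] in file order."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Policy:"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        _emul, syscall, rest = m.groups()
        preds, action = [], rest
        if " then " in rest:
            pred_text, action = rest.rsplit(" then ", 1)
            for p in pred_text.split(" and "):  # patterns must not contain ' and '
                preds.append(PRED_RE.match(p.strip()).groups())  # AttributeError if malformed
        rules.append((syscall, preds, action.strip()))
    return rules

def first_match(rules, call):
    """First-match-wins; returns (index of the matching rule or None, predicates evaluated)."""
    evals = 0
    for i, (syscall, preds, _action) in enumerate(rules):
        if syscall != call["syscall"]:
            continue
        for arg, op, pat in preds:
            evals += 1
            if not PRED_OPS[op](pat, call.get(arg, "")):
                break
        else:  # every predicate held (trivially so for a rule without predicates)
            return i, evals
    return None, evals

def check_trace(rules, trace):
    """Return (syscalls with no matching rule, total predicate evaluations)."""
    uncovered, total = [], 0
    for call in trace:
        idx, n = first_match(rules, call)
        total += n
        if idx is None:
            uncovered.append(call["syscall"])
    return uncovered, total

def reorder_by_hits(rules, trace):
    """Move each syscall's most frequently matched rules first, but only where all of that
    syscall's rules share one action: reordering a permit/deny mix could change the decision."""
    hits = [0] * len(rules)
    for idx, _ in (first_match(rules, c) for c in trace):
        if idx is not None:
            hits[idx] += 1
    out = list(rules)
    for syscall in {r[0] for r in rules}:
        slots = [i for i, r in enumerate(rules) if r[0] == syscall]
        if len({rules[i][2] for i in slots}) == 1:
            for slot, i in zip(slots, sorted(slots, key=lambda i: -hits[i])):
                out[slot] = rules[i]
    return out

# Constructed policy, as a run of mv(1) confined to /home might leave it: rename
# inside /home only, no fswrite/unlink rules, and a regex rule ahead of a glob.
POLICY_ONE_FS = """\
Policy: /bin/mv, Emulation: native
\tnative-fsread: filename re "^/usr/lib/lib.*\\.so\\..*$" then permit
\tnative-fsread: filename match "/home/*" then permit
\tnative-rename: filename match "/home/*" and filename[1] match "/home/*" then permit
\tnative-exit: permit
"""
# The same policy plus what the cross-filesystem fallback needs (also constructed).
POLICY_CROSS_FS = POLICY_ONE_FS + """\
\tnative-rename: filename match "/home/*" and filename[1] match "/tmp/*" then permit
\tnative-fswrite: filename match "/tmp/*" then permit
\tnative-unlink: filename match "/home/*" then permit
"""
# Constructed traces; systrace reports open(2) as fsread/fswrite.
SAME_FS_TRACE = [{"syscall": "fsread", "filename": "/usr/lib/libc.so.1.0"},
                 {"syscall": "rename", "filename": "/home/u/a", "filename[1]": "/home/u/b"},
                 {"syscall": "exit"}]
# Across devices rename(2) fails with EXDEV, so mv copies the file and unlinks the source.
CROSS_FS_TRACE = [SAME_FS_TRACE[0],
                  {"syscall": "rename", "filename": "/home/u/a", "filename[1]": "/tmp/a"},
                  {"syscall": "fsread", "filename": "/home/u/a"},
                  {"syscall": "fswrite", "filename": "/tmp/a"},
                  {"syscall": "unlink", "filename": "/home/u/a"},
                  {"syscall": "exit"}]
HOT_TRACE = SAME_FS_TRACE[:1] + [{"syscall": "fsread", "filename": "/home/u/f%d" % i}
                                 for i in range(100)]  # one library load, 100 reads under /home

if __name__ == "__main__":
    one = parse_policy(POLICY_ONE_FS)
    print("one-fs policy vs cross-fs mv (uncovered, evals):", check_trace(one, CROSS_FS_TRACE))
    print("predicate evals on reads, regex rule first:", check_trace(one, HOT_TRACE)[1],
          "/ reordered by hits:", check_trace(reorder_by_hits(one, HOT_TRACE), HOT_TRACE)[1])
```

Run against the cross-filesystem trace, the one-partition policy has no rule for the rename to /tmp, the fswrite or the unlink, which is exactly the breakage SH describes; the extended policy covers all of them. On the read-heavy trace the regex rule sitting in front of the glob rule costs one wasted evaluation per read, and moving the most-hit rule first roughly halves the predicate work without changing any decision. The reorder deliberately leaves syscalls whose rules mix permit and deny alone, since with first-match-wins a reordering there is a semantic change, not an optimization.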

  2. By Kevin Kadow ( on

    One cool application of systrace in OpenBSD is how it is used in ports to restrict the activity of the port build/install process.

    From "man ports":

    Set to `Yes' to protect the configure, build, and fake targets with systrace(1). This way it is ensured that ports do not make any network connections during build or write outside some well defined directories. The filter list is stored in ${PORTSDIR}/infrastructure/db/systrace.filter

    This doesn't change how the program executes once it is installed, just adds a little extra protection against trojans in the build/install process itself.

    1. By Anonymous Coward ( on

      It's also useful for when you are building a new port. Not all applications support DESTDIR, and if you try to do the fake install all of a sudden they start installing on the real filesystem.

  3. By Ray ( on

    Am I the only one who notices that there is an <em> tag that should be an </em> which causes all the text to be italicized?


    1. By Anonymous Coward ( on


    2. By Anonymous Coward ( on

      I wondered about the all-italics text too but didn't look at the HTML source. It seems you're right.
      All-italics is quite annoying :)

      1. By Anonymous Coward ( on

        looks fine in lynx though. lynx r00lz.

        1. By Anonymous Coward ( on

          it also looks fine with FireFox & Kmeleon

        2. By Anonymous Coward ( on

          lynx ?

          you are obviously a terroist !

          1. By Anonymous Coward ( on

            and a 'terrorist' to boot! ;-)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]