OpenBSD Journal

Do you use the default systrace policies?

Contributed by grey

Yes 26.1% (161 votes)

No 35.4% (219 votes)

Just /etc/systrace/usr_sbin_lpd 0.2% (1 votes)

Just /etc/systrace/usr_sbin_named 1.5% (9 votes)

I use USE_SYSTRACE for building ports 4.7% (29 votes)

I wish there were more shipped by default 19.1% (118 votes)

I use everything on hairy eyeball 1.8% (11 votes)

I write my own if I can't find one 3.9% (24 votes)

I write my own period, can't trust anyone and systrace -i is great 7.4% (46 votes)

Total votes: 618

(Comments are closed)

  1. By Anonymous Coward

    and for bittorrent and quite a few other apps. I doubt the others are strictly necessary, but heey, this is fun :-)

  2. By Anonymous Coward

    I'm creating systrace rules for every application that I run, because I do not trust anyone, not even myself

    1. By Janne Johansson

      Ok, can I see your /etc/systrace/bin_systrace then? ;-)

  3. By Anonymous Coward

    Maybe time to add something about them to man afterboot.

  4. By Luiz Gustavo

    Hairy Eyeball is just really outdated... Please stop pointing people to it.

    It's not that easy tracking all new ports and -current, so I'm trying. (;

  5. By SH

    Noted today that some ports (at least one) do have a sample systrace policy:
    ===>  Installing ap-utils-1.3.2p0 from /usr/ports/packages/i386/all/ap-utils-1.3.2p0.tgz
    ap-utils-1.3.2p0: complete
    --- ap-utils-1.3.2p0 -------------------
    The ap-config systrace sample policy has been installed into
    /usr/local/share/examples/systrace. Please view this file
    and change the policy to meet your needs. You can install this
    file into /etc/systrace or your ~/.systrace directory.

    This is very nice as it will mean much less work to start using systrace for a port. But I can understand that port maintainers might be sceptical of the amount of work that may be put on them as they have to test the application running under systrace as well.

    1. By Luiz Gustavo

      A great idea.

      Still doing ftpd one, works but incomplete.

  6. By Anonymous Coward

    can we please have non-stoopid polls, there were so many good proposals

