Do you use the default systrace policies?

Contributed by grey on 2005-02-07 from the dept.

Yes

26.1% (161 votes)

35.4% (219 votes)

Just /etc/systrace/usr_sbin_lpd

0.2% (1 votes)

Just /etc/systrace/usr_sbin_named

1.5% (9 votes)

I use USE_SYSTRACE for building ports

4.7% (29 votes)

I wish there were more shipped by default

19.1% (118 votes)

I use everything on hairy eyeball

1.8% (11 votes)

I write my own if I can't find one

3.9% (24 votes)

I write my own period, can't trust anyone and systrace -i is great

7.4% (46 votes)

Total votes: 618

(Comments are closed)

Comments

By Anonymous Coward (217.120.147.78) on 2005-02-07 20:31

and for bittorrent and quite a few other apps. I doubt the others are stricktly necessary, but heey, this is fun :-)
By Anonymous Coward (192.84.184.75) on 2005-02-08 09:13

im creating systrace rules for every application that i run, because i do not trust anyone, not even myself
Comments
1. By Janne Johansson (130.237.95.115) on 2005-02-17 13:34
  
  Ok, can I see your /etc/systrace/bin_systrace then? ;-)
By Anonymous Coward (216.220.225.229) on 2005-02-08 18:53

Maybe time to add something about them to man afterboot.
By Luiz Gustavo (200.165.130.203) on 2005-02-09 01:29 http://hades.uint8t.org

Hairy Eyeball is just really outdated... Please stop pointing people to it.

It's not that easy tracking all new ports and -current, so I'm trying. (;
By SH (82.182.103.172) on 2005-02-13 12:22
Noted today that some ports (at least one) do have a sample systrace policy :
```
===>  Installing ap-utils-1.3.2p0 from /usr/ports/packages/i386/all/ap-utils-1.3.2p0.tgz
ap-utils-1.3.2p0: complete                                                                          
--- ap-utils-1.3.2p0 -------------------
The ap-config systrace sample policy has been installed into
/usr/local/share/examples/systrace. Please view this file
and change the policy to meet your needs. You can install this
file into /etc/systrace or your ~/.systrace directory.
```
This is very nice as it will means much less work to start using systrace for a port. But I can understand that port maintainers might sceptical of the amount of work that may be put on them as they have to test the application running under systrace as well.
Comments
1. By Luiz Gustavo (200.225.76.130) on 2005-02-14 13:03 http://hades.uint8t.org
  
  A great idea.
  
  Still doing ftpd one, works but incomplete.
By Anonymous Coward (141.39.13.5) on 2005-02-28 15:02

can we please have non-stoopid polls, there were so many good proposals

Latest Articles

Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (11)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]