Subject: bin/23472: systrace doesn't seem to work on sparc64-current
To: None <gnats-bugs@gnats.netbsd.org>
From: Phil Jensen <philj@pihanga.solnet.co.nz>
List: netbsd-bugs
Date: 11/18/2003 17:03:06
>Number: 23472
>Category: bin
>Synopsis: systrace doesn't seem to work on sparc64-current
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Nov 18 04:14:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator: Phil Jensen
>Release: NetBSD 1.6ZD (20031017)
>Organization:
>Environment:
System: NetBSD pihanga 1.6ZD NetBSD 1.6ZD (GENERIC) #0: Sat Oct 18 15:36:21 UTC 2003 autobuild@cs20.apochromatic.org:/autobuilder/build/HEAD/sparc64/OBJ/autobuilder/build/HEAD/src/sys/arch/sparc64/compile/GENERIC sparc64
Architecture: sparc64
Machine: sparc64
>Description:
After following the instructions in 'How-To-Repeat' (below), /bin/systrace does not function.
>How-To-Repeat:
Use `systrace -At` to create a policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After logging in as a normal user and running `systrace -A` to generate a policy, no policy was created.
$ systrace -At /bin/cat /etc/myname
pihanga
$ ls -l .systrace
NB: No policy is created.
Use a pre-defined policy
~~~~~~~~~~~~~~~~~~~~~~~~
I downloaded a policy from the Hairy Eyeball project for bin_cat, and copied this to my ~/.systrace directory. I edited the file to deny everything (see below). But the cat still worked.
$ cat .systrace/bin_cat
Policy: /bin/cat, Emulation: native
native-break: deny
native-close: deny
native-exit: deny
native-fsread: true then deny
native-fstat: deny
native-issetugid: deny
native-mmap: deny
native-read: deny
native-write: deny
native-munmap: deny
$ systrace -At /bin/cat /etc/myname
pihanga
Everything seems to be allowed.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
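Added example, not part of this PR and not systrace's own code: a small Python evaluator for the policy format quoted in the report. It parses the reporter's deny-everything bin_cat policy and walks a syscall sequence for /bin/cat to show which call systrace should have refused, so the expected verdict can be compared with the observed "everything seems to be allowed". Assumptions: the syscall order for cat is constructed by hand, not captured on the reporter's machine; only the filter forms used here (`true` and `filename eq "..."`) are implemented; and what happens to a syscall with no matching rule is passed in explicitly (systrace prompts interactively by default and denies under -a) rather than taken from systrace itself.

```python
"""Evaluate a systrace policy file against a recorded sequence of system calls.

Example code written for this page, not taken from systrace or the PR.  The
policy text below is the reporter's; the syscall trace for /bin/cat is
constructed by hand (assumption), and the fallback for calls with no matching
rule is an explicit parameter rather than systrace's own behaviour.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Deny-everything policy quoted verbatim from the PR.
DENY_ALL_POLICY = """\
Policy: /bin/cat, Emulation: native
native-break: deny
native-close: deny
native-exit: deny
native-fsread: true then deny
native-fstat: deny
native-issetugid: deny
native-mmap: deny
native-read: deny
native-write: deny
native-munmap: deny
"""

# Same rules with every action flipped to permit, for contrast (constructed).
PERMIT_ALL_POLICY = DENY_ALL_POLICY.replace("deny", "permit")

# Constructed policy using a filename filter: only /etc/myname may be read.
SELECTIVE_POLICY = """\
Policy: /bin/cat, Emulation: native
native-fsread: filename eq "/etc/myname" then permit
native-fsread: deny
"""

@dataclass
class Rule:
    emulation: str
    syscall: str
    predicate: Optional[str]   # None when the rule carries no filter expression
    action: str                # permit, deny or ask

# emulation-syscall: [expression then] action[errno]
RULE_RE = re.compile(r"^(\w+)-(\w+):\s*(?:(.+?)\s+then\s+)?(permit|deny|ask)(?:\[\w+\])?\b")

def parse_policy(text: str) -> Tuple[str, List[Rule]]:
    """Return (binary path, rules) from a systrace policy file."""
    binary, rules = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Policy:"):
            binary = line.split(",")[0].split(":", 1)[1].strip()
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: " + line)
        emu, call, pred, action = m.groups()
        rules.append(Rule(emu, call, pred, action))
    return binary, rules

def predicate_holds(pred: Optional[str], args: Dict[str, str]) -> bool:
    """Evaluate the filter subset used here: no filter, `true`, and
    `filename eq "..."`.  Anything else is rejected rather than guessed."""
    if pred is None or pred == "true":
        return True
    m = re.fullmatch(r'filename\s+eq\s+"(.*)"', pred)
    if m:
        return args.get("filename") == m.group(1)
    raise ValueError("unsupported filter: " + pred)

def decide(rules: List[Rule], emulation: str, syscall: str,
           args: Dict[str, str], default: str = "ask") -> str:
    """First matching rule wins; `default` stands in for systrace's handling
    of an uncovered call (prompt interactively, or deny under -a)."""
    for r in rules:
        if r.emulation == emulation and r.syscall == syscall \
                and predicate_holds(r.predicate, args):
            return r.action
    return default

def first_denied(policy_text: str, trace, default: str = "ask"):
    """Return (index, syscall) of the first call the policy refuses, or None."""
    _, rules = parse_policy(policy_text)
    for i, (call, args) in enumerate(trace):
        if decide(rules, "native", call, args, default) == "deny":
            return i, call
    return None

# Hand-constructed syscall sequence for `cat /etc/myname` (assumption, not a
# ktrace capture); order follows the rules in the reporter's policy.
CAT_TRACE = [
    ("issetugid", {}), ("mmap", {}), ("fsread", {"filename": "/etc/myname"}),
    ("fstat", {}), ("read", {}), ("write", {}), ("close", {}), ("exit", {}),
]

if __name__ == "__main__":
    print("deny-all   :", first_denied(DENY_ALL_POLICY, CAT_TRACE))
    print("permit-all :", first_denied(PERMIT_ALL_POLICY, CAT_TRACE))
```

Under the reporter's policy the very first call in the constructed trace (issetugid) is denied, so an enforcing systrace should have killed cat or returned an error before any output appeared; a permissive policy of the kind `systrace -A` writes lets the whole trace through.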