Subject: Re: oooh! neat new toy!!!
To: None <tech-security@netbsd.org>
From: None <xs@kittenz.org>
List: tech-security
Date: 06/07/2002 19:50:52
I now have systrace [1] working under NetBSD/i386. Notably missing
is non-i386 support; also, I have not tested non-native emulations.
Both of these require extra hooks in much the same way as the ktrace hooks, but
I do not have the hardware set up to test any such changes.

The patches for this are at:
http://www.kittenz.org/xs/stuff/systrace.kern.patch
http://www.kittenz.org/xs/stuff/systrace.userland.patch

systrace.kern.patch is relative to a fairly recent (1.6A) /sys.
systrace.userland.patch is for /bin/systrace as found in OpenBSD.

The kernel space part of systrace works by communicating to a monitoring
process via a descriptor initially opened on /dev/systrace. This device is
added to the kernel via "pseudo-device systrace" in the kernel config
and creating the systrace device with mknod /dev/systrace c 90 0.

The user land part of systrace is in two parts. First is the monitoring
process itself. Second is the process that notifies the user and allows
rules to be edited. They can be built as follows:

cvs -d anoncvs@anoncvs.openbsd.org:/cvs co -d systrace src/bin/systrace
cvs -d anoncvs@anoncvs.openbsd.org:/cvs co -d xsystrace XF4/xc/programs/xsystrace

cd systrace; patch < /path/to/systrace.userland.patch; make; make install
cd ../xsystrace; imake -I/usr/X11R6/lib/X11/config;
	cd pixmaps; imake -I/usr/X11R6/lib/X11/config; cd ..
	make; make install

I would appreciate any comments/testing/suggestions/feedback/etc.


[1] http://www.citi.umich.edu/u/provos/systrace/