From: Dug Song (dugsong_at_monkey.org)
Date: Tue Aug 06 2002 - 11:37:27 CDT
On Tue, Aug 06, 2002 at 10:04:15AM -0600, kjell pintday.org wrote:
> I would be very tempted to run it as a locked-down regular user
> instead, since it doesn't actually have to read data from the wire.
or wrap it with 'systrace -a'. here's a trivial policy for it -
uncomment the socket/connect/sendto if you really want to allow
tcpdump to resolve hostnames:
Policy: /usr/sbin/tcpdump, Emulation: native
native-__sysctl: permit
native-break: permit
native-close: permit
# native-connect: sockaddr match "*:53" then permit
native-exit: permit
native-fsread: filename eq "/dev/arandom" then permit
native-fsread: filename eq "/usr/libexec/ld.so" then permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fsread: filename match "/dev/bpf*" then permit
native-fsread: filename match "/etc/*" then permit
native-fsread: filename match "/usr/lib/*" then permit
native-fsread: filename match "/usr/share/*" then permit
native-fsread: filename match "/var/log/*" then permit
native-fstat: permit
native-fswrite: filename match "/dev/bpf*" then permit
native-gettimeofday: permit
native-getuid: permit
native-ioctl: permit
native-issetugid: permit
native-mmap: permit
native-mprotect: permit
native-munmap: permit
native-read: permit
native-recvfrom: permit
native-select: permit
# native-sendto: permit
native-seteuid: uname eq "$USER" then permit
native-setuid: uname eq "$USER" then permit
native-sigaction: permit
native-sigprocmask: permit
# native-socket: permit
native-write: permit
-d.
--- http://www.monkey.org/~dugsong/
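To make concrete what the policy above grants and withholds, here is an added example (my code, not Dug's and not part of systrace) that parses a policy in this syntax and answers permit/deny queries against it offline. The sandboxed user name "pcap" and treating calls with no matching rule as denied are assumptions of the example.

```python
import fnmatch
import re

# Constructed sample: an abridged copy of the tcpdump policy above in systrace's
# own syntax; connect/socket stay commented out, so name resolution stays denied.
TCPDUMP_POLICY = """\
Policy: /usr/sbin/tcpdump, Emulation: native
# native-connect: sockaddr match "*:53" then permit
native-fsread: filename eq "/dev/arandom" then permit
native-fsread: filename match "/dev/bpf*" then permit
native-fsread: filename match "/etc/*" then permit
native-fswrite: filename match "/dev/bpf*" then permit
native-ioctl: permit
native-seteuid: uname eq "$USER" then permit
# native-socket: permit
"""

# native-<syscall>: [<var> eq|match "<value>" then] permit|deny
RULE_RE = re.compile(
    r'^(?P<emul>\w+)-(?P<call>\w+):\s*'
    r'(?:(?P<var>\w+)\s+(?P<op>eq|match)\s+"(?P<val>[^"]*)"\s+then\s+)?'
    r'(?P<action>permit|deny)\b')


def parse_policy(text):
    """Return the ordered rule list; '#' lines are dropped, so a commented-out rule grants nothing."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Policy:"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        rules.append(m.groupdict())
    return rules


def check(rules, call, user="pcap", **args):
    """First matching rule wins (rules are tried in order); a call no rule covers is denied,
    modelling enforcement mode (assumption). 'eq' is exact, 'match' a glob, $USER the sandboxed user."""
    for r in rules:
        if r["call"] != call:
            continue
        if r["var"] is None:                      # unconditional rule
            return r["action"]
        actual = args.get(r["var"])               # e.g. filename, sockaddr, uname
        want = r["val"].replace("$USER", user)
        if actual is not None and (actual == want if r["op"] == "eq"
                                   else fnmatch.fnmatchcase(actual, want)):
            return r["action"]
    return "deny"
```

Querying the parsed rules shows the shape of the sandbox: reads under /etc and the bpf devices pass, everything else on the filesystem, and every socket-related call, falls through to deny.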