OSEC

From: Han (han_at_mijncomputer.nl)
Date: Tue Aug 06 2002 - 12:02:57 CDT


    Dug Song (dugsong_at_monkey.org) wrote:
    >
    > or wrap it with 'systrace -a'. here's a trivial policy for it -
    > uncomment the socket/connect/sendto if you really want to allow
    > tcpdump to resolve hostnames:
    >
    > Policy: /usr/sbin/tcpdump, Emulation: native
    > native-__sysctl: permit
    > native-break: permit
    > native-close: permit
    > # native-connect: sockaddr match "*:53" then permit
    > native-exit: permit
    > native-fsread: filename eq "/dev/arandom" then permit
    > native-fsread: filename eq "/usr/libexec/ld.so" then permit
    > native-fsread: filename eq "/var/run/ld.so.hints" then permit
    > native-fsread: filename match "/dev/bpf*" then permit
    > native-fsread: filename match "/etc/*" then permit
    > native-fsread: filename match "/usr/lib/*" then permit
    > native-fsread: filename match "/usr/share/*" then permit
    > native-fsread: filename match "/var/log/*" then permit
    > native-fstat: permit
    > native-fswrite: filename match "/dev/bpf*" then permit
    > native-gettimeofday: permit
    > native-getuid: permit
    > native-ioctl: permit
    > native-issetugid: permit
    > native-mmap: permit
    > native-mprotect: permit
    > native-munmap: permit
    > native-read: permit
    > native-recvfrom: permit
    > native-select: permit
    > # native-sendto: permit
    > native-seteuid: uname eq "$USER" then permit
    > native-setuid: uname eq "$USER" then permit
    > native-sigaction: permit
    > native-sigprocmask: permit
    > # native-socket: permit
    > native-write: permit

    Mighty interesting indeed, but...

    [/etc/systrace]# systrace -a /usr/sbin/tcpdump -e -n -tttv -r /var/log/pflog
    syntax error
    /etc/systrace/usr_sbin_tcpdump:2: systax error.
    zsh: 4831 segmentation fault (core dumped) systrace -a /usr/sbin/tcpdump -e -n -tttv -r /var/log/pflog

    Should I s/native-__sysctl/native-sysctl/ ?

    Does the "$USER" mean that I can use systrace and I can run the script
    as a restricted user?

    Cya, Han.
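The systrace policy quoted above is a plain text configuration file, and the error Han quotes names a file and a line number (`usr_sbin_tcpdump:2`) without showing which rule is meant. The following Python linter is an added example, not code from the thread, from systrace or from the posters: it parses the subset of the systrace policy grammar that Dug Song's policy uses (a `Policy: <path>, Emulation: <emul>` header, `<emul>-<syscall>: [<predicate> then] <action>` rules, `#` comments) and reports problems with the same `file:N:` numbering systrace uses, so a reported `:2` can be matched to the rule on line 2 of the saved file. The accepted grammar (predicate operators, `permit`/`deny[errno]`/`ask` actions, `and`/`or` joins) is an assumption about the real systrace parser; the policy text embedded below is a copy of the one quoted above, laid out as it would be saved under `/etc/systrace`.

```python
"""Lint an OpenBSD systrace policy file and map errors to line numbers.

Added example for this thread, not code from systrace or from the posters.
Only the policy subset used in the quoted policy is accepted (assumption:
the real grammar is larger); anything else is reported, not silently passed.
"""
import re

HEADER_RE = re.compile(r"^Policy:\s*\S+,\s*Emulation:\s*(?P<emul>\w+)$")
RULE_RE = re.compile(r"^(?P<emul>\w+)-(?P<syscall>\w+):\s*(?P<body>\S.*?)$")
PRED_RE = re.compile(r'^(?P<field>[a-z]+)\s+(?P<op>eq|neq|match|sub|nsub|re)\s+"(?P<val>[^"]*)"$')
ACTION_RE = re.compile(r"^(?P<act>permit|deny|ask)(?:\[(?P<errno>[a-z]+)\])?$")


def _parse_body(body):
    """Split '<pred> [and|or <pred>]... then <action>' or a bare '<action>'."""
    preds = []
    if " then " in body:
        pred_text, body = body.rsplit(" then ", 1)
        # assumption: quoted values never contain ' and ' / ' or '
        for part in re.split(r"\s+(?:and|or)\s+", pred_text.strip()):
            m = PRED_RE.match(part)
            if not m:
                raise ValueError(f"bad predicate {part!r}")
            preds.append((m["field"], m["op"], m["val"]))
    m = ACTION_RE.match(body.strip())
    if not m:
        raise ValueError(f"bad action {body.strip()!r}: expected permit, "
                         "deny[errno] or ask (a predicate needs 'then')")
    return preds, m["act"] + (f"[{m['errno']}]" if m["errno"] else "")


def lint_policy(text):
    """Return (rules, errors): rules as (lineno, syscall, predicates, action),
    errors as (lineno, message), numbered like systrace's 'file:N:' output."""
    rules, errors, emul = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or commented-out rule
        if emul is None:                  # first real line must be the header
            m = HEADER_RE.match(line)
            if not m:
                errors.append((lineno, "expected 'Policy: <path>, Emulation: <emul>'"))
                return rules, errors
            emul = m["emul"]
            continue
        m = RULE_RE.match(line)
        if not m:
            errors.append((lineno, "expected '<emul>-<syscall>: ...'"))
        elif m["emul"] != emul:
            errors.append((lineno, f"emulation {m['emul']!r} != header {emul!r}"))
        else:
            try:
                preds, action = _parse_body(m["body"])
                rules.append((lineno, m["syscall"], preds, action))
            except ValueError as e:
                errors.append((lineno, str(e)))
    return rules, errors


def commented_out(text):
    """(lineno, syscall) of rules disabled with a leading '#', e.g. the
    socket/connect/sendto lines that would let tcpdump resolve names."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            m = RULE_RE.match(line.lstrip("#").strip())
            if m:
                found.append((lineno, m["syscall"]))
    return found


# Copy of the policy quoted in the thread, as it would be saved to
# /etc/systrace/usr_sbin_tcpdump: line 1 is the header, so 'file:2' is the
# first rule (native-__sysctl).
POLICY_TEXT = """\
Policy: /usr/sbin/tcpdump, Emulation: native
native-__sysctl: permit
native-break: permit
native-close: permit
# native-connect: sockaddr match "*:53" then permit
native-exit: permit
native-fsread: filename eq "/dev/arandom" then permit
native-fsread: filename eq "/usr/libexec/ld.so" then permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fsread: filename match "/dev/bpf*" then permit
native-fsread: filename match "/etc/*" then permit
native-fsread: filename match "/usr/lib/*" then permit
native-fsread: filename match "/usr/share/*" then permit
native-fsread: filename match "/var/log/*" then permit
native-fstat: permit
native-fswrite: filename match "/dev/bpf*" then permit
native-gettimeofday: permit
native-getuid: permit
native-ioctl: permit
native-issetugid: permit
native-mmap: permit
native-mprotect: permit
native-munmap: permit
native-read: permit
native-recvfrom: permit
native-select: permit
# native-sendto: permit
native-seteuid: uname eq "$USER" then permit
native-setuid: uname eq "$USER" then permit
native-sigaction: permit
native-sigprocmask: permit
# native-socket: permit
native-write: permit
"""
```

Running `lint_policy(POLICY_TEXT)` yields 29 rules and no errors under this grammar, with `native-__sysctl: permit` as the rule on line 2; `commented_out(POLICY_TEXT)` lists the three disabled rules (lines 5, 27 and 32) that Dug Song says to uncomment for hostname resolution. A line that drops the `then` between predicate and action, or a rule whose emulation prefix does not match the header, is reported with its line number in the same form as the `usr_sbin_tcpdump:2:` message in Han's output.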