summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--bin/systrace/systrace.123
1 files changed, 15 insertions, 8 deletions
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index fbbb1a729c1..bbe5211c51f 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.35 2003/08/20 00:18:34 deraadt Exp $
+.\" $OpenBSD: systrace.1,v 1.36 2003/09/04 12:17:44 jmc Exp $
.\"
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
.\" All rights reserved.
@@ -38,6 +38,7 @@
.Nd generate and enforce system call policies
.Sh SYNOPSIS
.Nm systrace
+.Bk -words
.Op Fl AaitUu
.Op Fl c Ar uid:gid
.Op Fl d Ar policydir
@@ -45,6 +46,7 @@
.Op Fl g Ar gui
.Op Fl p Ar pid
.Ar command ...
+.Ek
.Sh DESCRIPTION
The
.Nm
@@ -106,7 +108,7 @@ knows about.
.It Fl g Ar gui
Specifies an alternative location for the notification user interface.
.It Fl i
-Inherits the policy - child processes inherit policy of the parent binary.
+Inherits the policy \- child processes inherit policy of the parent binary.
.It Fl p Ar pid
Specifies the pid of a process that
.Nm
@@ -131,7 +133,7 @@ are translated to
.El
.Ss POLICY
The policy is specified via the following grammar:
-.Bd -literal -offset 4
+.Bd -literal -offset 3n
filter = expression "then" action errorcode logcode
expression = symbol | "not" expression | "(" expression ")" |
expression "and" expression | expression "or" expression
@@ -227,14 +229,19 @@ system call.
.Pp
Policy entries may contain an appended predicate.
Predicates have the following format:
-.Bd -literal -offset 4
+.Bd -literal -offset 3n
", if" {"user", "group"} {"=", "!=", "\*[Lt]", "\*[Gt]" } {number, string}
.Ed
.Pp
A rule is added to the configured policy only if its predicate
evaluates to true.
.Pp
-The environment variables $HOME, $USER and $CWD are substituted in rules.
+The environment variables
+.Ev $HOME ,
+.Ev $USER
+and
+.Ev $CWD
+are substituted in rules.
Comments, begun by an unquoted
.Sq \&#
character and continuing to the end of the line, are ignored.
@@ -246,7 +253,7 @@ privilege elevation feature instead.
Single system calls can be executed with higher privileges if
specified by the policy.
For example,
-.Bd -literal -offset 4
+.Bd -literal -offset 3n
native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root
.Ed
.Pp
@@ -258,7 +265,7 @@ process is executed as root.
The following statements can be appended after the
.Va permit
in a policy to elevate the privileges for the matching system call:
-.Bd -literal -offset 4
+.Bd -literal -offset 3n
as user
as user:group
as :group
@@ -288,7 +295,7 @@ replaced by the underscore character.
An excerpt from a sample
.Xr ls 1
policy might look as follows:
-.Bd -literal -offset 4
+.Bd -literal -offset 2n
Policy: /bin/ls, Emulation: native
[...]
native-fsread: filename eq "$HOME" then permit