Diffstat (limited to 'bin/systrace/systrace.1')
-rw-r--r--  bin/systrace/systrace.1  117
1 files changed, 59 insertions, 58 deletions
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 09e057addfc..5dc55a8d915 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.33 2003/05/29 00:39:12 itojun Exp $
+.\" $OpenBSD: systrace.1,v 1.34 2003/07/19 11:48:58 sturm Exp $
.\"
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
.\" All rights reserved.
@@ -30,7 +30,7 @@
.\"
.\" Manual page, using -mandoc macros
.\"
-.Dd June 3, 2002
+.Dd May 21, 2003
.Dt SYSTRACE 1
.Os
.Sh NAME
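Review bot: the .Dd bump to "May 21, 2003" lags the revision date recorded in the $OpenBSD$ header of this same patch (2003/07/19) by almost two months. Since this revision changes content (reordered options, the new "ask" action, the "as :group" syntax), .Dd should carry the date of this change rather than an earlier draft date.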
@@ -38,15 +38,13 @@
.Nd generate and enforce system call policies
.Sh SYNOPSIS
.Nm systrace
-.Bk -words
-.Op Fl aAituU
+.Op Fl AaitUu
+.Op Fl c Ar uid:gid
.Op Fl d Ar policydir
-.Op Fl g Ar gui
.Op Fl f Ar file
-.Op Fl c Ar uid:gid
+.Op Fl g Ar gui
.Op Fl p Ar pid
.Ar command ...
-.Ek
.Sh DESCRIPTION
The
.Nm
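Review bot: dropping the .Bk -words / .Ek pair around the option list lets the formatter break a line between a flag and its argument (for example between "-c" and "uid:gid") in narrow output; if the purpose of the hunk is only to alphabetize, keep the .Bk/.Ek pair. The new order "-AaitUu" followed by -c, -d, -f, -g, -p now matches the order of the .It entries in DESCRIPTION, which is worth keeping in sync in future edits.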
@@ -65,63 +63,50 @@ system calls require root privilege.
.Pp
The access policy can be generated interactively or obtained from a
policy file.
-Interactive policy generation will be performed by the ``notification
-user agent'', normally
+Interactive policy generation will be performed by the
+.Dq notification user agent ,
+normally
.Xr xsystrace 1 ,
unless text mode is specified via
.Fl t .
.Pp
-When running in ``automatic enforcement'' mode,
-operations not covered by the policy raise an alarm and
+When running in
+.Dq automatic enforcement
+mode, operations not covered by the policy raise an alarm and
allow an user to refine the currently configured policy.
.Pp
The options are as follows:
.Bl -tag -width Dfxfile
-.It Fl a
-Enables automatic enforcement of configured policies.
-An operation not covered by policy is denied and logged via
-.Xr syslog 3 .
.It Fl A
Automatically generate a policy that allows every operation the
application executes.
The created policy functions as a base that can be refined.
-.It Fl u
-Do not perform aliasing on system call names.
-Aliasing is enabled by default to group similar system calls into a
-single compound name.
-For example, system calls that read from the file system
-like
-.Fn lstat
-and
-.Fn access
-are translated to
-.Fn fsread .
-.It Fl i
-Inherits the policy - child processes inherit policy of the parent binary.
-.It Fl t
-Uses text mode to ask for interactive policy generation.
-.It Fl U
-Ignore user configured policies and use only global system policies.
-.It Fl d Ar policydir
-Specifies an alternative location for the user's directory from
-which policies are loaded and to which changed policies are stored.
-.It Fl g Ar gui
-Specifies an alternative location for the notification user interface.
+.It Fl a
+Enables automatic enforcement of configured policies.
+An operation not covered by policy is denied and logged via
+.Xr syslog 3 .
.It Fl c Ar uid:gid
Specifies the
.Va uid
and
.Va gid
that the monitored application should be executed with,
-which must be specified as non-negative integers (not as names).
+which must be specified as nonnegative integers (not as names).
This is useful in conjunction with privilege elevation and requires
root privilege.
+.It Fl d Ar policydir
+Specifies an alternative location for the user's directory from
+which policies are loaded and to which changed policies are stored.
.It Fl f Ar file
The policies specified in
.Ar file
are added to the policies that
.Nm
knows about.
+.It Fl g Ar gui
+Specifies an alternative location for the notification user interface.
+.It Fl i
+Inherits the policy - child processes inherit policy of the parent binary.
.It Fl p Ar pid
Specifies the pid of a process that
.Nm
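Review bot: two wording nits survive the reorder. The context line "allow an user to refine the currently configured policy." should read "allow a user", and the -i entry "Inherits the policy - child processes inherit policy of the parent binary." uses a bare hyphen as a dash; write it as "Inherit the policy: child processes inherit the policy of the parent binary." Also, now that -A sits directly above -a, a sentence noting that a policy generated with -A allows exactly what that one run did, and should be reviewed before being enforced with -a, would keep readers from confusing the two flags.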
@@ -129,10 +114,24 @@ should attach to.
The full path name of the corresponding binary has to be specified
as
.Ar command .
+.It Fl t
+Uses text mode to ask for interactive policy generation.
+.It Fl U
+Ignore user configured policies and use only global system policies.
+.It Fl u
+Do not perform aliasing on system call names.
+Aliasing is enabled by default to group similar system calls into a
+single compound name.
+For example, system calls that read from the file system like
+.Fn lstat
+and
+.Fn access
+are translated to
+.Fn fsread .
.El
.Ss POLICY
The policy is specified via the following grammar:
-.Bd -literal -offset AAA
+.Bd -literal -offset 4
filter = expression "then" action errorcode logcode
expression = symbol | "not" expression | "(" expression ")" |
expression "and" expression | expression "or" expression
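Review bot: changing ".Bd -literal -offset AAA" to "-offset 4" brings this block in line with the privilege-elevation block, which already uses -offset 4; the ".Bl -hang -width Dinpath -offset AAA" list later in the page should get the same treatment in this commit so the indentation is uniform. In the relocated -u entry, the fsread example is the natural place to say whether a policy written with compound names (native-fsread, as in the sample policy at the end of the page) still matches once aliasing is turned off with -u, since the text currently only says that aliasing is not performed.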
@@ -142,7 +141,7 @@ symbol = string typeoff "match" cmdstring |
string typeoff "inpath" cmdstring | string typeoff "re" cmdstring |
"true"
typeoff = /* empty */ | "[" number "]"
-action = "permit" | "deny"
+action = "permit" | "deny" | "ask"
errorcode = /* empty */ | "[" string "]"
logcode = /* empty */ | "log"
.Ed
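Review bot: with "ask" added to action, the grammar still allows errorcode and logcode after it (ask[EPERM] log), but nothing says what errorcode means for an ask rule, e.g. whether it is the errno returned when the user refuses; either state that in the POLICY text or restrict errorcode to deny. The text should also say how an ask rule behaves under -a, where the DESCRIPTION says operations not covered by policy are denied and logged: a matching ask rule presumably still prompts, but that needs to be explicit.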
@@ -168,7 +167,7 @@ detach
have special meanings when used with a
.Va permit
rule for the
-.Xr execve 2
+.Va execve
system call.
When using
.Do
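Review bot: replacing ".Xr execve 2" with ".Va execve" drops the cross-reference to the execve(2) manual. If the intent is to mark execve as a policy keyword rather than the C function, consistent with ".Va permit" in the same sentence, that is fine, but the .Xr should then survive elsewhere in the page (SEE ALSO is the usual place) so the reader can still reach the system call description.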
@@ -183,9 +182,14 @@ detach,
detaches from a process after successfully
completing
the
-.Xr execve 2
+.Va execve
system call.
.Pp
+The
+.Va ask
+action specifies that the user should be prompted for a decision
+every time that the rule matches.
+.Pp
The filter operations have the following meaning:
.Bl -hang -width Dinpath -offset AAA
.It match
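Review bot: the new "ask" paragraph says the user is prompted "every time that the rule matches" but not what the prompt offers or what happens when no notification user agent is available. Since the DESCRIPTION says interactive decisions go through xsystrace(1) or the -t text mode, say here that ask uses that same agent and what the outcome is when nothing can answer (denied, like an uncovered operation under -a, or something else). Using ".Va ask" matches ".Va permit" above, which is good.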
@@ -215,28 +219,25 @@ the specified regular expression.
By appending the
.Va log
statement to a rule, a matching system call and its arguments
-are logged to
+is logged to
.Xr syslog 3 .
This is useful, for example, to log all invocations of the
-.Xr execve 2
+.Va execve
system call.
.Pp
Policy entries may contain an appended predicate.
Predicates have the following format:
-.Bd -literal -offset AAA
-", if" {"user", "group"} {"=", "!=", "<", ">" } {number, string}
+.Bd -literal -offset 4
+", if" {"user", "group"} {"=", "!=", "\*[Lt]", "\*[Gt]" } {number, string}
.Ed
.Pp
A rule is added to the configured policy only if its predicate
evaluates to true.
.Pp
-The environment variables
-.Ev $HOME , $USER
-and
-.Ev $CWD
-are substituted in rules.
-Comments, begun by an unquoted '#' character and
-continuing to the end of the line, are ignored.
+The environment variables $HOME, $USER and $CWD are substituted in rules.
+Comments, begun by an unquoted
+.Sq \&#
+character and continuing to the end of the line, are ignored.
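Review bot: "is logged" on the changed line is a grammar regression: the subject is "a matching system call and its arguments", a compound subject, so the original "are logged" was correct. Dropping .Ev from $HOME, $USER and $CWD also loses the semantic markup for environment variables; the old ".Ev $HOME , $USER" only rendered oddly because of the comma placement, so prefer ".Ev HOME , USER" and ".Ev CWD" with the leading $ mentioned in prose, or mark the literal "$HOME" tokens with .Li since that is how they appear in rules. The \*[Lt]/\*[Gt] strings for the angle brackets in the predicate grammar are the right fix.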
.Sh PRIVILEGE ELEVATION
With
.Nm
@@ -260,7 +261,7 @@ in a policy to elevate the privileges for the matching system call:
.Bd -literal -offset 4
as user
as user:group
-as group
+as :group
.Ed
.Pp
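Review bot: "as :group" is the right correction, since the previous "as group" form was indistinguishable from "as user". Check that the prose introducing this block (outside the hunk) does not still describe a bare "as group" form, and that the policy parser actually accepts the leading colon with an empty user part; otherwise this line documents syntax that fails.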
The effective
@@ -269,9 +270,9 @@ and
.Va gid
are elevated only for the duration of the system call, and are restored
to the old values afterwards (except for the
-.Xr seteuid 2
-and
-.Xr setegid 2
+.Va seteuid
+or
+.Va setegid
system calls).
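Review bot: "or" reads better than "and" after "except for", but the exception itself deserves more than a parenthesis: a policy that elevates privileges for seteuid or setegid leaves the raised uid or gid in place after the call returns, which is exactly the persistent privilege the per-call restore is meant to avoid. Say that explicitly. As with execve earlier in the patch, switching ".Xr seteuid 2" and ".Xr setegid 2" to .Va drops the cross-references to the manual pages.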
.Sh FILES
.Bl -tag -width xHOME/xsystrace -compact
@@ -287,7 +288,7 @@ replaced by the underscore character.
An excerpt from a sample
.Xr ls 1
policy might look as follows:
-.Bd -literal -offset AAA
+.Bd -literal -offset 4
Policy: /bin/ls, Emulation: native
[...]
native-fsread: filename eq "$HOME" then permit