On Saturday 02 September 2006 12:14, Julien TOUCHE wrote:
[cut]
> > I don't get it ???
> > "native-getuid: permit as root" doesn't work in a systrace policy

You should try "true then permit as root"

> $ sudo /bin/systrace -a -c 556:556 /usr/local/sbin/fping localhost
> syntax error
> /etc/systrace/usr_local_sbin_fping:24: syntax error.
> Segmentation fault
>
> and same for adding a return code to permit.
>
> nobody with systrace privilege elevation and fping ?

The following policy works for me:

Policy: /usr/local/sbin/fping, Emulation: native
	native-geteuid: true then permit as root
	native-getuid: true then permit as root
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
	native-issetugid: permit
	native-mprotect: prot eq "PROT_READ" then permit
	native-mmap: prot eq "PROT_READ|PROT_WRITE" then permit
	native-fsread: filename eq "/var/run/ld.so.hints" then permit
	native-fstat: permit
	native-mmap: prot eq "PROT_READ" then permit
	native-close: permit
	native-fsread: filename eq "/usr/lib/libc.so.39.2" then permit
	native-read: permit
	native-mmap: prot eq "PROT_NONE" then permit
	native-mmap: prot eq "PROT_READ|PROT_EXEC" then permit
	native-mprotect: prot eq "PROT_READ|PROT_WRITE" then permit
	native-mprotect: prot eq "PROT_READ|PROT_WRITE|PROT_EXEC" then permit
	native-mprotect: prot eq "PROT_READ|PROT_EXEC" then permit
	native-munmap: permit
	native-sigprocmask: permit
	native-__sysctl: permit
	native-fsread: filename eq "/etc/protocols" then permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-seteuid: uid eq "0" and uname eq "root" then permit
	native-setuid: uid eq "0" and uname eq "root" then permit
	native-getpid: permit
	native-sigaction: permit
	native-gettimeofday: permit
	native-sendto: sockaddr match "inet-*:0" then permit
	native-select: permit
	native-recvfrom: permit
	native-ioctl: permit
	native-write: permit
	native-exit: permit
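The point of the reply is that systrace's privilege elevation ("as root") only parses after a filter expression, so the bare form "permit as root" is a syntax error while "true then permit as root" is accepted. A small policy linter that checks for exactly that mistake, and lists which system calls a policy elevates (the part a reviewer wants to audit), is added below as an example. It is not code from the thread or from systrace itself. It assumes a subset of the policy grammar (a rule is "<emulation>-<syscall>: [<filter> then] <action> [as <user>]"; errno and log clauses are not handled). The embedded FPING_POLICY is the working policy posted above; BROKEN_POLICY is a constructed two-line policy containing the rejected form from the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: subset of systrace policy syntax as seen in this thread.
# Header:  Policy: <path>, Emulation: <emu>
# Rule:    <emu>-<syscall>: [<filter> then] <action> [as <user>]
HEADER_RE = re.compile(r'^Policy:\s*(?P<path>\S+),\s*Emulation:\s*(?P<emu>\w+)$')
RULE_RE = re.compile(r'^(?P<emu>\w+)-(?P<call>\w+):\s*(?P<body>.+)$')
ACTIONS = ("permit", "deny", "ask")

@dataclass
class Rule:
    emulation: str
    syscall: str
    filter: Optional[str]       # None for the short form "native-fstat: permit"
    action: str
    elevate_to: Optional[str]   # user named after "as", e.g. "root"
    line_no: int

@dataclass
class Lint:
    line_no: int
    message: str

def parse_policy(text: str) -> Tuple[Optional[str], Optional[str], List[Rule], List[Lint]]:
    """Parse a policy; return (path, emulation, rules, lint findings)."""
    path = emulation = None
    rules: List[Rule] = []
    lints: List[Lint] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            path, emulation = m.group("path"), m.group("emu")
            continue
        m = RULE_RE.match(line)
        if not m:
            lints.append(Lint(n, f"unparseable line: {line!r}"))
            continue
        body = m.group("body")
        filt = None
        if " then " in body:                      # long form: filter then action
            filt, body = body.split(" then ", 1)
            filt = filt.strip()
        toks = body.split()
        action, elevate = toks[0], None
        if action not in ACTIONS:
            lints.append(Lint(n, f"unknown action {action!r}"))
            continue
        if len(toks) >= 3 and toks[1] == "as":
            elevate = toks[2]
        elif len(toks) > 1:
            lints.append(Lint(n, f"trailing tokens {' '.join(toks[1:])!r}"))
        # The thread's finding: elevation needs a filter in front of it.
        if elevate is not None and filt is None:
            lints.append(Lint(n, f"'{action} as {elevate}' needs a filter; "
                                 f"write 'true then {action} as {elevate}'"))
        rules.append(Rule(m.group("emu"), m.group("call"), filt, action, elevate, n))
    return path, emulation, rules, lints

def elevated_calls(rules: List[Rule]) -> List[str]:
    """System calls the policy runs as another user: the elevation surface to audit."""
    return sorted({r.syscall for r in rules if r.elevate_to})

# Working policy from the message above (tabs replaced by spaces).
FPING_POLICY = """Policy: /usr/local/sbin/fping, Emulation: native
 native-geteuid: true then permit as root
 native-getuid: true then permit as root
 native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
 native-issetugid: permit
 native-mprotect: prot eq "PROT_READ" then permit
 native-mmap: prot eq "PROT_READ|PROT_WRITE" then permit
 native-fsread: filename eq "/var/run/ld.so.hints" then permit
 native-fstat: permit
 native-mmap: prot eq "PROT_READ" then permit
 native-close: permit
 native-fsread: filename eq "/usr/lib/libc.so.39.2" then permit
 native-read: permit
 native-mmap: prot eq "PROT_NONE" then permit
 native-mmap: prot eq "PROT_READ|PROT_EXEC" then permit
 native-mprotect: prot eq "PROT_READ|PROT_WRITE" then permit
 native-mprotect: prot eq "PROT_READ|PROT_WRITE|PROT_EXEC" then permit
 native-mprotect: prot eq "PROT_READ|PROT_EXEC" then permit
 native-munmap: permit
 native-sigprocmask: permit
 native-__sysctl: permit
 native-fsread: filename eq "/etc/protocols" then permit
 native-fsread: filename eq "/etc/malloc.conf" then permit
 native-seteuid: uid eq "0" and uname eq "root" then permit
 native-setuid: uid eq "0" and uname eq "root" then permit
 native-getpid: permit
 native-sigaction: permit
 native-gettimeofday: permit
 native-sendto: sockaddr match "inet-*:0" then permit
 native-select: permit
 native-recvfrom: permit
 native-ioctl: permit
 native-write: permit
 native-exit: permit
"""

# Constructed: the form from the original question that systrace rejects.
BROKEN_POLICY = """Policy: /usr/local/sbin/fping, Emulation: native
 native-getuid: permit as root
"""

if __name__ == "__main__":
    for name, text in (("fping", FPING_POLICY), ("broken", BROKEN_POLICY)):
        path, emu, rules, lints = parse_policy(text)
        print(f"{name}: {path} ({emu}), {len(rules)} rules, elevated: {elevated_calls(rules)}")
        for l in lints:
            print(f"  line {l.line_no}: {l.message}")
```

Running it reports the fping policy as clean with three elevated calls (geteuid, getuid, socket), and flags the constructed "permit as root" line with the same rewrite the reply suggests. Keeping the elevated set small and filtered (here the raw socket is limited to AF_INET/SOCK_RAW) is what makes the policy worth having over a plain setuid binary.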