i've read through all the docs that i can find on systrace policy generation and enforcement and have hit a snag when trying to generate a working policy for vi that restricts the files that can be read and written by a user. the policy is generated by running "systrace -A vi test.txt" for an unprivileged user in their home directory, performing some edits, quitting vi and editing the policy to wildcard file paths where appropriate. running the same command with enforcement of the auto-generated policy, "systrace -a vi test.txt", yields the following:
$ systrace -a vi test.txt
ex/vi: Error: Unable to create temporary file: Operation not permitted

when this occurs there is a corresponding series of log entries:

Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fswrite(5), filename: /tmp/bt.lP2684
Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fsread(291), filename: /home/systest/test.txt
Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fswrite(5), filename: /tmp/vi.HgVcdq2684

the denials of these syscalls are confusing to me since the systrace policy, /etc/systrace/usr_bin_vi [0], contains wildcarded permit statements that should, AFAICT, allow these syscalls. the two lines in usr_bin_vi that are meant to allow these syscalls are marked with a ">>" in [0] below. since systrace obviously works for other folks, i'm missing something here. i suspect it has to do with wildcarding or environment variables. clues appreciated.
cheers, jake

[0] - /etc/systrace/usr_bin_vi

Policy: /usr/bin/vi, Emulation: native
native-issetugid: permit
native-mprotect: permit
native-mmap: permit
native-__sysctl: permit
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fstat: permit
native-close: permit
native-fsread: filename eq "/usr/lib/libcurses.so.10.0" then permit
native-read: permit
native-mquery: permit
native-fsread: filename eq "/usr/lib/libc.so.39.0" then permit
native-munmap: permit
native-sigprocmask: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-ioctl: permit
native-fsread: filename eq "$HOME/.terminfo.db" then permit
native-fsread: filename eq "$HOME/.terminfo" then permit
native-fsread: filename eq "/usr/share/misc/terminfo.db" then permit
native-fcntl: permit
native-pread: permit
native-sigaction: permit
native-fsread: filename eq "/usr/share/vi/catalog" then permit
native-getpid: permit
native-fsread: filename eq "/tmp" then permit
>> native-fswrite: filename eq "/tmp/*" then permit
native-lseek: permit
native-fsread: filename eq "/etc/vi.exrc" then permit
native-fsread: filename eq "$HOME/.nexrc" then permit
native-fsread: filename eq "$HOME/.exrc" then permit
>> native-fsread: filename eq "$HOME/*" then permit
native-fsread: filename eq "/var/tmp/vi.recover" then permit
native-fswrite: filename eq "/var/tmp/vi.recover/*" then permit
native-fchmod: fd eq "3" and mode eq "700" then permit
native-flock: permit
native-write: permit
native-poll: permit
native-select: permit
native-getuid: permit
native-fsread: filename eq "/etc/spwd.db" then permit
native-fsread: filename eq "/etc/pwd.db" then permit
native-fchmod: fd eq "6" and mode eq "600" then permit
native-gettimeofday: permit
native-fsread: filename eq "/usr/share/zoneinfo/US/Central" then permit
native-pwrite: permit
native-fsync: permit
native-chmod: filename eq "/var/tmp/vi.recover/vi.*" and mode eq "600" then permit
native-fswrite: filename eq "$HOME/*" then permit
native-exit: permit
native-fchmod: fd eq "3" and mode eq "600" then permit
native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
native-fsread: filename eq "/<non-existent filename>: /usr/share/nls/libc/C" then permit
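An added example (not part of jake's post and not systrace's own code) that models how a systrace filename rule is evaluated, assuming `eq` is an exact string comparison and `match` is fnmatch(3)-style globbing, and runs the three denied events from the log above against the two marked rules under both operators:

```python
import fnmatch
import re

HOME = "/home/systest"  # the poster's home directory, taken from the log lines above

# Constructed policy fragments: the poster's rules as written (eq) and the same rules with match.
POLICY_EQ = """
native-fsread: filename eq "/tmp" then permit
native-fswrite: filename eq "/tmp/*" then permit
native-fsread: filename eq "$HOME/*" then permit
native-fswrite: filename eq "$HOME/*" then permit
"""
POLICY_MATCH = POLICY_EQ.replace(" eq ", " match ")

# Constructed from the three "deny" log entries: (syscall, filename) pairs.
DENIED_EVENTS = [
    ("native-fswrite", "/tmp/bt.lP2684"),
    ("native-fsread", "/home/systest/test.txt"),
    ("native-fswrite", "/tmp/vi.HgVcdq2684"),
]

RULE_RE = re.compile(r'^(\S+):\s+filename\s+(eq|match)\s+"([^"]*)"\s+then\s+(permit|deny)\b')

def parse_policy(text, home=HOME):
    """Return (syscall, operator, expanded_pattern, action) for each filename rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            syscall, op, pattern, action = m.groups()
            rules.append((syscall, op, pattern.replace("$HOME", home), action))
    return rules

def decide(rules, syscall, filename):
    """First rule whose syscall and filename test both hit decides (assumed model);
    an event no rule covers is treated as deny, the safe default."""
    for rule_syscall, op, pattern, action in rules:
        if rule_syscall != syscall:
            continue
        hit = filename == pattern if op == "eq" else fnmatch.fnmatchcase(filename, pattern)
        if hit:
            return action
    return "deny"

def audit(policy_text, events=DENIED_EVENTS):
    """Map each (syscall, filename) event to the decision the policy yields for it."""
    rules = parse_policy(policy_text)
    return {(s, f): decide(rules, s, f) for s, f in events}

if __name__ == "__main__":
    for name, text in (("eq", POLICY_EQ), ("match", POLICY_MATCH)):
        for (syscall, filename), verdict in audit(text).items():
            print(f"{name:5} {syscall:14} {filename:24} -> {verdict}")
```

Under the literal-comparison model every one of the three logged events is denied, exactly as in the log, while the globbing model permits them; the real systrace(1) operator semantics should be checked against the manual page on the system in question.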