Hello Niels,

do you still do any work on systrace, now that the clueless NetBSD®
developers have removed it? I’ve been pulling from OpenBSD, and I
hope they will not follow. We are using systrace in our ports
framework to confine buggy build systems, like OpenBSD optionally
offers, except we have enabled it by default. I’m also using it to
confine the base system (plus gcc and XFree86®) builds, although
there are fewer problems than with especially unknown/new ports.

Since I’m also a developer at the FreeWRT project, I’d be interested
in systrace support on more recent GNU/Linux and Mac OSX systems.
While I do not have a Macintosh, if remote access were enough for
you I’m sure I can ask one of the many people I know who have one if
they can provide you access.

As for GNU/Linux, if you do not have access to a system, I’m sure
that could be arranged.

I’m not a kernel developer, so I probably can’t be of any help with
real implementation issues.


Lucas: do you plan on supporting systrace in MidnightBSD, for example
using it in mports similarly to how we do in MirPorts?


Now to clean up some FUD for those on the Cc list: some sources state
that NetBSD® has removed systrace because of unpatched security
problems: when using systrace to “jail” applications, they can break
out of it due to concurrency issues with threads or something. However,
systrace has many more uses, for example, sysjail (which was developed
to emulate FreeBSD® jails – which, for the record, are not 100% secure
either – originally) can emulate other OS kernels similar to the
in-kernel compat_linux(8) ABI emulation with systrace. I mostly use it
to confine build systems, for example, to prevent configure scripts
from phoning home, or Makefiles from wrecking /usr/bin/ on installation
instead of writing to ${DESTDIR}. So, if you know that systrace is no
jail or chroot tool, at least not 100% safe, you can see its other
uses.

Interestingly enough, the sysjail homepage states that it should not
be used for security purposes but will continue to be updated.

I wonder if TNF will some day see the light…

References:
• http://www.citi.umich.edu/u/provos/systrace/
• http://sysjail.bsd.lv/


bye,
//mirabilos
-- 
> Hi, does anyone sell openbsd stickers by themselves and not packaged
> with other products?
No, the only way I've seen them sold is for $40 with a free OpenBSD CD.
        -- Haroon Khalid and Steve Shockley in gmane.os.openbsd.misc
_______________________________________________
freewrt-developers mailing list
[email protected]
https://www.freewrt.org/lists/listinfo/freewrt-developers