./security/gtk-systrace, GTK interface to systrace(1)



Branch: pkgsrc-2009Q1, Version: 20021201nb4, Package name: gtk-systrace-20021201nb4, Maintainer: pkgsrc-users

GTK frontend for systrace.

Systrace enforces system call policies for applications by constraining
the application's access to the system. The policy is generated
interactively. Operations not covered by the policy raise an alarm
and allow a user to refine the currently configured policy.

For complicated applications, it is difficult to know the correct
policy before running them. Initially, Systrace notifies the user
about all system calls that an application tries to execute. The
user configures a policy for the specific system call that caused
the warning. After a few minutes, a policy is generated that allows
the application to run without any warnings. However, events that
are not covered still generate a warning. Normally, that is an
indication of a security problem. Systrace improves cyber security
by providing intrusion prevention.

With systrace, untrusted binary applications can be sandboxed.
Their access to the system can be restricted almost arbitrarily.
Sandboxing applications available only as binaries is only sensible
as it is not possible to directly analyze what they are designed
to do. However, constraining the system calls large open-source
applications are allowed to execute is useful too as it is very
difficult to determine their correctness.

System call arguments can be rewritten dynamically. This effects
a virtual chroot for the sandboxed application. It also prevents
race conditions in the argument evaluation.


Master sites:

SHA1: f59c9224ce6d1068feec7e5c1c03d65c2f65c1d1
RMD160: f0e70327ebeac920ab2d01cf2dedf385de8d4eac
Filesize: 71.396 KB
