./security/gtk-systrace, GTK interface to systrace(1)

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: pkgsrc-2015Q1, Version: 20021201nb5, Package name: gtk-systrace-20021201nb5, Maintainer: pkgsrc-users

Systrace enforces system call policies for applications by constraining the
application's access to the system. The policy is generated interactively.
Operations not covered by the policy raise an alarm and allow an user to refine
the currently configured policy.

For complicated applications, it is difficult to know the correct policy before
running them. Initially, Systrace notifies the user about all system calls that
an applications tries to execute. The user configures a policy for the specific
system call that caused the warning. After a few minutes, a policy is generated
that allows the application to run without any warnings. However, events that
are not covered still generate a warning. Normally, that is an indication of a
security problem. Systrace improves cyber security by providing intrusion
prevention.

With systrace untrusted binary applications can be sandboxed. Their access to
the system can be restricted almost arbitrarily. Sandboxing applications
available only as binaries is only sensible as it is not possible to directly
analyze what they are designed to do. However, constraining the system calls
large open-source applications are allowed to execute is useful too as it is
very difficult to determine their correctness.

System call arguments can be rewritten dynamically. This effects a virtual
chroot for the sandboxed application. It also prevents race conditions in the
argument evaluation.


Master sites:

SHA1: f59c9224ce6d1068feec7e5c1c03d65c2f65c1d1
RMD160: f0e70327ebeac920ab2d01cf2dedf385de8d4eac
Filesize: 71.396 KB

Version history: (Expand)