[Systrace] Odd Behavior under Debian Linux
jimd at starshine.org
Thu Jan 15 03:55:35 EST 2004
Thorsten, et al.:
I installed systrace on a Debian box. First I applied the Linux
version of the kernel patch to a pristine 2.4.24 kernel source tree
and built a kernel therefrom. I did not apply any other patches to
this kernel (no FreeS/WAN, International crypto, LIDS, GRSecurity, or
any of that).
Then I used apt-get -f install systrace ("unstable")
(Version: 1:20030623-3)
Then I touched up the permissions and group association of the
/dev/systrace device node.
Then I tried running systrace -A /usr/bin/bitchx, ran it for a bit
and tried running systrace /usr/bin/bitchx; systrace -t -a
/usr/bin/bitchx, etc.
I then tried all this with simpler commands like /bin/ls and
/bin/uname. I tried these under a test account (which did have write
access to /dev/systrace), and under the root account.
In all cases the behavior was consistent.
The -A consistently created a ~/.systrace/ policy file, which looked
reasonable to my perusal. However, any subsequent use of systrace on
these binaries resulted in an immediate "Killed." message. This even
happens if I try another systrace -A on the same binary (unless I
remove the ~/.systrace file). There are no /etc/systrace files or
directories.
The really odd part is that it seems like I CAN run any of these
commands under strace systrace! In other words, if I use a command
like:
strace -o /dev/null systrace /bin/ls ...
... it works! (But maybe the systrace isn't actually working?)
Trying a command like: systrace -t -A ls -l
... blocked? ... Killing the systrace process then led to a pair
of "D"-state (wedged) processes (systrace and ls -l).
So, what's wrong? What else should I try?
(BTW: my Debian box had "snoopy" installed --- that's a
little shared object/library that is put in /etc/ld.so.preload to log
every execution of any binary on the system. However, I removed that
/etc/ld.so.preload file for testing).
I did install a copy of OpenBSD 3.4 (shipped with the current copy of
Linux User & Developer from the U.K.). Systrace behaves as I'd expect
on that system. systrace -A and then systrace or systrace -a just
works.
Is the systrace port for Linux out of date? Are there known problems
with it?
--
Jim Dennis
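A small reproduction harness for the procedure described in the post above (an added example, not part of the original message or of the systrace package): it checks the /dev/systrace node the poster had to fix up by hand, runs the learning pass (-A) and then the enforcing pass on a binary (default /bin/ls, an assumption), and decodes each exit status so a shell's "Killed." (status 137, SIGKILL) is reported distinctly from a clean exit or an ordinary error.

```sh
#!/bin/sh
# Added reproduction harness for the systrace-on-Debian report above.
# Assumptions: the Debian layout from the post (/dev/systrace device node,
# per-user policies under ~/.systrace/) and /bin/ls as the binary under test.

# Map a shell exit status to a readable verdict. A process terminated by a
# signal leaves status 128+signo; the shell's "Killed." message is SIGKILL,
# i.e. status 137.
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -gt 128 ]; then
        signo=$((status - 128))
        case $signo in
            9)  echo "killed:SIGKILL" ;;
            11) echo "killed:SIGSEGV" ;;
            *)  echo "killed:signal$signo" ;;
        esac
    else
        echo "exit:$status"
    fi
}

# The device node the poster touched up by hand: it must be a character
# device and writable by the account running systrace.
check_device() {
    dev=${1:-/dev/systrace}
    [ -c "$dev" ] || { echo "$dev: missing or not a character device"; return 1; }
    [ -w "$dev" ] || { echo "$dev: not writable by $(id -un)"; return 1; }
    echo "$dev: ok"
}

# Learning pass (-A) followed by an enforcing pass, reporting each verdict.
# A pre-existing policy in ~/.systrace/ changes the outcome, as the post notes.
repro() {
    bin=${1:-/bin/ls}
    check_device || return 1
    systrace -A "$bin" >/dev/null 2>&1; st=$?
    echo "learning pass (-A): $(classify_exit "$st")"
    systrace "$bin" >/dev/null 2>&1; st=$?
    echo "enforcing pass:     $(classify_exit "$st")"
}

# Only attempt the live run where systrace is actually installed.
if command -v systrace >/dev/null 2>&1; then
    repro "$@"
fi
```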