From johnw.mail at gmail.com Sat Mar 17 09:49:35 2007
From: johnw.mail at gmail.com (John Wong)
Date: Sat Mar 17 09:49:51 2007
Subject: [Systrace] what mean is "true then" ?

What is the difference between

native-XYZ: permit

and

native-XYZ: true then permit

and when do you / don't you want to use each?

Thank you

From ray at cyth.net Sun Mar 18 17:50:58 2007
From: ray at cyth.net (Ray Lai)
Date: Sun Mar 18 17:50:29 2007
Subject: [Systrace] what mean is "true then" ?
Message-ID: <20070318215021.GO12761@cybertron.cyth.net>

On Sat, Mar 17, 2007 at 09:49:35PM +0800, John Wong wrote:
> what is different both
> native-XYZ: permit

This skips all further systrace evaluation.

> and
> native-XYZ: true then permit

This always evaluates the system call and permits it.

> when you do/don't want to use it?
> thank you

Using just "permit" may be faster, since "true" is never evaluated.
However, be careful when using this for execve: since the system call is
never evaluated, systrace never figures out that the program has changed,
and so will act as though you had specified "true then permit[inherit]".

"true then permit" also allows adding predicates; "true then permit, if
user = 1000" is valid but "permit, if user = 1000" is invalid.

-Ray
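The two rule forms side by side in a policy file, as an added example that is not part of either message above and not taken from the systrace distribution. The policy path /usr/local/bin/example and the sockaddr pattern are made up for illustration; the syscall names (fsread, execve, connect), the `then permit`, `permit[inherit]` and `, if user = 1000` forms are the ones the thread and the systrace policy grammar use. Lines beginning with `#` are assumed to be ignored by the policy parser; drop them if your version rejects them.

```text
Policy: /usr/local/bin/example, Emulation: native
	# Bare "permit": no predicate is evaluated, so this is the fastest form.
	# Fine for calls where it does not matter what the arguments were.
	native-fsread: permit
	# "true then permit": the call is evaluated every time and then allowed,
	# so a predicate may be attached. This is the only form that accepts
	# ", if user = 1000"; "permit, if user = 1000" is a syntax error.
	native-connect: true then permit, if user = 1000
	# For execve the distinction matters for security, not just speed.
	# With a bare "permit" systrace does not see the exec happen, so the
	# new program keeps running under this policy, as if you had written
	# "true then permit[inherit]". Evaluating the call lets systrace
	# switch to the policy of the program being executed.
	native-execve: true then permit
	# If you actually want the child to keep this policy, say so explicitly
	# instead of relying on the bare-permit side effect.
	native-execve: filename eq "/bin/sh" then permit[inherit]
```

When auditing an existing policy, a bare `native-execve: permit` is the line to look for: it silently widens the policy to every program the traced process executes, which is rarely what the author meant.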