[Systrace] What does "true then" mean?
Ray Lai
ray at cyth.net
Sun Mar 18 17:50:58 EDT 2007
On Sat, Mar 17, 2007 at 09:49:35PM +0800, John Wong wrote:
> What is the difference between
> native-XYZ: permit
This skips all further systrace evaluation.
> and
> native-XYZ: true then permit
This always evaluates the system call and permits it.
> when you do/don't want to use it?
> thank you
Using just "permit" may be faster, since "true" is never evaluated.
However, be careful when using this for execve: since the system
call is never evaluated, systrace never figures out that the program
has changed, and so will act as though you had specified "true then
permit[inherit]".
"true then permit" also allows adding predicates; "true then permit,
if user = 1000" is valid but "permit, if user = 1000" is invalid.
-Ray-
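A constructed policy fragment, added here as an illustration and not part of the thread, showing the three forms discussed above side by side (the program path and the user id are hypothetical):

```text
Policy: /usr/local/bin/example, Emulation: native
	# Fast path: no evaluation at all, systrace skips the call entirely.
	native-fstat: permit
	native-munmap: permit
	# Always evaluated: systrace sees the new program on execve, so the
	# current policy keeps applying rather than behaving like permit[inherit].
	native-execve: true then permit
	# Predicates are only valid on the "true then" form.
	native-fsread: filename eq "/etc/passwd" then permit, if user = 1000
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: deny[eperm]
```

The last fswrite line is the catch-all that rejects any write not matched above, which is the pattern to keep in mind when a bare "permit" would otherwise skip evaluation you were relying on.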