Hi guys, I use gentoo-sources-2.4.20-r1 (because r2 won't work if you use IPSec and IPv6; I posted a bug about this). I just saw that we have systrace ebuilds (for the userland tools), but it also needs to be in the kernel, so I manually patched the latest v1.2 patch into my gentoo-sources kernel, and it works beautifully. I just booted up on it, and it runs as it's supposed to (f.ex. `systrace -d /root/ -A ethereal` generates what it's supposed to).

In case you're wondering why including systrace in the standard gentoo-sources patch would be a good idea (after all, we have GRSecurity in there), read this short article: http://www.onlamp.com/pub/a/bsd/2003/01/30/Big_Scary_Daemons.html - it has many features GRSecurity doesn't have, and it's a lot easier to configure what it does (and we of course still need GRSecurity, as it has many features systrace hasn't got). Also, an added feature of using systrace is that it uses the exact same userland binaries and configuration as the OpenBSD one, i.e. if you become good at using systrace for Linux, you're automagically also a competent OpenBSD systrace user :)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Created attachment 10155: patch for gentoo-sources-2.4.20-r1
We have a hardened-sources which has systrace. I've planned on adding additional security/stability patches; mattjf will eventually take over development of that. I'll get these patches and see which ones are relevant to the hardened-sources kernel; gentoo-sources can add these if it wants...
I've added systrace 1.2 to my base patches in pfeifer-sources. It should appear in 2.4.20pre8. If all looks good, then I'll include them in the next gentoo-sources as well.

Jay
This is now in pfeifer-sources-2.4.20_pre8 and will be in the next bump of gentoo-sources.

Jay