DOSC TWiki snapshot as of mid-2005
Place this file in your ~/.systrace directory as usr_bin_gaim (systrace derives the policy filename from the binary path), and be sure to start gaim as "systrace gaim" so the policy is actually applied.
#######################BEGIN###############################
# systrace policy for /usr/bin/gaim (Linux emulation).
# Each rule names a Linux syscall, an optional predicate on its arguments, and
# the action "permit". $HOME and $USER are expanded by systrace at load time.
# Syscalls or arguments not matched by any rule here fall through to systrace's
# default handling (the interactive prompt mentioned in the note after END).
# NOTE(review): systrace is first-match on rule order; keep related rules
# together and confirm ordering semantics against your systrace man page
# before reshuffling.
Policy: /usr/bin/gaim, Emulation: linux
linux-accept: true then permit
linux-alarm: permit
# Local listening socket is pinned to a per-user name: anchored regex,
# /tmp/gaim_<user>.<digits> only.
linux-bind: sockaddr re "^/tmp/gaim_$USER.[0-9]*$" then permit
linux-brk: permit
# Mode changes are limited to gaim's own config tree and only to 0600.
linux-chmod: filename match "$HOME/.gaim/*" and mode eq "600" then permit
linux-chmod: filename eq "$HOME/.gaimrc" and mode eq "600" then permit
linux-close: permit
# --- outbound network connections ---
# Remote server ranges are hard-coded as of the 2003 date below and are
# likely stale; confirm current service endpoints before reusing this file.
#msn
linux-connect: sockaddr match "inet-\[207.46.*\]:1863" then permit
#nameservers, you might wish to restrict this
# (as written this permits DNS to ANY host on port 53, not just the
#  servers listed in /etc/resolv.conf)
linux-connect: sockaddr match "inet-*:53" then permit
#aim
linux-connect: sockaddr match "inet-\[64.12.*\]:5190" then permit
# --- local UNIX-domain sockets: sound daemon, own socket, X display, nscd ---
linux-connect: sockaddr eq "/tmp/.esd/socket" then permit
linux-connect: sockaddr re "^/tmp/gaim_$USER.[0-9]*$" then permit
linux-connect: sockaddr match "/tmp/.X11-unix/X[0-9]" then permit
linux-connect: sockaddr eq "/var/run/.nscd_socket" then permit
linux-fcntl64: permit
linux-fork: permit
# --- read-only filesystem access ---
# System configuration, resolver/NSS files, shared libraries, locale and
# theme data, plus gaim's and GTK's per-user config.
linux-fsread: filename match "/etc/gtk/gtkrc*" then permit
linux-fsread: filename eq "/etc/host.conf" then permit
linux-fsread: filename eq "/etc/hosts" then permit
linux-fsread: filename eq "/etc/ld.so.cache" then permit
linux-fsread: filename eq "/etc/ld.so.preload" then permit
linux-fsread: filename eq "/etc/localtime" then permit
linux-fsread: filename eq "/etc/nsswitch.conf" then permit
# presumably needed for NSS user lookups; verify if you tighten this
linux-fsread: filename eq "/etc/passwd" then permit
linux-fsread: filename eq "/etc/resolv.conf" then permit
linux-fsread: filename eq "$HOME/.esd_auth" then permit
linux-fsread: filename match "$HOME/.gaim/*" then permit
linux-fsread: filename eq "$HOME/.gaimrc" then permit
linux-fsread: filename eq "$HOME/.gaim" then permit
linux-fsread: filename match "$HOME/.gtkrc*" then permit
# X authority cookie is readable; needed for the X11 connection above.
linux-fsread: filename eq "$HOME/.Xauthority" then permit
linux-fsread: filename match "/lib/*" then permit
linux-fsread: filename eq "/tmp/.esd/socket" then permit
linux-fsread: filename match "/usr/lib/*" then permit
linux-fsread: filename match "/usr/share/locale/*" then permit
linux-fsread: filename match "/usr/share/themes/*" then permit
linux-fsread: filename match "/usr/X11R6/lib/*" then permit
linux-fsread: filename eq "/var/nis/NIS_COLD_START" then permit
linux-fstat64: permit
# --- filesystem writes ---
linux-fswrite: filename match "$HOME/.gaim/*" then permit
linux-fswrite: filename eq "$HOME/.gaimrc" then permit
# NOTE(review): this glob is wider than the bind/connect regex above — it
# covers any /tmp/gaim* path, not just /tmp/gaim_$USER.<digits>. If gaim
# only ever writes its own socket, consider narrowing it to the same
# anchored "re" form; confirm by watching the systrace prompts first.
linux-fswrite: filename match "/tmp/gaim*" then permit
linux-getpid: permit
linux-getresgid: permit
linux-getresuid: permit
linux-getsockopt: true then permit
linux-gettimeofday: permit
linux-getuid: permit
# ioctl and ipc are permitted unconditionally (no argument filtering).
linux-ioctl: permit
linux-ipc: permit
linux-listen: true then permit
linux-llseek: permit
linux-mmap2: permit
linux-mprotect: permit
linux-munmap: permit
linux-newuname: permit
linux-ni_syscallexit: permit
linux-old_mmap: permit
linux-pipe: permit
linux-poll: permit
linux-read: permit
linux-readv: permit
linux-recvfrom: true then permit
linux-recv: true then permit
linux-rt_sigaction: permit
linux-rt_sigprocmask: permit
linux-select: permit
linux-send: true then permit
linux-setsockopt: true then permit
linux-shutdown: true then permit
linux-sigreturn: permit
# Socket creation is limited to IPv4 TCP/UDP and UNIX-domain stream sockets;
# no raw sockets, no IPv6.
linux-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
linux-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
linux-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
linux-time: permit
linux-umask: permit
linux-wait4: permit
linux-write: permit
linux-writev: permit
linux-getpeername: true then permit
####################END#################################
The policy covers only basic aiming and msn; you might want to extend it. Just use the gtk-systrace prompts :) You might also find that you connect to a server not covered here. AlexFerguson - 18 Mar 2003