DOSC TWiki snapshot as of mid-2005
As a trained-paranoid OpenBSD user, my first qualm with my new Redhat installation was its lack of systrace. My first major linux task was therefore to get systrace functioning.
Systrace is a tool which lets you monitor running processes on a per system call basis. You may configure policies to restrict untrusted programs to a certain set of system calls and certain parts of the filesystem. You may also elevate privileges for certain syscalls, e.g. bind to a low numbered port. [Update: the linux systrace does not seem to allow this feature. AlexFerguson Mar18] When systrace sees a program attempting to execute a system call not in its list, it denies it with a configurable error number or pops up an X application prompting for what to do. Obvious applications of this are to network daemons and desktop networking applications. Programs like xmms, xpdf, and ghostscript might also benefit. Read more about all this on the systrace page, http://www.citi.umich.edu/u/provos/systrace/index.html.
I will attempt to describe what I did to enable systrace in Redhat 8.0. Actually generating policies given the slightly weakened systrace and some uncooperative X apps may still be a challenge; I hope to post what I do generate on the wiki. [Update: look at LinuxSystracePolicies AlexFerguson]
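To make the policy mechanism described above concrete, here is an added example policy (written for this page; it is not one of the author's generated policies nor a file shipped with systrace) confining xpdf to read-only access to its libraries, fonts and the user's own PDF files. The program path /usr/bin/xpdf, the linux emulation name and the fsread/fswrite aliases are assumptions carried over from the OpenBSD policy syntax.

```systrace
# Added example policy, not from the original page. Rules are matched
# top to bottom and the first matching rule decides.
Policy: /usr/bin/xpdf, Emulation: linux
	# Dynamic loader, libraries, X libraries and fonts: read-only.
	linux-fsread: filename eq "/etc/ld.so.cache" then permit
	linux-fsread: filename match "/lib/*" then permit
	linux-fsread: filename match "/usr/lib/*" then permit
	linux-fsread: filename match "/usr/X11R6/lib/*" then permit
	linux-fsread: filename match "/usr/share/fonts/*" then permit
	# Configuration files xpdf reads at startup.
	linux-fsread: filename eq "/etc/xpdfrc" then permit
	linux-fsread: filename eq "$HOME/.xpdfrc" then permit
	# Documents: only PDF files under the user's home directory.
	linux-fsread: filename match "$HOME/*.pdf" then permit
	# Calls that name no file or socket and that any program needs.
	linux-brk: permit
	linux-mmap: permit
	linux-munmap: permit
	linux-read: permit
	linux-write: permit
	linux-close: permit
	linux-exit: permit
	# On OpenBSD a rule like the next one elevates a single call, e.g. to
	# bind a low port; the update above reports the linux port cannot do this.
	# linux-bind: sockaddr eq "inet-[0.0.0.0]:80" then permit as root
	# Everything else on the filesystem is refused with a chosen error
	# number, so xpdf sees "no such file" instead of a prompt; the refusal
	# is logged so it can be reviewed when tightening the policy.
	linux-fsread: deny[enoent] log
	linux-fswrite: deny[eperm] log
	# Any system call not covered here is referred to xsystrace for a
	# decision, or denied outright when systrace runs with -a.
```

A first draft of such a file is easiest to obtain by letting systrace record what the program actually does (the -A option) and then pruning the result to the rules above.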
This procedure involves an unofficial patch to the linux kernel, and plenty of experimental code. I've already managed to hang my kernel once :) I wrote this only after I had finished installing everything, and I did not take notes while installing, so blindly executing the commands I'm going to supply would be a Bad Idea(TM).
Beware of dog.
libacl-devel, libattr-devel, tk, glibc, tcl, and XFree86-libs. You might also want to get redhat's kernel source for the sake of its config files; this goes by the name of kernel-source.
Go to /usr/src and unpack the bz2ball you got from kernel.org. Following redhat's lead I symlinked /usr/src/linux-2.4 to the new directory, but this probably doesn't matter. Now cd to this directory, I'll call it /usr/src/linux-2.4 from now on, and apply the patch.
cd /usr/src
tar xjf /path/to/linux-xxxxxx.tar.bz2
ln -s /usr/src/linux-xxxxxx linux-2.4
cd linux-2.4
patch -p1 < /path/to/systrace-linux-xxxxxx-v1.1.diff
You now need to build yourself a new kernel from the source you made. Writing a complete guide to compiling the linux kernel is a job for a better man than me, and wouldn't you know it he's already done the task: http://tldp.org/HOWTO/Kernel-HOWTO.html. You may find it useful to copy a configuration file from the redhat kernel sources; they are in the configs/ directory and you copy one of your choosing to /usr/src/linux-2.4/.config. Be sure to enable Systrace support in General setup.
The general steps for compiling a kernel are listed here for convenience, but this is not sufficient to guide someone who has not done it before. In particular, see the HOWTO for notes on clean vs mrproper.
make clean; make mrproper
make xconfig
make dep
vi Makefile
make bzImage
make modules
make modules_install
make install
After you make install, don't forget to configure your boot loader! make install makes an attempt to configure grub automatically, for people who use grub, but I had to fix the entry for the root device. (It will look like /dev/hdb2, depending on where you are installed. Type mount and look for where / is mounted if you aren't sure.) Again, see the Kernel-HOWTO or other docs on http://tldp.org for more information.
This one is easy.
su -c 'mknod -m600 /dev/systrace c 10 223'
This is easy if and only if you were a good girl/boy and read http://www.citi.umich.edu/u/provos/systrace/linux.html completely. (Oops.) There is a header in the patched kernel source which the userland utility needs, but doesn't take much effort to find. You can either copy systrace.h from the kernel source to /usr/include/linux/, or edit the Makefile in the systrace userland source so that
CFLAGS = -Wall $(AM_CFLAGS)
becomes
CFLAGS = -I/usr/src/linux-2.4/include -Wall $(AM_CFLAGS)
Aside from this glitch, the compile is standard.
tar xzf usr-systrace-snapshot.tar.gz
cd systrace-1.0
./configure
vi Makefile # see note above
make
su -c 'make install'
If you want normal users to be able to use systrace,
su -c 'chmod 666 /dev/systrace'
tar xzf gtk-systrace-2002-12-01.tar.gz
cd notification-0.1
./configure
make
su -c 'make install'
This installs a program called notification in /usr/local/bin. systrace expects its gui to be called /usr/X11R6/bin/xsystrace, so
su -c 'ln -s /usr/local/bin/notification /usr/X11R6/bin/xsystrace'
You should now be primed and ready to, um, trace :) If there is interest and existing documents (rtfm ;) aren't sufficient, I'll try and write some sort of usage guide for systrace.