DOSC TWiki snapshot as of mid-2005

LinuxSidecarSystracePolicy


Place this in /etc/systrace/usr_local_bin_sidecar

########################### BEGIN ###############################
Policy: /usr/local/sbin/sidecar, Emulation: linux
   linux-accept: true then permit
   linux-bind: sockaddr eq "inet-[0.0.0.0]:0" then permit
   linux-bind: sockaddr eq "inet-[0.0.0.0]:913" then permit
   linux-brk: permit
   linux-close: permit
# you might change this to more specific nameservers
   linux-connect: sockaddr match "inet-\[*\]:53" then permit
   linux-connect: sockaddr eq "/var/run/.nscd_socket" then permit
   linux-dup: permit
   linux-fcntl64: permit
   linux-fork: permit
   linux-fsread: filename eq "/etc/host.conf" then permit
   linux-fsread: filename eq "/etc/hosts" then permit
   linux-fsread: filename eq "/etc/krb5.conf" then permit
   linux-fsread: filename eq "/etc/krb.conf" then permit
   linux-fsread: filename eq "/etc/ld.so.cache" then permit
   linux-fsread: filename eq "/etc/ld.so.preload" then permit
   linux-fsread: filename eq "/etc/localtime" then permit
   linux-fsread: filename eq "/etc/mandarin.conf" then permit
   linux-fsread: filename eq "/etc/nsswitch.conf" then permit
   linux-fsread: filename eq "/etc/passwd" then permit
   linux-fsread: filename eq "/etc/resolv.conf" then permit
   linux-fsread: filename eq "/etc/services" then permit
   linux-fsread: filename eq "/proc/net/tcp" then permit
   linux-fsread: filename match "/lib/*" then permit
   linux-fsread: filename match "/usr/kerberos/*" then permit
   linux-fsread: filename re "^/tmp/tkt[0-9]*$" then permit
   linux-fstat64: permit
   linux-fswrite: filename eq "/dev/null" then permit
   linux-fswrite: filename eq "/var/run/sidecar.log" then permit
   linux-fswrite: filename eq "/var/run/sidecar.pid" then permit
   linux-fswrite: filename re "^/tmp/tkt[0-9]*$" then permit
   linux-geteuid: permit
   linux-getpeername: true then permit
   linux-getpid: permit
   linux-getrlimit: permit
   linux-getsockname: true then permit
   linux-getsockopt: true then permit
   linux-gettimeofday: permit
   linux-getuid: permit
   linux-ioctl: permit
   linux-listen: true then permit
   linux-llseek: permit
   linux-munmap: permit
   linux-newuname: permit
   linux-ni_syscallexit: permit
   linux-old_mmap: permit
   linux-poll: permit
   linux-read: permit
   linux-recvfrom: true then permit
   linux-rt_sigaction: permit
   linux-select: permit
   linux-sendto: true then permit
   linux-send: true then permit
   linux-setsid: permit
   linux-setsockopt: true then permit
   linux-setuid: permit
   linux-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
   linux-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
   linux-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
   linux-time: permit
   linux-write: permit
######################END################################
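Before dropping a policy like the one above into /etc/systrace, it is worth checking it mechanically for rules that grant more than the daemon needs. The following is an added example, not part of the original page or of the sidecar/systrace projects: a small Python parser for the systrace policy syntax shown above (`emulation-syscall: predicate then action`, or a bare action for unconditional rules) and an audit pass that flags unconditional permits on path- and address-sensitive syscalls and wildcard `match` predicates. The sample input is a constructed excerpt of the policy above plus one constructed `linux-execve: permit` line that the page does not contain; the set of "sensitive" syscalls and the wildcard heuristic are this example's assumptions, not systrace semantics.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines taken from the policy above, plus a constructed
# unconditional "linux-execve: permit" that is NOT in the original policy,
# added only so the audit has something broad to flag.
SAMPLE_POLICY = r"""
Policy: /usr/local/sbin/sidecar, Emulation: linux
   linux-accept: true then permit
   linux-bind: sockaddr eq "inet-[0.0.0.0]:913" then permit
   linux-brk: permit
# you might change this to more specific nameservers
   linux-connect: sockaddr match "inet-\[*\]:53" then permit
   linux-fsread: filename match "/lib/*" then permit
   linux-fsread: filename re "^/tmp/tkt[0-9]*$" then permit
   linux-fswrite: filename eq "/var/run/sidecar.pid" then permit
   linux-execve: permit
   linux-write: permit
"""

# "Policy: <binary>, Emulation: <emul>" header line.
HEADER_RE = re.compile(r'^Policy:\s*(?P<path>\S+),\s*Emulation:\s*(?P<emul>\w+)')
# "<emul>-<syscall>: <body>" rule line; body is "<predicate> then <action>" or "<action>".
RULE_RE = re.compile(r'^\s*(?P<emul>[a-z0-9]+)-(?P<syscall>\w+):\s*(?P<body>.+?)\s*$')

# Syscalls whose unconditional permit means "any path / any address / any program".
# This set is an assumption of the example, chosen for review value.
SENSITIVE = {'fsread', 'fswrite', 'execve', 'connect', 'bind', 'socket',
             'unlink', 'rename', 'chmod', 'chown'}


@dataclass
class Rule:
    syscall: str
    predicate: Optional[str]   # None when the rule has no "... then" part
    action: str                # e.g. "permit", "deny", "ask"


def parse_policy(text: str) -> Tuple[Optional[Tuple[str, str]], List[Rule]]:
    """Return ((binary, emulation) or None, [Rule, ...]) for a systrace policy."""
    header = None
    rules: List[Rule] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue                      # blank line or comment
        m = HEADER_RE.match(stripped)
        if m:
            header = (m.group('path'), m.group('emul'))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparsable policy line: {line!r}')
        body = m.group('body')
        if ' then ' in body:
            predicate, action = body.rsplit(' then ', 1)
        else:
            predicate, action = None, body
        # action may carry a suffix such as "permit[log]"; keep the bare word
        rules.append(Rule(m.group('syscall'), predicate, action.split()[0]))
    return header, rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Flag permits that are broader than a path- or address-specific rule."""
    findings: List[Tuple[str, str]] = []
    for r in rules:
        if not r.action.startswith('permit'):
            continue
        unconditional = r.predicate is None or r.predicate == 'true'
        if unconditional and r.syscall in SENSITIVE:
            findings.append((r.syscall, 'unconditional permit'))
        elif r.predicate and ' match ' in r.predicate and '*' in r.predicate:
            findings.append((r.syscall, f'wildcard predicate {r.predicate}'))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience entry point: parse then audit."""
    return audit(parse_policy(text)[1])


if __name__ == '__main__':
    header, parsed = parse_policy(SAMPLE_POLICY)
    print('policy for', header)
    for syscall, reason in audit(parsed):
        print(f'  review {syscall}: {reason}')
```

Run it as `python3 audit_systrace.py` against the sample, or call `audit_text(open('/etc/systrace/<policy>').read())` on a real file. On the sample it reports the constructed `execve` permit and the two wildcard rules (`connect` to any host on port 53, `fsread` under `/lib/*`); the `eq` and `re` rules pass, which is the shape you want every path- and address-sensitive rule to end up in.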

See SystraceSidecard2 for a daemon script that runs sidecar under systrace.

Other systrace policies may be available at LinuxSystracePolicies. Enjoy.

AlexFerguson - 18 Mar 2003