Systrace Policy for OpenBSD
Note that native-shutdown refers to the shutdown(2) system call, which shuts down part of a full-duplex connection, and not the shutdown command.
If you didn't use the configure line above, you will have to add more native-fsread statements for the extra libraries.
This also assumes that you have dsocks' tor-dns-proxy.py set up to handle DNS requests on 127.0.0.1:53.
Policy: /usr/local/opt/bin/socat, Emulation: native
native-__sysctl: permit
native-issetugid: permit
native-mmap: permit
native-munmap: permit
native-mprotect: permit
native-mquery: permit
native-break: permit
native-write: permit
native-close: permit
native-exit: permit
native-fcntl: permit
native-fsread: filename eq "/etc/malloc.conf" then permit
native-fsread: filename eq "/home/$USER" then deny
native-fsread: filename eq "/home/$USER/." then deny
native-fsread: filename eq "/var/mail/$USER" then deny
native-fsread: filename eq "/var/run/ld.so.hints" then permit
native-fsread: filename eq "/usr/lib" then permit
native-fsread: filename match "/usr/lib/libssl.so.*" then permit
native-fsread: filename match "/usr/lib/libcrypto.so.*" then permit
native-fsread: filename match "/usr/lib/libutil.so.*" then permit
native-fsread: filename match "/usr/lib/libc.so.*" then permit
native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
native-fsread: filename eq "/usr/share/zoneinfo/US/Eastern" then permit
native-fsread: filename eq "/usr/share/zoneinfo/GMT" then permit
native-fsread: filename eq "/usr/share/zoneinfo/posixrules" then permit
native-fsread: filename eq "/etc/resolv.conf" then permit
native-fsread: filename eq "/etc/hosts" then permit
native-fsread: filename eq "/etc/pwd.db" then permit
native-fsread: filename eq "/etc/group" then permit
native-fstat: permit
native-getegid: permit
native-geteuid: permit
native-getgid: permit
native-getpid: permit
native-getppid: permit
native-gettimeofday: permit
native-getsockname: permit
native-getuid: permit
native-sigaction: permit
native-sigprocmask: permit
native-read: permit
native-fsread: filename eq "/" then permit
native-execve: filename eq "/usr/local/opt/bin/socat" and argv eq "/usr/local/bin/irssi" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_STREAM" then permit
native-connect: sockaddr eq "inet-[127.0.0.1]:9050" then permit
native-connect: sockaddr eq "inet-[127.0.0.1]:53" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:6677" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:6777" then permit
native-listen: permit
native-accept: permit
native-getpeername: permit
native-fork: permit
native-chroot: filename eq "/var/empty" then permit
native-wait4: permit
native-wait: permit
native-sigreturn: permit
native-pread: permit
native-setgroups: permit
native-select: permit
native-shutdown: permit
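
The following checker is an added example, not part of the original policy or of systrace itself. It confirms that every native-connect and native-bind permit rule names one exact loopback address and port, so an edit that widens the policy's network reach is caught. The names audit_network_rules and is_loopback are hypothetical, and the sample input is a constructed excerpt of the rules above.

```python
import ipaddress
import re

# Constructed excerpt: the network-related rules copied from the policy above.
SAMPLE_POLICY = """\
Policy: /usr/local/opt/bin/socat, Emulation: native
native-connect: sockaddr eq "inet-[127.0.0.1]:9050" then permit
native-connect: sockaddr eq "inet-[127.0.0.1]:53" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:6677" then permit
native-bind: sockaddr eq "inet-[127.0.0.1]:6777" then permit
native-listen: permit
native-shutdown: permit
"""

# "native-<call>: [<condition> then] permit|deny"
RULE = re.compile(r'^native-(?P<call>\w+):\s*(?:(?P<cond>.+?)\s+then\s+)?(?P<action>permit|deny)\b')
# The only condition accepted as safe: one exact inet address and port.
EXACT = re.compile(r'sockaddr\s+eq\s+"inet-\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"')

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def audit_network_rules(policy_text):
    """Return (endpoints, findings) for permit rules on connect and bind."""
    endpoints, findings = [], []
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        m = RULE.match(line.strip())
        if not m or m["call"] not in ("connect", "bind") or m["action"] != "permit":
            continue
        if m["cond"] is None:
            findings.append((lineno, "unconditional permit for " + m["call"]))
            continue
        exact = EXACT.fullmatch(m["cond"].strip())
        if exact is None:
            findings.append((lineno, "not a single exact sockaddr match, review by hand"))
        elif not is_loopback(exact["ip"]):
            findings.append((lineno, "non-loopback address " + exact["ip"]))
        else:
            endpoints.append((m["call"], exact["ip"], int(exact["port"])))
    return endpoints, findings

if __name__ == "__main__":
    allowed, problems = audit_network_rules(SAMPLE_POLICY)
    print("allowed:", allowed)
    print("findings:", problems)
```

An empty findings list means socat can only reach the local Tor SOCKS port and DNS proxy and can only listen on the two loopback ports.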