burn down the systrace

8 years ago · dfb3f10f6b
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@ -1,4 +1,4 @@
 #	$OpenBSD: Makefile,v 1.421 2016/03/09 16:28:46 deraadt Exp $
 #	$OpenBSD: Makefile,v 1.422 2016/04/25 20:38:10 tedu Exp $

 TZDIR=		/usr/share/zoneinfo
 LOCALTIME=	Canada/Mountain
@ -154,9 +154,6 @@ distribution-etc-root-var: distrib-dirs
 	cd signify; \
 		${INSTALL} -c -o root -g wheel -m 644 *.pub \
 		    ${DESTDIR}/etc/signify
 	cd systrace; \
 		${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \
 		    ${DESTDIR}/etc/systrace; \
 	ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime
 	ln -fs /usr/sbin/rmt ${DESTDIR}/etc/rmt
 	${INSTALL} -c -o root -g wheel -m 644 minfree \
--- a/src/etc/etc.alpha/MAKEDEV.md
+++ b/src/etc/etc.alpha/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,alpha)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.65 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.66 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -74,7 +74,6 @@ _DEV(radio, 59)
 _DEV(rnd, 34)
 _DEV(rmidi, 41)
 _DEV(speak, 40)
 _DEV(systrace, 50)
 _DEV(tun, 7)
 _DEV(tap, 68)
 _DEV(tuner, 58)
--- a/src/etc/etc.amd64/MAKEDEV.md
+++ b/src/etc/etc.amd64/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,amd64)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.64 2016/02/05 06:29:45 uebayasi Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.65 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -85,7 +85,6 @@ _DEV(radio, 76)
 _DEV(rnd, 45)
 _DEV(rmidi, 52)
 _DEV(speak, 27)
 _DEV(systrace, 78)
 _DEV(tun, 40)
 _DEV(tap, 93)
 _DEV(tuner, 49)
--- a/src/etc/etc.armish/MAKEDEV.md
+++ b/src/etc/etc.armish/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,armish)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.35 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.36 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@ -81,7 +81,6 @@ _DEV(rmidi, 57)
 _DEV(tun, 33)
 _DEV(tap, 104)
 _DEV(uk, 28)
 _DEV(systrace, 50)
 _DEV(tuner, 75)
 _DEV(vi, 38)
 _DEV(vscsi, 100)
--- a/src/etc/etc.armv7/MAKEDEV.md
+++ b/src/etc/etc.armv7/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,armv7)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.9 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.10 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@ -82,7 +82,6 @@ _DEV(rmidi, 57)
 _DEV(tun, 33)
 _DEV(tap, 104)
 _DEV(uk, 28)
 _DEV(systrace, 50)
 _DEV(tuner, 75)
 _DEV(vi, 38)
 _DEV(vscsi, 100)
--- a/src/etc/etc.hppa/MAKEDEV.md
+++ b/src/etc/etc.hppa/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,hppa)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.56 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.57 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -69,7 +69,6 @@ _DEV(pdc, 22)
 _DEV(pf, 21)
 _DEV(pppx,57)
 _DEV(rnd, 20)
 _DEV(systrace, 34)
 _DEV(tun, 18)
 _DEV(tap, 59)
 _DEV(uk, 15)
--- a/src/etc/etc.hppa64/MAKEDEV.md
+++ b/src/etc/etc.hppa64/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,hppa64)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.32 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.33 2016/04/25 20:38:10 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -68,7 +68,6 @@ _DEV(pdc, 22)
 _DEV(pf, 21)
 _DEV(pppx,57)
 _DEV(rnd, 20)
 _DEV(systrace, 34)
 _DEV(tun, 18)
 _DEV(tap, 59)
 _DEV(uk, 15)
--- a/src/etc/etc.i386/MAKEDEV.md
+++ b/src/etc/etc.i386/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,i386)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.78 2016/02/05 06:29:45 uebayasi Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.79 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -87,7 +87,6 @@ _DEV(radio, 76)
 _DEV(rnd, 45)
 _DEV(rmidi, 52)
 _DEV(speak, 27)
 _DEV(systrace, 78)
 _DEV(tun, 40)
 _DEV(tap, 94)
 _DEV(tuner, 49)
--- a/src/etc/etc.landisk/MAKEDEV.md
+++ b/src/etc/etc.landisk/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,landisk)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.38 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.39 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@ -82,7 +82,6 @@ _DEV(pppx,102)
 _DEV(radio, 97)
 _DEV(rnd, 40)
 _DEV(rmidi, 57)
 _DEV(systrace, 50)
 _DEV(tun, 33)
 _DEV(tap, 104)
 dnl _DEV(tuner, 75)
--- a/src/etc/etc.loongson/MAKEDEV.md
+++ b/src/etc/etc.loongson/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,loongson)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.22 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.23 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -74,7 +74,6 @@ _DEV(pci, 29)
 _DEV(pf, 31)
 _DEV(pppx, 71)
 _DEV(rnd, 33)
 _DEV(systrace, 50)
 _DEV(tun, 13)
 _DEV(tap, 74)
 _DEV(uk, 32)
--- a/src/etc/etc.luna88k/MAKEDEV.md
+++ b/src/etc/etc.luna88k/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,luna88k)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.26 2015/10/23 15:14:11 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.27 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -105,7 +105,6 @@ _DEV(pcex, 25)
 _DEV(pf, 39)
 _DEV(pppx, 55)
 _DEV(rnd, 40)
 _DEV(systrace, 50)
 _DEV(tun, 23)
 _DEV(tap, 56)
 _DEV(uk, 41)
--- a/src/etc/etc.macppc/MAKEDEV.md
+++ b/src/etc/etc.macppc/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,macppc)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.65 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.66 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -89,7 +89,6 @@ _DEV(pppx, 85)
 _DEV(radio, 76)
 _DEV(rnd, 40)
 _DEV(rmidi, 52)
 _DEV(systrace, 50)
 _DEV(tun, 23)
 _DEV(tap, 86)
 _DEV(tuner, 75)
--- a/src/etc/etc.octeon/MAKEDEV.md
+++ b/src/etc/etc.octeon/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,octeon)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.8 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.9 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -77,7 +77,6 @@ _DEV(pci, 29)
 _DEV(pf, 31)
 _DEV(pppx, 71)
 _DEV(rnd, 33)
 _DEV(systrace, 50)
 _DEV(tun, 13)
 _DEV(tap, 74)
 _DEV(uk, 32)
--- a/src/etc/etc.sgi/MAKEDEV.md
+++ b/src/etc/etc.sgi/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,sgi)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.44 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.45 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -82,7 +82,6 @@ _DEV(pci, 29)
 _DEV(pf, 31)
 _DEV(pppx, 70)
 _DEV(rnd, 33)
 _DEV(systrace, 50)
 _DEV(tun, 13)
 _DEV(tap, 74)
 _DEV(uk, 32)
--- a/src/etc/etc.socppc/MAKEDEV.md
+++ b/src/etc/etc.socppc/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,socppc)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.27 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.28 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -69,7 +69,6 @@ _DEV(pf, 39)
 _DEV(pppx, 83)
 dnl _DEV(radio, 76)
 _DEV(rnd, 40)
 _DEV(systrace, 50)
 _DEV(tun, 23)
 _DEV(tap, 86)
 dnl _DEV(tuner, 75)
--- a/src/etc/etc.sparc/MAKEDEV.md
+++ b/src/etc/etc.sparc/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,sparc)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.56 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.57 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -102,7 +102,6 @@ _DEV(oppr)
 _DEV(pf, 59)
 _DEV(pppx, 130)
 _DEV(rnd, 119)
 _DEV(systrace, 50)
 _DEV(tun, 111)
 _DEV(tap, 132)
 _DEV(uk, 120)
--- a/src/etc/etc.sparc64/MAKEDEV.md
+++ b/src/etc/etc.sparc64/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,sparc64)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.82 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.83 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2006 Todd T. Fries <todd@OpenBSD.org>
@ -120,7 +120,6 @@ _DEV(pf, 73)
 _DEV(pppx, 131)
 _DEV(rmidi, 68)
 _DEV(rnd, 119)
 _DEV(systrace, 50)
 _DEV(tun, 111)
 _DEV(tap, 135)
 _DEV(uk, 60)
--- a/src/etc/etc.zaurus/MAKEDEV.md
+++ b/src/etc/etc.zaurus/MAKEDEV.md
@ -1,6 +1,6 @@
 define(MACHINE,zaurus)dnl
 vers(__file__,
 	{-$OpenBSD: MAKEDEV.md,v 1.41 2015/10/23 15:14:12 claudio Exp $-},
 	{-$OpenBSD: MAKEDEV.md,v 1.42 2016/04/25 20:38:11 tedu Exp $-},
 etc.MACHINE)dnl
 dnl
 dnl Copyright (c) 2001-2004 Todd T. Fries <todd@OpenBSD.org>
@ -77,7 +77,6 @@ _DEV(pppx, 103)
 _DEV(radio, 97)
 _DEV(rnd, 40)
 _DEV(rmidi, 57)
 _DEV(systrace, 50)
 _DEV(tun, 33)
 _DEV(tap, 104)
 _DEV(tuner, 75)
--- a/src/etc/mtree/4.4BSD.dist
+++ b/src/etc/mtree/4.4BSD.dist
@ -1,4 +1,4 @@
 #	$OpenBSD: 4.4BSD.dist,v 1.280 2016/03/09 16:28:46 deraadt Exp $
 #	$OpenBSD: 4.4BSD.dist,v 1.281 2016/04/25 20:38:11 tedu Exp $

 /set type=dir uname=root gname=wheel mode=0755

@ -111,9 +111,6 @@ etc
        ..
    ..

    # ./etc/systrace
    systrace
    ..
 ..

 # ./home
--- a/src/etc/mtree/special
+++ b/src/etc/mtree/special
@ -1,4 +1,4 @@
 #	$OpenBSD: special,v 1.118 2016/04/20 21:14:44 schwarze Exp $
 #	$OpenBSD: special,v 1.119 2016/04/25 20:38:11 tedu Exp $
 #
 # Hand-crafted mtree specification for the dangerous files.
 #
@ -108,8 +108,6 @@ ssh_host_rsa_key	type=file mode=0600 uname=root gname=wheel optional
 ssh_host_rsa_key.pub	type=file mode=0644 uname=root gname=wheel optional
 sshd_config	type=file mode=0644 uname=root gname=wheel
 ..	#ssh
 systrace	type=dir mode=0755 uname=root gname=wheel optional
 ..	#systrace
 syslog.conf	type=file mode=0644 uname=root gname=wheel
 ttys		type=file mode=0644 uname=root gname=wheel
 weekly		type=file mode=0644 uname=root gname=wheel
--- a/src/etc/systrace/usr_sbin_lpd
+++ b/src/etc/systrace/usr_sbin_lpd
@ -1,88 +0,0 @@
 # $OpenBSD: usr_sbin_lpd,v 1.9 2015/09/13 17:08:04 guenther Exp $
 #
 # Policy for lpd.
 # This policy works for the default configuration of lpd.
 #
 Policy: /usr/sbin/lpd, Emulation: native
 	native-accept: permit
 	native-bind: sockaddr eq "/var/run/printer" then permit
 	native-bind: sockaddr eq "inet-[0.0.0.0]:0" then permit
 	native-bind: sockaddr match "inet-*:515" then permit
 	native-break: permit
 	native-chdir: permit
 	native-chmod: filename eq "/var/run/printer" then permit
 	native-chown: filename eq "/var/run/printer" then permit
 	native-close: permit
 	native-connect: sockaddr match "inet-*:53" then permit
 	native-connect: sockaddr sub ":515" then permit
 	native-dup2: permit
 	native-exit: permit
 	native-fchmod: permit
 	native-fcntl: permit
 	native-fork: permit
 	native-fsread: filename eq "/etc/hosts" then permit
 	native-fsread: filename eq "/etc/malloc.conf" then permit
 	native-fsread: filename eq "/etc/printcap" then permit
 	native-fsread: filename eq "/etc/printcap.db" then permit
 	native-fsread: filename eq "/etc/pwd.db" then permit
 	native-fsread: filename eq "/etc/resolv.conf" then permit
 	native-fsread: filename eq "/etc/services" then permit
 	native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
 	native-fsread: filename eq "/usr/libexec/ld.so" then permit
 	native-fsread: filename eq "/var/run/ld.so.hints" then permit
 	native-fsread: filename eq "<non-existent filename>" then deny[enoent]
 	native-fsread: filename match "/usr/lib" then permit
 	native-fsread: filename match "/usr/share/nls" then permit
 	native-fsread: filename match "/usr/share/zoneinfo" then permit
 	native-fsread: filename match "/var/spool/lpd" then permit
 	native-fsread: filename match "/var/spool/output" then permit
 	native-fstat: permit
 	native-fstatfs: permit
 	native-fswrite: filename eq "/dev/console" then permit
 	native-fswrite: filename eq "/dev/null" then permit
 	native-fswrite: filename eq "/var/log/lpd-errs" then permit
 	native-fswrite: filename eq "/var/run/lpd.pid" then permit
 	native-fswrite: filename eq "/var/run/printer" then permit
 	native-fswrite: filename match "/var/spool/lpd/*" then permit
 	native-fswrite: filename match "/var/spool/output/*" then permit
 	native-ftruncate: permit
 	native-getdirentries: permit
 	native-getegid: permit
 	native-getentropy: permit
 	native-geteuid: permit
 	native-getpid: permit
 	native-getsockname: permit
 	native-getsockopt: permit
 	native-gettimeofday: permit
 	native-issetugid: permit
 	native-kbind: permit
 	native-kill: permit
 	native-listen: permit
 	native-lseek: permit
 	native-minherit: permit
 	native-mmap: permit
 	native-mprotect: permit
 	native-mquery: permit
 	native-munmap: permit
 	native-nanosleep: permit
 	native-pread: permit
 	native-read: permit
 	native-recvfrom: permit
 	native-select: permit
 	native-sendsyslog: permit
 	native-sendto: permit
 	native-setegid: gid eq "1" then permit
 	native-seteuid: uid eq "0" then permit
 	native-seteuid: uid eq "1" then permit
 	native-setitimer: permit
 	native-setpgid: permit
 	native-setsid: permit
 	native-setsockopt: permit
 	native-sigaction: permit
 	native-sigprocmask: permit
 	native-sigreturn: permit
 	native-socket: permit
 	native-sysctl: permit
 	native-umask: permit
 	native-wait4: permit
 	native-write: permit