From 128fdc9ce0e44590049f7a2c649b37dd77d21054 Mon Sep 17 00:00:00 2001
From: "B. Watson"
Date: Tue, 4 Jun 2013 17:15:44 -0400
Subject: [PATCH] system/systrace: Added (interactive policy gen. for system calls)
Signed-off-by: dsomero
---
system/systrace/README | 12 +++
system/systrace/slack-desc | 19 ++++
system/systrace/systrace.SlackBuild | 147 ++++++++++++++++++++++++++++
system/systrace/systrace.info | 12 +++
4 files changed, 190 insertions(+)
create mode 100644 system/systrace/README
create mode 100644 system/systrace/slack-desc
create mode 100644 system/systrace/systrace.SlackBuild
create mode 100644 system/systrace/systrace.info
diff --git a/system/systrace/README b/system/systrace/README
new file mode 100644
index 0000000000..ed5bd49364
--- /dev/null
+++ b/system/systrace/README
@@ -0,0 +1,12 @@
+systrace (interactive policy generation for system calls)
+
+Systrace enforces system call policies for applications by constraining
+the application's access to the system. The policy is generated
+interactively. Operations not covered by the policy raise an alarm,
+allowing an user to refine the currently configured policy.
+
+By default, this build includes a GTK+ GUI frontend (gtk-systrace), which
+will be started by systrace as needed. To build without the GUI (e.g. for
+use on headless servers), set GUI=no in the script's environment. In
+this case, you'll have to run systrace with the -t option to prevent it
+trying to start the nonexistant GUI.
diff --git a/system/systrace/slack-desc b/system/systrace/slack-desc
new file mode 100644
index 0000000000..8a7d0f5e45
--- /dev/null
+++ b/system/systrace/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+systrace: systrace (interactive policy generation for system calls)
+systrace:
+systrace: Systrace enforces system call policies for applications by constraining
+systrace: the application's access to the system. The policy is generated
+systrace: interactively. Operations not covered by the policy raise an alarm,
+systrace: allowing an user to refine the currently configured policy.
+systrace:
+systrace:
+systrace:
+systrace:
+systrace:
diff --git a/system/systrace/systrace.SlackBuild b/system/systrace/systrace.SlackBuild
new file mode 100644
index 0000000000..1b6f54ec8a
--- /dev/null
+++ b/system/systrace/systrace.SlackBuild
@@ -0,0 +1,147 @@
+#!/bin/bash
+
+# Slackware build script for systrace
+
+# Written by B. Watson (yalhcru@gmail.com)
+
+# Licensed under the WTFPL. See http://www.wtfpl.net/txt/copying/ for details.
+
+PRGNAM=systrace
+VERSION=${VERSION:-1.6g}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i486 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+## First, systrace itself (backend + textmode UI):
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/$PRGNAM-$VERSION \
+ --build=$ARCH-slackware-linux
+
+# Fix some issues with includes in modern glibc.
+sed -i -e '/in_addr_t/d' -e '/HAVE_SCHED_H/d' config.h
+
+# The regression test's uniq.policy.* are outdated, just disable the test.
+rm -f regress/uniq.policy.*
+
+# Fix the hard-coded path to xsystrace.
+# Right now this isn't 100% necessary, but it might be in future:
+sed -i 's,/usr/X11R6,/usr,' systrace.h
+
+make
+make install-strip DESTDIR=$PKG
+
+gzip $PKG/usr/man/man?/*.?
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a README ChangeLog $PKG/usr/doc/$PRGNAM-$VERSION
+
+mkdir -p $PKG/install
+
+## Now, the GTK frontend, unless disabled with GUI=no
+if [ "${GUI:-yes}" = "yes" ]; then
+ TARDIR=notification-0.1
+ TARVER=2003-06-23
+ GTKPRGNAM="gtk-systrace"
+
+ cd $TMP
+ rm -rf $TARDIR
+ tar xvf $CWD/$GTKPRGNAM-$TARVER.tar.gz
+ cd $TARDIR
+ chown -R root:root .
+ find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+ autoreconf -if
+
+ CFLAGS="$SLKCFLAGS" \
+ CXXFLAGS="$SLKCFLAGS" \
+ ./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --mandir=/usr/man \
+ --docdir=/usr/doc/$PRGNAM-$VERSION/$GTKPRGNAM \
+ --build=$ARCH-slackware-linux
+
+ # Get rid of bad prototypes for strlcpy/strlcat, and make
+ # the pixmaps live in /usr/share/$GTKPRGNAM
+ sed -i \
+ -e '/^unsigned int strl/d' \
+ -e "/PACKAGE_DATA_DIR/s,notification,$GTKPRGNAM," \
+ config.h
+
+ sed -i \
+ -e "/^pkgdatadir/s,notification,$GTKPRGNAM," \
+ Makefile
+
+ make
+ make install-strip DESTDIR=$PKG
+ mv $PKG/usr/bin/notification $PKG/usr/bin/$GTKPRGNAM
+ ln -s $GTKPRGNAM $PKG/usr/bin/xsystrace
+
+ mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/$GTKPRGNAM
+ cp -a AUTHORS COPYING README $PKG/usr/doc/$PRGNAM-$VERSION/$GTKPRGNAM
+ cat $CWD/slack-desc > $PKG/install/slack-desc
+else
+ # remind the user there's no GUI, if it's disabled in the build
+ sed '16s/$/ This package built without GTK GUI, use "systrace -t" for textmode./' \
+ < $CWD/slack-desc > $PKG/install/slack-desc
+fi
+
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
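Review bot: The cleanup block after `set -e` passes `$PKG`, `$TMP`, `$OUTPUT` and `$CWD` to `rm -rf`, `mkdir -p`, `cd` and `tar` unquoted, although `TMP` and `OUTPUT` come from the caller's environment and `CWD` from `$(pwd)`. A value containing whitespace or glob characters is word-split before those commands run, and the `chown -R root:root .` lines suggest the script is meant to run as root. Quote the expansions, e.g. `rm -rf "$PKG"`, `mkdir -p "$TMP" "$PKG" "$OUTPUT"`, `cd "$TMP"`, and likewise in the GUI branch (`cd $TMP`, `rm -rf $TARDIR`) and on the `makepkg` output path. The default `TMP=/tmp/SBo` is also a fixed name under a world-writable directory, so a comment above it such as `# Build as root only with TMP on a path other local users cannot write to` would make that assumption explicit.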
diff --git a/system/systrace/systrace.info b/system/systrace/systrace.info
new file mode 100644
index 0000000000..80b3ed5a84
--- /dev/null
+++ b/system/systrace/systrace.info
@@ -0,0 +1,12 @@
+PRGNAM="systrace"
+VERSION="1.6g"
+HOMEPAGE="http://www.citi.umich.edu/u/provos/systrace/"
+DOWNLOAD="http://www.provos.org/uploads/systrace-1.6g.tar.gz \
+ http://www.citi.umich.edu/u/provos/systrace/gtk-systrace-2003-06-23.tar.gz"
+DOWNLOAD_x86_64=""
+MD5SUM="c4c0af2127af33e1b53c7aa07a970c5a \
+ 4073ae27ec31a6c66e16f134bdd37929"
+MD5SUM_x86_64=""
+REQUIRES="libevent"
+MAINTAINER="B. Watson"
+EMAIL="yalhcru@gmail.com"