I'm beginning to think this is how systrace responds to 'mkdir -p' and 'install -d'. I did a
$ sudo umount /usr/ports/pobj
and tried a test by building the unzip package:
$ cd /usr/ports/archivers/unzip
$ make package
and got:
Code:
===> Faking installation for unzip-6.0p5
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 3283(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
install -c -s -o root -g bin -m 555 unzip funzip unzipsfx /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
install -c -o root -g bin -m 555 unix/zipgrep /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
rm -f /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
ln -sf /usr/local/bin/unzip /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 10058(0)[4291], policy: /usr/bin/env, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
install -c -o root -g bin -m 444 man/funzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/funzip.1
install -c -o root -g bin -m 444 man/unzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzip.1
install -c -o root -g bin -m 444 man/unzipsfx.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzipsfx.1
install -c -o root -g bin -m 444 man/zipgrep.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipgrep.1
install -c -o root -g bin -m 444 man/zipinfo.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipinfo.1
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr/ports
systrace: deny user: root, prog: /usr/bin/install, pid: 1993(0)[5716], policy: /usr/bin/make, filters: 246, syscall: native-fswrite(136), filename: /usr/ports/pobj
cd /usr/ports/pobj/unzip-6.0/unzip60; install -c -o root -g bin -m 444 COPYING.OLD LICENSE README WHERE /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
===> Building package for unzip-6.0p5
Create /usr/ports/packages/i386/all/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/ftp/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/cdrom/unzip-6.0p5.tgz
Which is the same response as with
/usr/ports/pobj mounted on its own partition.
I modified the systrace policy file for the ports system
/usr/ports/infrastructure/db/systrace.filter to include rules for $WRKOBJDIR (which is set to
/usr/ports/pobj in
/etc/mk.conf) then:
$ sudo mount /usr/ports/pobj
$ cd /usr/ports/archivers/unzip
$ make package
and got:
Code:
===> Faking installation for unzip-6.0p5
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
systrace: deny user: root, prog: /usr/bin/install, pid: 24801(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 24801(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
install -c -s -o root -g bin -m 555 unzip funzip unzipsfx /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
install -c -o root -g bin -m 555 unix/zipgrep /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin
rm -f /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
ln -sf /usr/local/bin/unzip /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/bin/zipinfo
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1
systrace: deny user: root, prog: /usr/bin/install, pid: 12752(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 12752(0)[25430], policy: /usr/bin/env, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
install -c -o root -g bin -m 444 man/funzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/funzip.1
install -c -o root -g bin -m 444 man/unzip.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzip.1
install -c -o root -g bin -m 444 man/unzipsfx.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/unzipsfx.1
install -c -o root -g bin -m 444 man/zipgrep.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipgrep.1
install -c -o root -g bin -m 444 man/zipinfo.1 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/man/man1/zipinfo.1
install -d -o root -g bin -m 755 /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
systrace: deny user: root, prog: /usr/bin/install, pid: 20634(0)[7099], policy: /usr/bin/make, filters: 274, syscall: native-fswrite(136), filename: /usr
systrace: deny user: root, prog: /usr/bin/install, pid: 20634(0)[7099], policy: /usr/bin/make, filters: 274, syscall: native-fswrite(136), filename: /usr/ports
cd /usr/ports/pobj/unzip-6.0/unzip60; install -c -o root -g bin -m 444 COPYING.OLD LICENSE README WHERE /usr/ports/pobj/unzip-6.0/fake-i386/usr/local/share/doc/unzip
===> Building package for unzip-6.0p5
Create /usr/ports/packages/i386/all/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/ftp/unzip-6.0p5.tgz
Link to /usr/ports/packages/i386/cdrom/unzip-6.0p5.tgz
Slightly different - no denials on
/usr/ports/pobj, just the two parent directories. The -d option on
install(1) and the -p option on
mkdir(1) seem to trigger systrace.