DaemonForums  

Old 26th April 2016
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,984
systrace(1) is removed for OpenBSD 6.0

The systrace() toolkit was a system call policy implementation tool. A policy of allowed syscalls could be devised and applied to a specific application.

In practice, this was difficult to manage universally because the policy implementation was external to the application. Every application change required a review and revision of the permitted system calls. At one time, there was a central repository of user-suggested policies -- called the "Hairy Eyeball Project" -- but each user had to conduct their own audit, and once the project ceased operations (2004? 2005?), users became completely responsible for their own policy development, and usage waned.

In addition, a carefully crafted application could circumvent systrace() policy enforcement, and when that was discovered and published, the use of systrace() as a security tool ended.

OpenBSD continued to keep systrace() available because it was valuable during port development of 3rd party applications. The ports(7) system had a knob, USE_SYSTRACE, which would enable a standard policy for what any port was allowed to do during building of the application and installing into the ports() fake infrastructure. Generally, that policy would prevent the port from writing to any component of the filesystem outside the ports object tree, or opening network sockets during building.

Was. Had. Would. These policies became unneeded once it was possible for unprivileged users to build a port except for the final pkg_add(1) used during the make install step.

OpenBSD's bulk port building tool dpb(1) has a security model that provides granularity of access, simply by using different unprivileged users for different parts of the build. As an example, there can be a BUILD_USER and a FETCH_USER with different authorizations.

Finally, a much simpler and more deployable system call policy management tool has replaced systrace(): pledge(2).

---

The OpenBSD project works hard to remove facilities which aren't being actively used or maintained. Old code that is retained without constant testing can become a security problem. Removal eliminates that risk.

---

The first of many commits: http://marc.info/?l=openbsd-cvs&m=146161167911029&w=2

Last edited by jggimi; 26th April 2016 at 03:41 PM. Reason: added link