29.5 System Coverage with systrace
Achieving total system coverage with systrace, where no avenue remains in which to execute arbitrary commands or handle user-supplied data, is the ultimate goal for a system protected by systrace. It is best accomplished by performing three actions. The ﬁrst action is to ensure that complete, up-to-date policies have been generated for the applications. It is perhaps best to run the system using systrace -A for a short while to fully exercise applications. The second action is to start any network daemons that are
launched from processes such as /etc/rc using systrace, which requires minor amounts of script editing. The third action is to give users shells wrapped in systrace. Any executable that the users will run will require a policy, as systrace also wraps child processes.
This difﬁcult-to-achieve process requires an in-depth understanding of the system as well as the implications of system calls. For most users, running systrace on their network daemons will sufﬁce.