29.6 Additional Uses for systrace
Beyond application sandbox enforcement, the systrace facility has other uses. These are just now starting to be explored.
29.6.1 Software Testing
One interesting use of systrace is to test the error-handling abilities of various applications. The systrace system can be used to reliably and predictably force failures with various error conditions on a per-system call level. For example, to examine how a process reacts if it is unable to read the conﬁguration ﬁle for malloc, a line such as the following would be integrated into a systrace policy for the process:
native-fsread: filename eq "/etc/malloc.conf" then deny[enoent]
This would return a “ﬁle not found” error for this ﬁle. The application’s handling of this error condition could then be tested to look for graceful handling of the error. Note that denying an application the right to peform a native-exit will force it to abort, which will produce a core dump.
29.6.2 IDS Logging
Another use of systrace is as an intrusion detection logging system. This is best done with the logging of native-exec entries. For example, to enable logging of all ﬁle openings by a network daemon process, the systrace policy for the daemon would include a line like this:
native-fsread: filename eq "*" then permit log
Now every ﬁle opening carried out by the process will be logged by the application. An otherwise complete policy will have to be created for the process as well.