Systrace


Based on functionality created for OpenBSD
Runs on OpenBSD, NetBSD, Mac OS X

All systraced-processes need to be run via the systrace binary

Systrace analyses all system calls and decides if they should be allowed

Can grant capabilites to non-root binaries

Great way to 'sandbox' a program, potential trojan, etc

Systrace can 'learn' what system calls are needed and generate policy

Can block system call and provide you ability to grant or deny