addpredict is one of the commands I hate. There are many reasons for
this. First of all it’s not a real fix, just a hack. If an
addpredict, it usually means the package needs fixing.
Second reason is it’s really difficult to implement and it’s error prone.
ptrace is especially difficult for system calls
that return a file descriptor.
For predict you have to deny access to the system call but still return a valid
file descriptor. To do this we change the string argument of the system call
/dev/null. This is very dangerous because we’re writing to child’s
The only use case we have for
addpredict currently in
Exherbo is spurious
access violations. Thinking about this and after discussing in
decided that adding access violation filters is the easiest and most secure way
to solve this problem. I added two magic commands to sydbox, namely
addfilter takes a
pattern as argument and sydbox doesn’t generate access violations for
paths that match this given pattern. The access to the system call is still
rmfilter also takes a pattern as argument and removes
it from the list of patterns. More than one pattern can be added/removed this way.