Policies for using Systrace under X11.
--------------------------------------

Originally by Dug Song <dugsong@monkey.org>.
Cleaned up by Niels Provos <provos@citi.umich.edu>.

It is suggested to create a xsterm shell script:

#!/bin/sh
exec systrace -d $HOME/.systrace/X11 xterm -rv -bg black $* -e /bin/stsh

Where /bin/stsh, is a wrapper that just executes the right shell.  Something
like this:

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <err.h>

int
main(int argc, char **argv, char **envp)
{
        if (getuid() == 0)
                err(1, "Not allowed for root");

        execve("/bin/ksh", argv, envp);

        err(1, "Execve failed");
}

Configure your window manager to execute /usr/local/bin/xsterm instead
of xterm.  And then have an "Unsecured button" that launches a xterm.  
Configure X resources such that the xterm background is red by default:

e.g. by adding

   XTerm*background: red

to $HOME/.Xdefaults

this will make any terminal that is not launched under systrace (for 
example by the "unsecured button" or other means) red so that it is
easily identified as not beign systraced.


Enjoy,
 Niels.
