author | 2016-04-25 19:24:42 +0000 | |
---|---|---|
committer | 2016-04-25 19:24:42 +0000 | |
commit | b1d599a87097d6bdfa751df89e69c52fa1642977 (patch) | |
tree | 2fcb62f0d6584f825a65a7b2cb78ca1e6289484b | |
parent | remove systrace (diff) | |
remove systrace
-rw-r--r-- | share/man/man4/Makefile | 4 | ||||
-rw-r--r-- | share/man/man4/systrace.4 | 486 | ||||
-rw-r--r-- | share/man/man5/bsd.port.mk.5 | 34 | ||||
-rw-r--r-- | share/man/man7/hier.7 | 8 | ||||
-rw-r--r-- | share/man/man7/ports.7 | 19 | ||||
-rw-r--r-- | share/man/man9/Makefile | 4 | ||||
-rw-r--r-- | share/man/man9/syscall.9 | 21 | ||||
-rw-r--r-- | share/man/man9/systrace.9 | 89 |
8 files changed, 14 insertions, 651 deletions
diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
index b10c316b582..34f243587b3 100644
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.619 2016/04/14 11:28:10 dlg Exp $
+# $OpenBSD: Makefile,v 1.620 2016/04/25 19:24:42 tedu Exp $
 
 MAN= aac.4 ac97.4 acphy.4 \
 	acpi.4 acpiac.4 acpiasus.4 acpibat.4 acpibtn.4 acpicpu.4 acpidock.4 \
@@ -53,7 +53,7 @@ MAN= aac.4 ac97.4 acphy.4 \
 	sf.4 sf2r.4 sfr.4 sili.4 siop.4 sis.4 sk.4 sli.4 \
 	sm.4 smsc.4 softraid.4 spdmem.4 sdtemp.4 speaker.4 sppp.4 sqphy.4 \
 	st.4 ste.4 stge.4 sti.4 \
-	stp.4 sv.4 sym.4 systrace.4 tcic.4 tcp.4 termios.4 tht.4 ti.4 tl.4 \
+	stp.4 sv.4 sym.4 tcic.4 tcp.4 termios.4 tht.4 ti.4 tl.4 \
 	tlphy.4 thmc.4 tqphy.4 trm.4 trunk.4 tsl.4 tty.4 tun.4 tap.4 twe.4 \
 	txp.4 txphy.4 ualea.4 uaudio.4 uark.4 uath.4 ubcmtp.4 uberry.4 ubsa.4 \
 	ubsec.4 \
diff --git a/share/man/man4/systrace.4 b/share/man/man4/systrace.4
deleted file mode 100644
index 0f6b5c5f267..00000000000
--- a/share/man/man4/systrace.4
+++ /dev/null
@@ -1,486 +0,0 @@ -.\" $OpenBSD: systrace.4,v 1.25 2015/11/03 07:39:19 jmc Exp $ -.\" -.\" Copyright (c) 2002, 2003 CubeSoft Communications, Inc. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED -.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -.\" (INCLUDING BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING -.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE -.\" POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: November 3 2015 $ -.Dt SYSTRACE 4 -.Os -.Sh NAME -.Nm systrace -.Nd enforce and generate policies for system calls -.Sh SYNOPSIS -.Cd "pseudo-device systrace" Op Ar count -.Sh DESCRIPTION -.Nm -attaches to processes and enforces policies for system calls. -A pseudo-device, -.Pa /dev/systrace , -allows userland processes to control the behavior of -.Nm -through an -.Xr ioctl 2 -interface. 
-.Sh SYSTEM CALL POLICIES -.Nm -can assign the following policies to system calls: -.Bl -tag -width SYSTR_POLICY_XXXXXX -.It Dv SYSTR_POLICY_ASK -Send a message of the type -.Dv SYSTR_MSG_ASK , -and put the process to sleep until a -.Dv STRIOCANSWER -.Xr ioctl 2 -is made. -.It Dv SYSTR_POLICY_PERMIT -Immediately allow the system call. -.It Dv SYSTR_POLICY_NEVER -Immediately return an error code. -.It Dv SYSTR_POLICY_KILL -Sends -.Dv SIGKILL -to the traced process. -.El -.Sh SYSTRACE MESSAGES -A -.Xr read 2 -operation on the -.Nm -pseudo-device will block if there are no pending messages, or -return the following structure: -.Bd -literal -struct str_message { - int msg_type; -#define SYSTR_MSG_ASK 1 -#define SYSTR_MSG_RES 2 -#define SYSTR_MSG_EMUL 3 -#define SYSTR_MSG_CHILD 4 -#define SYSTR_MSG_UGID 5 -#define SYSTR_MSG_POLICYFREE 6 -#define SYSTR_MSG_EXECVE 7 - pid_t msg_pid; - u_int16_t msg_seqnr; /* answer has to match seqnr */ - short msg_policy; - union { - struct str_msg_emul msg_emul; - struct str_msg_ugid msg_ugid; - struct str_msg_ask msg_ask; - struct str_msg_child msg_child; - struct str_msg_execve msg_execve; - } msg_data; -}; - -struct str_msg_emul { - char emul[SYSTR_EMULEN]; -}; - -struct str_msg_ugid { - uid_t uid; - gid_t gid; -}; - -struct str_msg_execve { - char path[MAXPATHLEN]; -}; - -struct str_msg_ask { - int code; - int argsize; - register_t args[SYSTR_MAXARGS]; - register_t rval[2]; - int result; -}; - -struct str_msg_child { - pid_t new_pid; /* -1 if child exited */ -}; -.Ed -.Pp -These messages are all sent to the userland control process. -.Bl -tag -width SYSTR_MSG_XXXXXXXXXX -.It SYSTR_MSG_ASK -This message is sent whenever the kernel does not have a cached -simple policy for system call number -.Va code -within the currently set emulation. -.It SYSTR_MSG_RES -This message is sent whenever a system call is flagged with -SYSTR_FLAGS_RESULT. -.It SYSTR_MSG_EMUL -This message is sent whenever the emulation of a process changes. 
-.It SYSTR_MSG_CHILD -This message is sent whenever a process gains or loses a child. -In the latter case, the event is raised when the child exits, but -not when it is reaped. -.It SYSTR_MSG_UGID -This message is sent whenever the effective UID or GID has changed -during the execution of a system call. -.It SYSTR_MSG_POLICYFREE -This is sent whenever the kernel frees the policy identified by -.Va msg_policy . -.It SYSTR_MSG_EXECVE -This message is sent whenever, before a call to -.Xr execve 2 -a process is privileged (technically, the process has the PS_SUGID or -PS_SUGIDEXEC flag set), -but after the call these privileges have been dropped. -The new image name is specified in the -.Va path -argument. -.El -.Sh IOCTL INTERFACE -.Nm -supports the following -.Xr ioctl 2 -commands: -.Bl -tag -width Ds -.It Dv STRIOCCLONE Fa "int *" -Return a -.Nm -file descriptor for -further -.Xr ioctl 2 -operations. -The returned -.Nm -file descriptor is not inherited by a child created with -.Xr fork 2 . -Similarly, they cannot be passed across UNIX-domain sockets. -.It Dv STRIOCATTACH Fa "pid_t *" -Attach to a process, unless: -.Bl -enum -compact -width 2n -.It -It's the process that's doing the attaching. -.It -It's a system process. -.It -It's being traced already. -.It -You do not own the process and you're not root. -.It -It's -.Xr init 8 , -and the -kernel was not compiled with -.Cd option INSECURE . -.El -.It Dv STRIOCDETACH Fa "pid_t *" -Wake up a process if it is waiting for an answer, and detach from it. -.It Dv STRIOCANSWER Fa "struct systrace_answer *" -Tell -.Nm -what to do with a system call that was assigned a policy of -.Dv SYSTR_POLICY_ASK . 
-.Bd -literal -struct systrace_answer { - pid_t stra_pid; /* PID of process being traced */ - u_int16_t stra_seqnr; - short reserved; - uid_t stra_seteuid; /* Elevated privileges for syscall */ - uid_t stra_setegid; - int stra_policy; /* Policy to assign */ - int stra_error; /* Return value of denied syscall - (will return EPERM if zero) */ - int stra_flags; -#define SYSTR_FLAGS_RESULT 0x001 /* Report syscall result */ -#define SYSTR_FLAGS_SETEUID 0x002 -#define SYSTR_FLAGS_SETEGID 0x004 -}; -.Ed -.It Dv STRIOCREPORT Fa "pid_t *" -Report the current emulation a process is using inside the -.Vt msg_emul -structure. -.It Dv STRIOCREPLACE Fa "struct systrace_replace *" -Arrange for system call arguments to be replaced by arguments -supplied by the monitoring process. -.Bd -literal -struct systrace_replace { - pid_t strr_pid; - u_int16_t strr_seqnr; - int16_t reserved; - int strr_nrepl; /* # of arguments to replace */ - caddr_t strr_base; /* Base user memory */ - size_t strr_len; /* Length of memory */ - int strr_argind[SYSTR_MAXARGS]; /* Argument indexes */ - size_t strr_off[SYSTR_MAXARGS]; /* Argument offsets */ - size_t strr_offlen[SYSTR_MAXARGS]; /* Argument sizes */ - int32_t strr_flags[SYSTR_MAXARGS]; -}; -.Ed -.It Dv STRIOCIO Fa "struct systrace_io *" -Copy data in/out of the process being traced. -.Bd -literal -struct systrace_io { - pid_t strio_pid; /* PID of process being traced */ - int strio_op; -#define SYSTR_READ 1 -#define SYSTR_WRITE 2 - void *strio_offs; - void *strio_addr; - size_t strio_len; -}; -.Ed -.It Dv STRIOCPOLICY Fa "struct systrace_policy *" -Manipulate the set of policies. 
-.Bd -literal -struct systrace_policy { - int strp_op; -#define SYSTR_POLICY_NEW 1 /* Allocate a new policy */ -#define SYSTR_POLICY_ASSIGN 2 /* Assign policy to process */ -#define SYSTR_POLICY_MODIFY 3 /* Modify an entry */ - int strp_num; - union { - struct { - short code; -#define SYSTR_POLICY_ASK 0 -#define SYSTR_POLICY_PERMIT 1 -#define SYSTR_POLICY_NEVER 2 -#define SYSTR_POLICY_KILL 3 - short policy; - } assign; - pid_t pid; - int maxents; - } strp_data; -#define strp_pid strp_data.pid -#define strp_maxents strp_data.maxents -#define strp_code strp_data.assign.code -#define strp_policy strp_data.assign.policy -}; -.Ed -.Pp -The -.Dv SYSTR_POLICY_NEW -operation allocates a new policy of -.Va strp_maxents -entries with each initialized to -.Dv SYSTR_POLICY_ASK , -and returns the new policy number into -.Va strp_num . -.Pp -The -.Dv SYSTR_POLICY_ASSIGN -operation attaches the policy identified by -.Va strp_num -to -.Va strp_pid , -with a maximum of -.Va strp_maxents -entries. -.Pp -The -.Dv SYSTR_POLICY_MODIFY -operation changes the entry indexed by -.Va strp_code -to -.Va strp_policy . -.It Dv STRIOCGETCWD Fa "struct systrace_getcwd *" -Set the working directory of the calling process -to the directory associated with file descriptor -.Va strgd_atfd -in the process named by -.Va strgd_pid . -If -.Va strgd_atfd -is set to the special value -.Dv AT_FDCWD , -then the current working directory of the named process -is used instead. -.Bd -literal -struct systrace_getcwd { - pid_t strgd_pid; - int strgd_atfd; -}; -.Ed -.It Dv STRIOCRESCWD -Restore the working directory of the current process. -.It Dv STRIOCINJECT Fa "struct systrace_inject *" -Inject a buffer into the stackgap of the traced process. -This accommodates for the manipulation of non-scalar arguments. -The actual replacement is not done until system call time, -and its presence in the stackgap is only guaranteed -for the duration of that system call. 
-.Bd -literal -struct systrace_inject { - /* On return, this contains the stackgap address. */ - caddr_t stri_addr; - size_t stri_len; - pid_t stri_pid; -}; -.Ed -.It Dv STRIOCSCRIPTNAME Fa "struct systrace_scriptname *" -Set the path of executed scripts to -.Va sn_scriptname . -.Bd -literal -struct systrace_scriptname { - pid_t sn_pid; - char sn_scriptname[MAXPATHLEN]; -}; -.Ed -.El -.Sh FILES -.Bl -tag -width "/dev/systrace" -compact -.It Pa /dev/systrace -system call tracing facility -.El -.Sh EXAMPLES -The following is an example program that traces another process, -printing out the path to any -.Xr open 2 -system calls it performs. -.Bd -literal -#include <sys/param.h> -#include <sys/ioctl.h> -#include <dev/systrace.h> - -#include <err.h> -#include <fcntl.h> -#include <stdio.h> -#include <unistd.h> - -/* - * Number of system calls that will be covered in our policy. - */ -#define NSYSCALLS 512 - -int -main(int argc, char *argv[]) -{ - struct systrace_policy strpol; - struct systrace_answer strans; - struct systrace_io strio; - struct str_message strmsg; - int fd, cfd, pid, i; - ssize_t n; - void *p; - char c; - - if ((fd = open("/dev/systrace", O_RDONLY)) == -1) - err(1, "/dev/systrace"); - - /* - * Get a systrace descriptor. - */ - if (ioctl(fd, STRIOCCLONE, &cfd) == -1) - err(1, "STRIOCCLONE"); - close(fd); - - /* Gather the PID of a process to systrace from somewhere. */ - /* ... */ - - if (ioctl(cfd, STRIOCATTACH, &pid) == -1) - err(1, "STRIOCATTACH"); - - /* Install one policy. */ - strpol.strp_op = SYSTR_POLICY_NEW; - strpol.strp_maxents = NSYSCALLS; - - if (ioctl(cfd, STRIOCPOLICY, &strpol) == -1) - err(1, "STRIOCPOLICY NEW"); - - strpol.strp_op = SYSTR_POLICY_ASSIGN; - strpol.strp_pid = pid; - - if (ioctl(cfd, STRIOCPOLICY, &strpol) == -1) - err(1, "STRIOCPOLICY ASSIGN"); - - /* Permit all system calls. 
*/ - for (i = 0; i < NSYSCALLS; i++) { - strpol.strp_op = SYSTR_POLICY_MODIFY; - strpol.strp_code = i; - strpol.strp_policy = SYSTR_POLICY_PERMIT; - - if (ioctl(cfd, STRIOCPOLICY, &strpol) == -1) - err(1, "STRIOCPOLICY MODIFY"); - } - - /* Ask us about open(2) system calls. */ - strpol.strp_op = SYSTR_POLICY_MODIFY; - strpol.strp_code = 5; /* open(2) */ - strpol.strp_policy = SYSTR_POLICY_ASK; - - if (ioctl(cfd, STRIOCPOLICY, &strpol) == -1) - err(1, "STRIOCPOLICY MODIFY"); - - /* - * Now this process just answers requests for the operations the - * traced process performs that we have requested systrace to ask - * us about. - */ - while ((n = read(cfd, &strmsg, sizeof(strmsg))) == - sizeof(strmsg)) { - switch (strmsg.msg_type) { - case SYSTR_MSG_ASK: - /* Print out the path argument to open(2). */ - memcpy(&p, &strmsg.msg_data.msg_ask.args, - sizeof(p)); - printf("open("); - do { - memset(&strio, 0, sizeof(strio)); - strio.strio_pid = strmsg.msg_pid; - strio.strio_op = SYSTR_READ; - strio.strio_offs = p; - strio.strio_addr = &c; - strio.strio_len = 1; - - if (ioctl(cfd, STRIOCIO, &strio) == -1) - err(1, "STRIOCIO"); - putchar(c); - (unsigned char *)p += sizeof(char); - } while (c != '\e0'); - printf(")\en"); - - memset(&strans, 0, sizeof(strans)); - strans.stra_pid = strmsg.msg_pid; - strans.stra_seqnr = strmsg.msg_seqnr; - strans.stra_policy = SYSTR_POLICY_PERMIT; - - if (ioctl(cfd, STRIOCANSWER, &strans) == -1) - err(1, "STRIOCANSWER"); - break; - } - } - if (n == -1) - err(1, "read"); - close(cfd); - exit(0); -} -.Ed -.Sh SEE ALSO -.Xr systrace 1 , -.Xr ioctl 2 , -.Xr read 2 , -.Xr options 4 , -.Xr securelevel 7 -.Sh HISTORY -The -.Nm -facility first appeared in -.Ox 3.2 . -.\" .Sh BUGS -.Sh CAVEATS -When creating new policies, if -.Va strp_maxents -is not large enough to accommodate any system calls needed for -fundamental process operations, the traced process will block forever. 
diff --git a/share/man/man5/bsd.port.mk.5 b/share/man/man5/bsd.port.mk.5 index bb797a7be98..b520f932636 100644 --- a/share/man/man5/bsd.port.mk.5 +++ b/share/man/man5/bsd.port.mk.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bsd.port.mk.5,v 1.434 2016/03/22 16:02:02 naddy Exp $ +.\" $OpenBSD: bsd.port.mk.5,v 1.435 2016/04/25 19:24:42 tedu Exp $ .\" .\" Copyright (c) 2000-2008 Marc Espie .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 22 2016 $ +.Dd $Mdocdate: April 25 2016 $ .Dt BSD.PORT.MK 5 .Os .Sh NAME @@ -2074,8 +2074,6 @@ It should be left alone for ports with empty regression tests, and for ports with failing tests. That way, if a subsequent update of a port acquires actual regression tests, they will be picked up automatically. -.It Ev NO_SYSTRACE -Port does not build with systrace-enabled build targets. .It Ev OLD_WRKDIR_NAME Base name for .Ev WRKDIR @@ -2784,25 +2782,6 @@ from which defaults to .Pa /etc . Passed to gnu configure scripts and substituted in PLISTs. -.It Ev SYSTRACE_FILTER -Location of the systrace filter file which is the basis for a port's -actual systrace policy file. -Defaults to -.Pa ${PORTSDIR}/infrastructure/db/systrace.filter . -.It Ev SYSTRACE_FILTER_CCACHE -Location of the supplementary systrace filter file which is used when -.Ev USE_CCACHE -is enabled. -Defaults to -.Pa ${PORTSDIR}/infrastructure/db/systrace.filter.ccache . -.It Ev SYSTRACE_SUBST_VARS -List of variables used in ${SYSTRACE_FILTER} that will be substituted -by their real value when creating the systrace policy file. -Always holds -.Ev WRKOBJDIR , -.Ev PORTSDIR , -and -.Ev DISTDIR . .It Ev TAR Name of the tar binary. .It Ev TARGETS 
@@ -2936,11 +2915,6 @@ and not intended to be a user setting. See .Ev WRKOBJDIR_MFS for configuration. -.It Ev USE_SYSTRACE -User settings. -Set to -.Sq Yes -to protect port building with systrace. .It Ev USE_X11 Normally, presence of ${X11BASE} is enforced by default for building ports. But there is an experimental way to hook the xenocara build into @@ -3310,10 +3284,6 @@ Extra directory used to store local ports before committing them. All depend targets will normally look there after the normal lookup fails. See .Ev PORTSDIR_PATH . -.It Pa systrace.filter -List of additional port specific filters, included automatically. -.It Pa systrace.policy -List of additional port specific policies, included automatically. .El .Sh THE FAKE FRAMEWORK The diff --git a/share/man/man7/hier.7 b/share/man/man7/hier.7 index d57028dd440..7822780dd15 100644 --- a/share/man/man7/hier.7 +++ b/share/man/man7/hier.7 @@ -1,4 +1,4 @@ -.\" $OpenBSD: hier.7,v 1.151 2016/03/02 13:02:11 sthen Exp $ +.\" $OpenBSD: hier.7,v 1.152 2016/04/25 19:24:42 tedu Exp $ .\" $NetBSD: hier.7,v 1.7 1994/11/30 19:07:10 jtc Exp $ .\" .\" Copyright (c) 1990, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)hier.7 8.1 (Berkeley) 6/5/93 .\" -.Dd $Mdocdate: March 2 2016 $ +.Dd $Mdocdate: April 25 2016 $ .Dt HIER 7 .Os .Sh NAME @@ -145,10 +145,6 @@ and .It ssl/ OpenSSL configuration files (see .Xr openssl 1 ) . -.It systrace/ -Sample -.Xr systrace 1 -policies. .El .It /home/ Default location for user home directories. diff --git a/share/man/man7/ports.7 b/share/man/man7/ports.7 index e410ef9555e..54ec6e031e2 100644 --- a/share/man/man7/ports.7 +++ b/share/man/man7/ports.7 
@@ -23,10 +23,10 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ports.7,v 1.108 2016/04/07 20:43:50 tb Exp $ +.\" $OpenBSD: ports.7,v 1.109 2016/04/25 19:24:42 tedu Exp $ .\" $FreeBSD: ports.7,v 1.7 1998/06/23 04:38:50 hoek Exp $ .\" -.Dd $Mdocdate: April 7 2016 $ +.Dd $Mdocdate: April 25 2016 $ .Dt PORTS 7 .Os .Sh NAME @@ -681,19 +681,6 @@ If defined, display verbose output when applying each patch. If defined, only operate on a port if it requires interaction. .It Ev BATCH If defined, only operate on a port if it can be installed 100% automatically. -.It Ev USE_SYSTRACE -Set to -.Dv Yes -to protect the -.Cm configure , build , -and -.Cm fake -targets with -.Xr systrace 1 . -This way it is ensured that ports do not make any network connections -during build or write outside some well defined directories. -The filter list is stored in -.Pa ${PORTSDIR}/infrastructure/db/systrace.filter . .El .Sh USING A READ-ONLY PORTS TREE Select read-write partition(s) that can accommodate working directories, the @@ -723,8 +710,6 @@ The ports main engine. Network configuration defaults. .It Pa /usr/ports/infrastructure/db/network.conf Local network configuration. -.It Pa /usr/ports/infrastructure/db/systrace.filter -Filter list for systrace. .It Pa /usr/ports/infrastructure/db/user.list List of users and groups created by ports. .El diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile index f93215863e5..0edc0122a93 100644 --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.275 2016/04/03 06:43:59 jsg Exp $ +# $OpenBSD: Makefile,v 1.276 2016/04/25 19:24:42 tedu Exp $ # $NetBSD: Makefile,v 1.4 1996/01/09 03:23:01 thorpej Exp $ # Makefile for section 9 (kernel function and variable) manual pages. 
@@ -30,7 +30,7 @@ MAN= aml_evalnode.9 atomic_add_int.9 atomic_cas_uint.9 \ rssadapt.9 route.9 rt_ifa_add.9 rt_timer_add.9 rtalloc.9 rtable_add.9 \ rtlabel_id2name.9 rtrequest.9 rwlock.9 SipHash24.9 sensor_attach.9 \ spl.9 srp_enter.9 srpl_rc_init.9 startuphook_establish.9 \ - socreate.9 sosplice.9 style.9 syscall.9 systrace.9 sysctl_int.9 \ + socreate.9 sosplice.9 style.9 syscall.9 sysctl_int.9 \ task_add.9 tc_init.9 time_second.9 timeout.9 tsleep.9 tvtohz.9 \ uiomove.9 uvm.9 usbd_close_pipe.9 usbd_open_pipe.9 usbd_transfer.9 \ vfs.9 vfs_busy.9 \ diff --git a/share/man/man9/syscall.9 b/share/man/man9/syscall.9 index 0cd21950d55..6a20b052e5c 100644 --- a/share/man/man9/syscall.9 +++ b/share/man/man9/syscall.9 @@ -1,4 +1,4 @@ -.\" $OpenBSD: syscall.9,v 1.12 2016/03/02 15:04:20 naddy Exp $ +.\" $OpenBSD: syscall.9,v 1.13 2016/04/25 19:24:42 tedu Exp $ .\" .\" Copyright (c) 2003 Michael Shalayeff .\" @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd $Mdocdate: March 2 2016 $ +.Dd $Mdocdate: April 25 2016 $ .Dt SYSCALL 9 .Os .Sh NAME @@ -130,12 +130,7 @@ else if (KTRPOINT(p, KTR_SYSCALL)) ktrsyscall(p, code, argsize, args); #endif -#if NSYSTRACE > 0 - if (ISSET(p->p_flag, P_SYSTRACE)) - error = systrace_redirect(code, p, args, rval); - else -#endif - error = (*callp->sy_call)(p, args, rval); + error = (*callp->sy_call)(p, args, rval); switch (error) { case 0: @@ -188,12 +183,6 @@ For the portions of the code refer to the .Xr ktrace 9 document for further explanations. -.Dq NSYSTRACE -is a system call tracing facility and is explained in the -.Xr systrace 9 -and -.Xr systrace 4 -documents. .Ss Debugging For debugging purposes the line .Pp @@ -247,10 +236,8 @@ Machine-independent syscall entry end return handling. .Sh SEE ALSO .Xr ktrace 2 , .Xr syscall 2 , -.Xr systrace 4 , .Xr ktrace 9 , -.Xr sysctl_int 9 , -.Xr systrace 9 +.Xr sysctl_int 9 .Sh HISTORY The .Nm 
diff --git a/share/man/man9/systrace.9 b/share/man/man9/systrace.9 deleted file mode 100644 index 51dc34df74f..00000000000 --- a/share/man/man9/systrace.9 +++ /dev/null 
@@ -1,89 +0,0 @@ -.\" $OpenBSD: systrace.9,v 1.9 2015/11/23 17:53:57 jmc Exp $ -.\" -.\" Copyright (c) 2003 Michael Shalayeff -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd $Mdocdate: November 23 2015 $ -.Dt SYSTRACE_REDIRECT 9 -.Os -.Sh NAME -.Nm systrace_redirect , -.Nm systrace_fork , -.Nm systrace_exit -.Nd enforce policies for system calls -.Sh SYNOPSIS -.In dev/systrace.h -.Ft int -.Fn systrace_redirect "int code" "struct proc *p" "void *args" "register_t *retval" -.Ft void -.Fn systrace_fork "struct proc *oldproc" "struct proc *p" -.Ft void -.Fn systrace_exit "struct proc *p" -.Sh DESCRIPTION -These functions are used to enforce policy on the system calls as described in -.Xr systrace 1 . 
-.Pp -.Fn systrace_redirect -should be used to perform a system call number -.Fa code -with arguments -.Fa args -for the process -.Fa p . -The result is then put into the -.Fa retval -pointer. -A typical code sequence would be: -.Bd -literal -offset indent -#include "systrace.h" - -\&... - -#if NSYSTRACE > 0 - if (ISSET(p->p_flag, P_SYSTRACE)) - error = systrace_redirect(code, p, args, rval); - else -#endif - error = (*callp->sy_call)(p, args, rval); -.Ed -.Pp -.Fn systrace_fork -is called from the -.Xr fork1 9 -function to inherit policy for the child process. -.Pp -.Fn systrace_exit -is called during the death cycle of the process to -detach the policy from the exiting process. -.Sh CODE REFERENCES -A subsystem for enforcing system call policies is implemented in -.Pa sys/dev/systrace.c . -.Sh SEE ALSO -.Xr systrace 1 , -.Xr systrace 4 , -.Xr syscall 9 -.Sh HISTORY -The -.Nm -section manual page appeared in -.Ox 3.4 . |