diff options
| author |   itojun <itojun@openbsd.org> | 2002-10-09 03:52:10 +0000 |
|---|---|---|
| committer | itojun <itojun@openbsd.org> | 2002-10-09 03:52:10 +0000 |
| commit | 7498c5fc93ac82bff5bc14461ed17d575129a31c (patch) | |
| tree | c59c8af486f8a2270dcb095809ff40572f0b243a /bin/systrace/systrace.c | |
| parent | new message to track uid/gid changes (diff) | |
| download | wireguard-openbsd-7498c5fc93ac82bff5bc14461ed17d575129a31c.tar.xz wireguard-openbsd-7498c5fc93ac82bff5bc14461ed17d575129a31c.zip | |
predicates are part of the grammar now; in non-root case, predicates are
evaluated only once; in root case, predicates and variable expansion are
dynamic.
from provos
Diffstat (limited to 'bin/systrace/systrace.c')
| -rw-r--r-- | bin/systrace/systrace.c | 57 |
1 files changed, 42 insertions, 15 deletions
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c index 7f8002abcca..8913ce7fe79 100644 --- a/bin/systrace/systrace.c +++ b/bin/systrace/systrace.c @@ -1,4 +1,4 @@ -/* $OpenBSD: systrace.c,v 1.36 2002/10/08 03:13:23 itojun Exp $ */ +/* $OpenBSD: systrace.c,v 1.37 2002/10/09 03:52:10 itojun Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * All rights reserved. @@ -44,6 +44,7 @@ #include <string.h> #include <err.h> #include <errno.h> +#include <pwd.h> #include "intercept.h" #include "systrace.h" @@ -57,13 +58,36 @@ int automatic = 0; /* Do not run interactively */ int allow = 0; /* Allow all and generate */ int userpolicy = 1; /* Permit user defined policies */ int noalias = 0; /* Do not do system call aliasing */ -char *username = NULL; /* Username in automatic mode */ -char cwd[MAXPATHLEN]; /* Current working directory of process */ +int iamroot = 0; /* Set if we are running as root */ +char cwd[MAXPATHLEN]; /* Current working directory */ +char home[MAXPATHLEN]; /* Home directory of user */ +char username[MAXLOGNAME]; /* Username: predicate match and expansion */ static void child_handler(int); static void usage(void); static int requestor_start(char *); +void +systrace_parameters(void) +{ + struct passwd *pw; + uid_t uid = getuid(); + + iamroot = getuid() == 0; + + /* Find out current username. */ + if ((pw = getpwuid(uid)) == NULL) + snprintf(username, sizeof(username), "uid %u", uid); + else + snprintf(username, sizeof(username), "%s", pw->pw_name); + + strlcpy(home, pw->pw_dir, sizeof(home)); + + /* Determine current working directory for filtering */ + if (getcwd(cwd, sizeof(cwd)) == NULL) + err(1, "getcwd"); +} + /* * Generate human readable output and setup replacements if available. */ @@ -150,7 +174,7 @@ trans_cb(int fd, pid_t pid, int policynr, if ((pflq = systrace_policyflq(policy, emulation, name)) == NULL) errx(1, "%s:%d: no filter queue", __func__, __LINE__); - action = filter_evaluate(tls, pflq, &ipid->uflags); + action = filter_evaluate(tls, pflq, ipid); if (action != ICPOLICY_ASK) goto replace; @@ -177,7 +201,7 @@ trans_cb(int fd, pid_t pid, int policynr, alias->aemul, alias->aname)) == NULL) errx(1, "%s:%d: no filter queue", __func__, __LINE__); - action = filter_evaluate(tls, pflq, &ipid->uflags); + action = filter_evaluate(tls, pflq, ipid); if (action != ICPOLICY_ASK) goto replace; @@ -193,7 +217,7 @@ trans_cb(int fd, pid_t pid, int policynr, } action = filter_ask(fd, tls, pflq, policynr, emulation, name, - output, &future, &ipid->uflags); + output, &future, ipid); if (future != ICPOLICY_ASK) filter_modifypolicy(fd, policynr, emulation, name, future); @@ -218,7 +242,7 @@ trans_cb(int fd, pid_t pid, int policynr, if (log) syslog(LOG_WARNING, "%s user: %s, prog: %s", action < ICPOLICY_NEVER ? "permit" : "deny", - username, output); + ipid->username, output); return (action); } @@ -230,6 +254,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code, char output[_POSIX2_LINE_MAX]; struct policy *policy; struct intercept_pid *ipid; + struct filterq *pflq = NULL; short action = ICPOLICY_PERMIT; short future; int len, off, log = 0; @@ -255,6 +280,13 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code, if (len > 0) snprintf(output + off, len, ", args: %d", argsize); + if ((pflq = systrace_policyflq(policy, emulation, name)) == NULL) + errx(1, "%s:%d: no filter queue", __func__, __LINE__); + + action = filter_evaluate(NULL, pflq, ipid); + if (action != ICPOLICY_ASK) + goto out; + if (policy->flags & POLICY_UNSUPERVISED) { action = ICPOLICY_NEVER; log = 1; @@ -262,7 +294,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code, } action = filter_ask(fd, NULL, NULL, policynr, emulation, name, - output, &future, &ipid->uflags); + output, &future, ipid); if (future != ICPOLICY_ASK) systrace_modifypolicy(fd, policynr, name, future); @@ -277,7 +309,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code, if (log) syslog(LOG_WARNING, "%s user: %s, prog: %s", action < ICPOLICY_NEVER ? "permit" : "deny", - username, output); + ipid->username, output); return (action); } @@ -470,12 +502,7 @@ main(int argc, char **argv) if (argc == 0 || (pidattach && *argv[0] != '/')) usage(); - /* Username for automatic mode, and policy predicates */ - username = uid_to_name(getuid()); - - /* Determine current working directory for filtering */ - if (getcwd(cwd, sizeof(cwd)) == NULL) - err(1, "getcwd"); + systrace_parameters(); /* Local initalization */ systrace_initalias(); |