author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-12-09 07:22:54 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-12-09 07:22:54 +0000 |
commit | 29b323982871faf2e7d4f49b6709cd1324d2980c (patch) | |
tree | 518013fe03311fa8b7bcc95aeea09bc2b3d77772 | |
parent | bae2c518211f5874eed77d153d060b47942171bd (diff) |
prevent the use of permit for aliases. from provos
-rw-r--r-- | bin/systrace/filter.c | 20 | ||||
-rw-r--r-- | bin/systrace/intercept.c | 17 | ||||
-rw-r--r-- | bin/systrace/intercept.h | 4 | ||||
-rw-r--r-- | bin/systrace/policy.c | 17 |
4 files changed, 49 insertions, 9 deletions
diff --git a/bin/systrace/filter.c b/bin/systrace/filter.c
index 6525083f1db..3401ae1da38 100644
--- a/bin/systrace/filter.c
+++ b/bin/systrace/filter.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: filter.c,v 1.22 2002/11/15 22:33:27 itojun Exp $	*/
+/*	$OpenBSD: filter.c,v 1.23 2002/12/09 07:22:52 itojun Exp $	*/
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -472,14 +472,17 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
     char *output, short *pfuture, struct intercept_pid *icpid)
 {
 	char line[2*MAXPATHLEN], *p;
+	char compose[2*MAXPATHLEN];
 	struct filter *filter;
 	struct policy *policy;
 	short action;
-	int first = 1;
+	int first = 1, isalias;
 
 	*pfuture = ICPOLICY_ASK;
 	icpid->uflags = 0;
 
+	isalias = systrace_find_reverse(emulation, name) != NULL;
+
 	if ((policy = systrace_findpolnr(policynr)) == NULL)
 		errx(1, "%s:%d: no policy %d", __func__, __LINE__, policynr);
 
@@ -489,8 +492,7 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
 	/* Automatically allow */
 	if (tls != NULL) {
 		struct intercept_translate *tl;
-		char compose[2*MAXPATHLEN], *l;
-		char *lst = NULL;
+		char *l, *lst = NULL;
 		int set = 0;
 
 		/* Explicitly match every component */
@@ -591,7 +593,15 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
 		if (filter_parse_simple(line, &action, pfuture) != -1) {
 			if (*pfuture == ICPOLICY_ASK)
 				goto out;
-			break;
+			/* We have a policy decision */
+			if (!isalias)
+				break;
+
+			/* No in-kernel policy for aliases */
+			strlcpy(compose, line, sizeof(compose));
+
+			/* Change into userland rule */
+			snprintf(line, sizeof(line), "true then %s", compose);
 		}
 
 		if (fls == NULL) {
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 2775407a283..a2076cf1d4c 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
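Review bot: The new alias branch in the third hunk says what it does but not why a kernel fast-path decision must not be installed for an alias, which is the security property this commit exists to protect. `/* No in-kernel policy for aliases */` would serve the next reader better as `/* An alias has no syscall number of its own; a kernel fast-path decision would be keyed on the underlying syscall and skip the userland argument matching that defines the alias, so keep this decision in userland. */` — confirm that wording against the alias mechanism, since systrace_find_reverse() and the policy installation path are outside this hunk. The `emulation` and `name` consumed by the new isalias lookup, like `policynr`, are presumably parameters on the signature line just above the hunk, which is not shown. The rewritten `line` now carries a userland rule whose handling continues below the hunk; filter_ask() starts and ends outside it.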
@@ -1,4 +1,4 @@
-/*	$OpenBSD: intercept.c,v 1.36 2002/11/26 03:48:07 itojun Exp $	*/
+/*	$OpenBSD: intercept.c,v 1.37 2002/12/09 07:22:53 itojun Exp $	*/
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -873,3 +873,18 @@ intercept_ugid(struct intercept_pid *icpid, uid_t uid, gid_t gid)
 	icpid->uid = uid;
 	icpid->gid = gid;
 }
+
+/*
+ * Checks if the given emulation has a certain system call.
+ * This is a very slow function.
+ */
+
+int
+intercept_isvalidsystemcall(char *emulation, char *name)
+{
+	int res;
+
+	res = intercept.getsyscallnumber(emulation, name);
+
+	return (res != -1);
+}
diff --git a/bin/systrace/intercept.h b/bin/systrace/intercept.h
index e0d4101ea82..f6f38c69761 100644
--- a/bin/systrace/intercept.h
+++ b/bin/systrace/intercept.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: intercept.h,v 1.14 2002/11/26 03:48:07 itojun Exp $	*/
+/*	$OpenBSD: intercept.h,v 1.15 2002/12/09 07:22:53 itojun Exp $	*/
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -190,4 +190,6 @@ void intercept_syscall_result(int, pid_t, u_int16_t, int, const char *, int,
 void intercept_ugid(struct intercept_pid *, uid_t, gid_t);
 void intercept_setpid(struct intercept_pid *, uid_t, gid_t);
 
+int intercept_isvalidsystemcall(char *, char *);
+
 #endif /* _INTERCEPT_H_ */
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 2488d3c7b82..fbdb57e22d7 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: policy.c,v 1.21 2002/10/09 03:52:10 itojun Exp $	*/
+/*	$OpenBSD: policy.c,v 1.22 2002/12/09 07:22:53 itojun Exp $	*/
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -522,7 +522,7 @@ systrace_policyprocess(struct policy *policy, char *p)
 	char *name, *emulation, *rule;
 	struct filter *filter, *parsed;
 	short action, future;
-	int resolved = 0, res;
+	int resolved = 0, res, isvalid;
 
 	/* Delay predicate evaluation if we are root */
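Review bot: intercept_isvalidsystemcall() only reads its two strings, so it should take `const char *emulation, const char *name` (with the prototype in intercept.h changed to match), which lets policy and filter code pass const names without casts; whether that is possible without a cast depends on the `getsyscallnumber` callback's own signature, which is declared outside this hunk. The header comment says the function is very slow but not what result convention it relies on: `return (res != -1)` hard-codes -1 as the callback's not-found value, and the comment should say so, e.g. `/* Wraps the backend's getsyscallnumber(), which returns -1 for an unknown name; the lookup is slow, so call this at policy-load time rather than per intercepted event. */`. The `intercept` struct that supplies the callback is not visible here.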
@@ -536,6 +536,9 @@ systrace_policyprocess(struct policy *policy, char *p)
 	name = strsep(&p, ":");
 	if (p == NULL || *p != ' ')
 		return (-1);
+
+	isvalid = intercept_isvalidsystemcall(emulation, name);
+
 	p++;
 	rule = p;
 
@@ -551,6 +554,16 @@ systrace_policyprocess(struct policy *policy, char *p)
 	} else if (filter_parse_simple(rule, &action, &future) == 0)
 		resolved = 1;
 
+	/* For now, everything that does not seem to be a valid syscall * does not get fast kernel policies even though the aliasing * system supports it. */
+	if (resolved && !isvalid) {
+		resolved = 0;
+		snprintf(line, sizeof(line), "true then %s", rule);
+		rule = line;
+	}
+
 	/* If the simple parser did not match, try real parser */
 	if (!resolved) {
 		if (parse_filter(rule, &parsed) == -1)
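Review bot: The `isvalid` lookup in the first hunk runs for every policy line, but its result is only consulted when `resolved` is set, and intercept.c's own comment calls the lookup very slow; folding it into the test, `if (resolved && !intercept_isvalidsystemcall(emulation, name)) {`, evaluates it only for simple rules and lets the `isvalid` local go. There is also a predicate mismatch worth a comment: filter.c demotes a rule when the name is an alias, while this hunk demotes it when the name is not a real syscall, so a misspelled syscall name in a policy file is silently turned into a userland rule that can never fire rather than being reported — fail-safe, but it hides typos, so either warn here or note it in the comment, e.g. `/* Unknown names (aliases or typos) stay userland rules; a typo is not an error here. */`; whether parse_filter() later rejects unknown names is outside the hunk. The `line` buffer that `rule` is redirected to is declared outside the hunk, and snprintf truncation is unchecked, which is harmless only because a resolved rule is a short keyword; systrace_policyprocess() starts and ends outside this hunk.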