author | Niels Provos <provos@cvs.openbsd.org> | 2002-06-04 20:13:20 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2002-06-04 20:13:20 +0000 |
commit | fd96d52ef86ed4ddd35308b053812515f45bb9d4 (patch) | |
tree | 09d31359d8b854f2a05287e11afea9de5f41d3ad | |
parent | c8a0b1b77378512152d042659d38ce01c722fae9 (diff) |
add flag to ignore user specified policies
-rw-r--r-- | bin/systrace/policy.c | 18 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 6 | ||||
-rw-r--r-- | bin/systrace/systrace.c | 8 |
3 files changed, 22 insertions, 10 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 951623bad32..6fd08493356 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.3 2002/06/04 19:15:54 deraadt Exp $ */
+/* $OpenBSD: policy.c,v 1.4 2002/06/04 20:13:19 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -260,12 +260,18 @@ systrace_policyfilename(char *dirname, char *name)
 int
 systrace_addpolicy(char *name)
 {
-	char *file;
+	char *file = NULL;
+	extern int userpolicy;
+
+	if (userpolicy) {
+		file = systrace_policyfilename(policydir, name);
+		/* Check if the user policy file exists */
+		if (file != NULL && access(file, R_OK) == -1)
+			file = NULL;
+	}
 
-	if ((file = systrace_policyfilename(policydir, name)) == NULL)
-		return (-1);
-	/* Check if the user policy file exists */
-	if (access(file, R_OK) == -1) {
+	/* Read global policy */
+	if (file == NULL) {
 		file = systrace_policyfilename(POLICY_PATH, name);
 		if (file == NULL)
 			return (-1);
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 6d3620eba4d..430fd9be3de 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.3 2002/06/04 19:52:47 todd Exp $
+.\" $OpenBSD: systrace.1,v 1.4 2002/06/04 20:13:19 provos Exp $
 .\"
 .\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
 .\" All rights reserved.
@@ -38,7 +38,7 @@
 .Nd generates and enforces system call policies
 .Sh SYNOPSIS
 .Nm systrace
-.Op Fl ait
+.Op Fl aitU
 .Op Fl g Ar gui
 .Op Fl f Ar file
 .Ar command ...
@@ -59,6 +59,8 @@ not covered by policy is denied.
 Uses text mode to ask for interactive policy generation.
 .It Fl i
 Inherits the policy of the first executed binary to all children.
+.It Fl U
+Ignore user configured policies and use only global system policies.
 .It Fl g Ar gui
 Specifies an alternative location for the notification user interface.
 .It Fl f Ar file
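Review bot: `extern int userpolicy;` is declared at block scope inside systrace_addpolicy instead of in a header shared with systrace.c, so nothing checks this declaration against the definition `int userpolicy = 1;` added in the systrace.c hunk `@@ -49,6 +49,7 @@`; declare it once in the common header and drop the function-local extern. The new fallback keeps the old silent behaviour: a user policy that exists but fails `access(file, R_OK)` is discarded without any diagnostic and the global policy is used instead, which is worth stating in the comment, e.g. `/* Read global policy: no user policy, user policies disabled (-U), or user policy unreadable */`. The body of systrace_addpolicy continues outside the hunk.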
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index 37671b5f1e4..6c9a32800c7 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.7 2002/06/04 19:58:46 provos Exp $ */
+/* $OpenBSD: systrace.c,v 1.8 2002/06/04 20:13:19 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -49,6 +49,7 @@
 int fd;
 int connected = 0;		/* Connected to GUI */
 int inherit = 0;		/* Inherit policy to childs */
 int automatic = 0;		/* Do not run interactively */
+int userpolicy = 1;		/* Permit user defined policies */
 
 short trans_cb(int fd, pid_t pid, int policynr,
@@ -386,7 +387,7 @@ main(int argc, char **argv)
 	char *guipath = _PATH_XSYSTRACE;
 	int usex11 = 1;
 
-	while ((c = getopt(argc, argv, "aitg:f:")) != -1) {
+	while ((c = getopt(argc, argv, "aitUg:f:")) != -1) {
 		switch (c) {
 		case 'a':
 			automatic = 1;
@@ -403,6 +404,9 @@ main(int argc, char **argv)
 		case 't':
 			usex11 = 0;
 			break;
+		case 'U':
+			userpolicy = 0;
+			break;
 		default:
 			usage();
 			break;
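Review bot: The new `case 'U':` in main() and the `"aitUg:f:"` getopt string are not matched by any change to usage(), which the `default:` branch calls and which lives outside the hunk; if usage() prints the option list it presumably still shows `[-ait]` and should be updated to `[-aitU]` in step with the manual page in this commit. The comment on the new global could also name where the flag is consumed, e.g. `/* Permit user defined policies (cleared by -U, read in policy.c) */`. main() starts and ends outside the hunk.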