authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-10-16 15:01:09 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-10-16 15:01:09 +0000
commit53b5fc5bded7381e9b2c1867c9ac08b7d77b944f (patch)
tree27171f6bdd77dd43fb3237b94729e02800c7fb4d /bin/systrace/parse.y
parente0a16d26d6e3fd1b83b87e2e312caed5b59a3258 (diff)
support for privilege elevation.
With privilege elevation, no suid or sgid binaries are necessary any longer. Applications can be executed completely unprivileged. Systrace raises the privileges for a single system call depending on the configured policy. Idea from discussions with Perry Metzger, Dug Song and Marcus Watts. From provos.
Diffstat (limited to 'bin/systrace/parse.y')
-rw-r--r--bin/systrace/parse.y113
1 files changed, 78 insertions, 35 deletions
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index b18c3204293..c7fcd90aeb5 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.10 2002/10/09 03:52:10 itojun Exp $ */
+/* $OpenBSD: parse.y,v 1.11 2002/10/16 15:01:08 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -61,11 +61,13 @@ int errors = 0;
struct filter *myfilter;
extern char *mystring;
extern int myoff;
+extern int iamroot;
%}
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
-%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL
+%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
+%token COLON
%token <string> STRING
%token <string> CMDSTRING
%token <number> NUMBER
@@ -74,18 +76,24 @@ extern int myoff;
%type <action> action
%type <number> typeoff
%type <number> logcode
+%type <uid> uid
+%type <gid> gid
%type <string> errorcode
%type <predicate> predicate
+%type <elevate> elevate;
%union {
int number;
char *string;
short action;
struct logic *logic;
struct predicate predicate;
+ struct elevate elevate;
+ uid_t uid;
+ gid_t gid;
}
%%
-fullexpression : expression THEN action errorcode logcode predicate
+fullexpression : expression THEN action errorcode logcode elevate predicate
{
int flags = 0, errorcode = SYSTRACE_EPERM;
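Review bot: The new `%type <elevate> elevate;` line ends with a semicolon while every neighbouring `%type` declaration does not, so the declaration block is no longer written consistently; drop it: `%type <elevate> elevate`. The fullexpression action body begins at the end of this hunk and continues outside it, so the rest of its handling of `$6` is not visible here.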
@@ -124,7 +132,8 @@ fullexpression : expression THEN action errorcode logcode predicate
myfilter->match_action = $3;
myfilter->match_error = errorcode;
myfilter->match_flags = flags;
- myfilter->match_predicate = $6;
+ myfilter->match_predicate = $7;
+ myfilter->elevate = $6;
}
;
@@ -148,56 +157,91 @@ logcode : /* Empty */
}
;
-predicate : /* Empty */
+
+uid: STRING
{
- memset(&$$, 0, sizeof($$));
+ struct passwd *pw;
+ if ((pw = getpwnam($1)) == NULL) {
+ yyerror("Unknown user %s", $1);
+ break;
+ }
+
+ $$ = pw->pw_uid;
}
- | COMMA IF USER EQUAL STRING
+
+gid: STRING
{
- struct passwd *pw;
+ struct group *gr;
+ if ((gr = getgrnam($1)) == NULL) {
+ yyerror("Unknown group %s", $1);
+ break;
+ }
+ $$ = gr->gr_gid;
+}
+
+elevate: /* Empty */
+{
memset(&$$, 0, sizeof($$));
- if ((pw = getpwnam($5)) == NULL) {
- yyerror("Unknown user %s", $5);
+}
+ | AS uid
+{
+ if (!iamroot) {
+ yyerror("Privilege elevation not allowed.");
break;
}
- $$.p_uid = pw->pw_uid;
- $$.p_flags = PREDIC_UID;
+
+ $$.e_flags = ELEVATE_UID;
+ $$.e_uid = $2;
}
- | COMMA IF USER NEQUAL STRING
+ | AS uid COLON gid
{
- struct passwd *pw;
+ if (!iamroot) {
+ yyerror("Privilege elevation not allowed.");
+ break;
+ }
- memset(&$$, 0, sizeof($$));
- if ((pw = getpwnam($5)) == NULL) {
- yyerror("Unknown user %s", $5);
+ $$.e_flags = ELEVATE_UID|ELEVATE_GID;
+ $$.e_uid = $2;
+ $$.e_gid = $4;
+}
+ | AS COLON gid
+{
+ if (!iamroot) {
+ yyerror("Privilege elevation not allowed.");
break;
}
- $$.p_uid = pw->pw_uid;
+
+ $$.e_flags = ELEVATE_GID;
+ $$.e_gid = $3;
+}
+
+predicate : /* Empty */
+{
+ memset(&$$, 0, sizeof($$));
+}
+ | COMMA IF USER EQUAL uid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_uid = $5;
+ $$.p_flags = PREDIC_UID;
+}
+ | COMMA IF USER NEQUAL uid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_uid = $5;
$$.p_flags = PREDIC_UID | PREDIC_NEGATIVE;
}
- | COMMA IF GROUP EQUAL STRING
+ | COMMA IF GROUP EQUAL gid
{
- struct group *gr;
-
memset(&$$, 0, sizeof($$));
- if ((gr = getgrnam($5)) == NULL) {
- yyerror("Unknown group %s", $5);
- break;
- }
- $$.p_gid = gr->gr_gid;
+ $$.p_gid = $5;
$$.p_flags = PREDIC_GID;
}
- | COMMA IF GROUP NEQUAL STRING
+ | COMMA IF GROUP NEQUAL gid
{
- struct group *gr;
-
memset(&$$, 0, sizeof($$));
- if ((gr = getgrnam($5)) == NULL) {
- yyerror("Unknown group %s", $5);
- break;
- }
- $$.p_gid = gr->gr_gid;
+ $$.p_gid = $5;
$$.p_flags = PREDIC_GID | PREDIC_NEGATIVE;
}
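Review bot: The three `AS` alternatives of `elevate` never zero `$$` before the `if (!iamroot)` check, so after `yyerror("Privilege elevation not allowed.")` the `break` leaves `$$` (including `e_flags`) holding whatever was on the value stack, and the `AS uid` and `AS COLON gid` forms also leave `e_gid` and `e_uid` respectively unset on the success path; only the empty alternative does `memset(&$$, 0, sizeof($$))`. The fullexpression action copies that value into `myfilter->elevate = $6` unconditionally, so if the caller keeps the filter after a parse error (not visible in this hunk) a stale `e_flags` could request an elevation that was just rejected. Make `memset(&$$, 0, sizeof($$));` the first statement of each of the three `AS` alternatives, matching the empty alternative. The same unset-`$$`-after-`break` pattern exists in the new `uid` and `gid` rules after their `yyerror` calls.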
@@ -361,7 +405,6 @@ struct logic *
parse_newsymbol(char *type, int typeoff, char *data)
{
struct logic *node;
- int iamroot = getuid() == 0;
node = calloc(1, sizeof(struct logic));