author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-10-16 15:01:09 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-10-16 15:01:09 +0000 |
commit | 53b5fc5bded7381e9b2c1867c9ac08b7d77b944f (patch) | |
tree | 27171f6bdd77dd43fb3237b94729e02800c7fb4d /bin/systrace/parse.y | |
parent | e0a16d26d6e3fd1b83b87e2e312caed5b59a3258 (diff) |
support for privilege elevation.
With privilege elevation, no suid or sgid binaries are necessary any
longer. Applications can be executed completely
unprivileged. Systrace raises the privileges for a single system call
depending on the configured policy.
Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
from provos
Diffstat (limited to 'bin/systrace/parse.y')
-rw-r--r-- | bin/systrace/parse.y | 113 |
1 files changed, 78 insertions, 35 deletions
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index b18c3204293..c7fcd90aeb5 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.10 2002/10/09 03:52:10 itojun Exp $ */
+/* $OpenBSD: parse.y,v 1.11 2002/10/16 15:01:08 itojun Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -61,11 +61,13 @@ int errors = 0;
 struct filter *myfilter;
 extern char *mystring;
 extern int myoff;
+extern int iamroot;
 %}
 %token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
-%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL
+%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
+%token COLON
 %token <string> STRING
 %token <string> CMDSTRING
 %token <number> NUMBER
@@ -74,18 +76,24 @@ extern int myoff;
 %type <action> action
 %type <number> typeoff
 %type <number> logcode
+%type <uid> uid
+%type <gid> gid
 %type <string> errorcode
 %type <predicate> predicate
+%type <elevate> elevate;
 %union {
 	int number;
 	char *string;
 	short action;
 	struct logic *logic;
 	struct predicate predicate;
+	struct elevate elevate;
+	uid_t uid;
+	gid_t gid;
 }
 %%
-fullexpression : expression THEN action errorcode logcode predicate
+fullexpression : expression THEN action errorcode logcode elevate predicate
 {
 	int flags = 0, errorcode = SYSTRACE_EPERM;
@@ -124,7 +132,8 @@ fullexpression : expression THEN action errorcode logcode predicate
 	myfilter->match_action = $3;
 	myfilter->match_error = errorcode;
 	myfilter->match_flags = flags;
-	myfilter->match_predicate = $6;
+	myfilter->match_predicate = $7;
+	myfilter->elevate = $6;
 }
 ;
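Review bot: `%type <elevate> elevate;` in the hunk at -74 carries a trailing semicolon that none of the neighbouring `%type` declarations have; yacc presumably tolerates it since the change was committed, but it reads as a typo and should be `%type <elevate> elevate` for consistency. The renumbering of `$6`/`$7` in the hunk at -124 matches the new `elevate predicate` tail of the `fullexpression` rule, but that rule's action body starts and ends outside the visible hunk lines, so only the two assignment lines could be checked here.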
@@ -148,56 +157,91 @@ logcode : /* Empty */
 }
 ;
-predicate : /* Empty */
+
+uid: STRING
 {
-	memset(&$$, 0, sizeof($$));
+	struct passwd *pw;
+	if ((pw = getpwnam($1)) == NULL) {
+		yyerror("Unknown user %s", $1);
+		break;
+	}
+
+	$$ = pw->pw_uid;
 }
-	| COMMA IF USER EQUAL STRING
+
+gid: STRING
 {
-	struct passwd *pw;
+	struct group *gr;
+	if ((gr = getgrnam($1)) == NULL) {
+		yyerror("Unknown group %s", $1);
+		break;
+	}
+	$$ = gr->gr_gid;
+}
+
+elevate: /* Empty */
+{
 	memset(&$$, 0, sizeof($$));
-	if ((pw = getpwnam($5)) == NULL) {
-		yyerror("Unknown user %s", $5);
+}
+	| AS uid
+{
+	if (!iamroot) {
+		yyerror("Privilege elevation not allowed.");
 		break;
 	}
-	$$.p_uid = pw->pw_uid;
-	$$.p_flags = PREDIC_UID;
+
+	$$.e_flags = ELEVATE_UID;
+	$$.e_uid = $2;
 }
-	| COMMA IF USER NEQUAL STRING
+	| AS uid COLON gid
 {
-	struct passwd *pw;
+	if (!iamroot) {
+		yyerror("Privilege elevation not allowed.");
+		break;
+	}
-	memset(&$$, 0, sizeof($$));
-	if ((pw = getpwnam($5)) == NULL) {
-		yyerror("Unknown user %s", $5);
+	$$.e_flags = ELEVATE_UID|ELEVATE_GID;
+	$$.e_uid = $2;
+	$$.e_gid = $4;
+}
+	| AS COLON gid
+{
+	if (!iamroot) {
+		yyerror("Privilege elevation not allowed.");
 		break;
 	}
-	$$.p_uid = pw->pw_uid;
+
+	$$.e_flags = ELEVATE_GID;
+	$$.e_gid = $3;
+}
+
+predicate : /* Empty */
+{
+	memset(&$$, 0, sizeof($$));
+}
+	| COMMA IF USER EQUAL uid
+{
+	memset(&$$, 0, sizeof($$));
+	$$.p_uid = $5;
+	$$.p_flags = PREDIC_UID;
+}
+	| COMMA IF USER NEQUAL uid
+{
+	memset(&$$, 0, sizeof($$));
+	$$.p_uid = $5;
 	$$.p_flags = PREDIC_UID | PREDIC_NEGATIVE;
 }
-	| COMMA IF GROUP EQUAL STRING
+	| COMMA IF GROUP EQUAL gid
 {
-	struct group *gr;
-	memset(&$$, 0, sizeof($$));
-	if ((gr = getgrnam($5)) == NULL) {
-		yyerror("Unknown group %s", $5);
-		break;
-	}
-	$$.p_gid = gr->gr_gid;
+	$$.p_gid = $5;
 	$$.p_flags = PREDIC_GID;
 }
-	| COMMA IF GROUP NEQUAL STRING
+	| COMMA IF GROUP NEQUAL gid
 {
-	struct group *gr;
-	memset(&$$, 0, sizeof($$));
-	if ((gr = getgrnam($5)) == NULL) {
-		yyerror("Unknown group %s", $5);
-		break;
-	}
-	$$.p_gid = gr->gr_gid;
+	$$.p_gid = $5;
 	$$.p_flags = PREDIC_GID | PREDIC_NEGATIVE;
 }
@@ -361,7 +405,6 @@ struct logic *
 parse_newsymbol(char *type, int typeoff, char *data)
 {
 	struct logic *node;
-	int iamroot = getuid() == 0;
 	node = calloc(1, sizeof(struct logic));
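Review bot: The `AS uid` and `AS COLON gid` alternatives of the new `elevate` rule assign only the fields named in `e_flags` and never zero `$$`, unlike the empty alternative, so `e_gid` (respectively `e_uid`) is copied into `myfilter->elevate` uninitialized; any consumer that reads a field without first testing `e_flags` would act on stack garbage when deciding which identity to grant. Adding `memset(&$$, 0, sizeof($$));` as the first statement of each of the three non-empty alternatives closes that gap at no cost and matches what the `predicate` alternatives already do. In the `uid` and `gid` rules, a failed `getpwnam`/`getgrnam` leaves `$$` unassigned after the `break`; this is presumably harmless because `yyerror` records the error and the policy is rejected, but it is worth confirming that `errors` is checked before the parsed filter is ever used. The `!iamroot` gate now depends on a global defined outside this file, replacing the per-call `getuid() == 0` removed in the hunk at -361; since an unassigned file-scope `int` is zero, a missing assignment fails closed (elevation denied), which is the right default, but the assignment site should use the real rather than the effective uid.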