author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-09-23 04:41:03 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2002-09-23 04:41:03 +0000 |
commit | 09c0b4866ae6fb7cf0377ed10f227a559c499513 (patch) | |
tree | aabb035a58ca92d373ff168a92200e281a0b6b43 /bin/systrace/policy.c | |
parent | fc3f7ac53fdd251ee68c8bef6cb4ec19870fb7c3 (diff) |
support for templates. they allow fast generation of new policies. an
appropriate template can be inserted during initial policy generation.
from provos
Diffstat (limited to 'bin/systrace/policy.c')
-rw-r--r-- | bin/systrace/policy.c | 155 |
1 files changed, 153 insertions, 2 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 8fb71897fed..e799d785b52 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.19 2002/09/17 05:10:58 itojun Exp $ */
+/* $OpenBSD: policy.c,v 1.20 2002/09/23 04:41:02 itojun Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -33,6 +33,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/tree.h>
+#include <dirent.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <string.h>
@@ -103,6 +104,8 @@ static char policydir[MAXPATHLEN];
 static char *groupnames[NGROUPS_MAX];
 static int ngroups;
 
+struct tmplqueue templates;
+
 void
 systrace_setupdir(char *path)
 {
@@ -159,8 +162,10 @@ systrace_initpolicy(char *file, char *path)
 		}
 	}
 
-	if (userpolicy)
+	if (userpolicy) {
 		systrace_setupdir(path);
+		systrace_templatedir();
+	}
 
 	if (file != NULL)
 		return (systrace_readpolicy(file));
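Review bot: The return value of the new `systrace_templatedir();` call in systrace_initpolicy() is dropped, and the call is made only when userpolicy is set, yet the `templates` queue added in the hunk above is TAILQ_INIT'd only inside systrace_templatedir(); on the !userpolicy path the queue head is never initialized and any later consumer would be relying on zero-filled static storage, which I cannot confirm is sufficient from this view. Adding `TAILQ_INIT(&templates);` in systrace_initpolicy() ahead of the `if (userpolicy) {` would make the queue valid on both paths. If the -1 return is deliberately ignored because templates are optional, `(void)systrace_templatedir();	/* templates are optional */` would make that explicit. systrace_initpolicy() starts before this hunk.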
@@ -323,6 +328,152 @@ systrace_addpolicy(const char *name)
 	return (systrace_readpolicy(file));
 }
 
+/*
+ * Reads policy templates from the template directory.
+ * These policies can be inserted during interactive policy
+ * generation.
+ */
+
+int
+systrace_templatedir(void)
+{
+	char filename[MAXPATHLEN];
+	DIR *dir = NULL;
+	struct stat sb;
+	struct dirent *dp;
+	struct template *template;
+	int off;
+
+	TAILQ_INIT(&templates);
+
+	if (userpolicy) {
+		if (strlcpy(filename, policydir, sizeof(filename)) >=
+		    sizeof(filename))
+			goto error;
+		if (strlcat(filename, "/templates", sizeof(filename)) >=
+		    sizeof(filename))
+			goto error;
+
+		/* Check if template directory exists */
+		if (stat(filename, &sb) != -1 && (sb.st_mode & S_IFDIR))
+			dir = opendir(filename);
+	}
+
+	/* Read global policy */
+	if (dir == NULL) {
+		strlcpy(filename, POLICY_PATH, sizeof(filename));
+		strlcat(filename, "/templates", sizeof(filename));
+		if (stat(filename, &sb) != -1 && (sb.st_mode & S_IFDIR))
+			dir = opendir(filename);
+		if (dir == NULL)
+			return (-1);
+	}
+
+	if (strlcat(filename, "/", sizeof(filename)) >= sizeof(filename))
+		goto error;
+	off = strlen(filename);
+
+	while ((dp = readdir(dir)) != NULL) {
+		filename[off] = '\0';
+		if (strlcat(filename, dp->d_name, sizeof(filename)) >=
+		    sizeof(filename))
+			goto error;
+
+		if (stat(filename, &sb) == -1 || !(sb.st_mode & S_IFREG))
+			continue;
+
+		template = systrace_readtemplate(filename, NULL, NULL);
+		if (template == NULL)
+			continue;
+
+		TAILQ_INSERT_TAIL(&templates, template, next);
+	}
+	closedir(dir);
+
+	return (0);
+
+ error:
+	errx(1, "%s: template name too long", __func__);
+}
+
+struct template *
+systrace_readtemplate(char *filename, struct policy *policy,
+    struct template *template)
+{
+	FILE *fp;
+	char line[_POSIX2_LINE_MAX], *p;
+	char *emulation, *name, *description;
+	int linenumber = 0;
+
+	if ((fp = fopen(filename, "r")) == NULL)
+		return (NULL);
+
+	while (fgets(line, sizeof(line), fp)) {
+		linenumber++;
+
+		if ((p = systrace_policyline(line)) == NULL) {
+			fprintf(stderr, "%s:%d: input line too long.\n",
+			    filename, linenumber);
+			template = NULL;
+			goto out;
+		}
+
+		if (strlen(p) == 0)
+			continue;
+
+		if (!strncasecmp(p, "Template: ", 10)) {
+			p += 10;
+			name = strsep(&p, ",");
+			if (p == NULL)
+				goto error;
+			if (strncasecmp(p, " Emulation: ", 12))
+				goto error;
+			p += 12;
+			emulation = strsep(&p, ", ");
+			if (p == NULL)
+				goto error;
+			if (strncasecmp(p, " Description: ", 14))
+				goto error;
+			p += 14;
+			description = p;
+
+			if (template != NULL)
+				continue;
+
+			template = calloc(1, sizeof(struct template));
+			if (template == NULL)
+				err(1, "calloc");
+
+			template->filename = strdup(filename);
+			template->name = strdup(name);
+			template->emulation = strdup(emulation);
+			template->description = strdup(description);
+
+			if (template->filename == NULL ||
+			    template->name == NULL ||
+			    template->emulation == NULL ||
+			    template->description == NULL)
+				err(1, "strdup");
+
+			continue;
+		}
+
+		if (policy == NULL)
+			return (template);
+
+		if (systrace_policyprocess(policy, p) == -1)
+			goto error;
+	}
+
+ out:
+	fclose(fp);
+	return (template);
+
+ error:
+	fprintf(stderr, "%s:%d: syntax error.\n", filename, linenumber);
+	goto out;
+}
+
 int
 systrace_predicatematch(char *p)
 {
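Review bot: systrace_readtemplate() leaks the open FILE on its `if (policy == NULL) return (template);` exit inside the read loop: that is exactly the path taken for every file systrace_templatedir() scans (it passes policy as NULL), so each template file found leaves a descriptor open for the life of the process, and the fix is `if (policy == NULL) goto out;`. The two failure exits are also inconsistent: the over-long-line path clears template before jumping to out, while the `error:` label returns the caller-supplied template unchanged, so a caller applying a template to a policy cannot distinguish a syntax error from success by the return value; if the intent is to report failure, set `template = NULL;` under `error:` as well (freeing whatever this call allocated). Separately, `sb.st_mode & S_IFDIR` and `& S_IFREG` are bit tests on the multi-bit S_IFMT field rather than type tests (with the conventional encoding a socket passes both), so `S_ISDIR(sb.st_mode)` and `S_ISREG(sb.st_mode)` are the checks to use. systrace_predicatematch() at the end of the hunk continues outside it.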