summaryrefslogtreecommitdiff
path: root/bin/systrace/policy.c
diff options
context:
space:
mode:
authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-09-23 04:41:03 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-09-23 04:41:03 +0000
commit09c0b4866ae6fb7cf0377ed10f227a559c499513 (patch)
treeaabb035a58ca92d373ff168a92200e281a0b6b43 /bin/systrace/policy.c
parentfc3f7ac53fdd251ee68c8bef6cb4ec19870fb7c3 (diff)
support for templates. they allow fast generation of new policies. an
appropriate template can be inserted during initial policy generation. from provos
Diffstat (limited to 'bin/systrace/policy.c')
-rw-r--r--bin/systrace/policy.c155
1 files changed, 153 insertions, 2 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 8fb71897fed..e799d785b52 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.19 2002/09/17 05:10:58 itojun Exp $ */
+/* $OpenBSD: policy.c,v 1.20 2002/09/23 04:41:02 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -33,6 +33,7 @@
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/tree.h>
+#include <dirent.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
@@ -103,6 +104,8 @@ static char policydir[MAXPATHLEN];
static char *groupnames[NGROUPS_MAX];
static int ngroups;
+struct tmplqueue templates;
+
void
systrace_setupdir(char *path)
{
@@ -159,8 +162,10 @@ systrace_initpolicy(char *file, char *path)
}
}
- if (userpolicy)
+ if (userpolicy) {
systrace_setupdir(path);
+ systrace_templatedir();
+ }
if (file != NULL)
return (systrace_readpolicy(file));
@@ -323,6 +328,152 @@ systrace_addpolicy(const char *name)
return (systrace_readpolicy(file));
}
+/*
+ * Reads policy templates from the template directory.
+ * These policies can be inserted during interactive policy
+ * generation.
+ */
+
+int
+systrace_templatedir(void)
+{
+ char filename[MAXPATHLEN];
+ DIR *dir = NULL;
+ struct stat sb;
+ struct dirent *dp;
+ struct template *template;
+ int off;
+
+ TAILQ_INIT(&templates);
+
+ if (userpolicy) {
+ if (strlcpy(filename, policydir, sizeof(filename)) >=
+ sizeof(filename))
+ goto error;
+ if (strlcat(filename, "/templates", sizeof(filename)) >=
+ sizeof(filename))
+ goto error;
+
+ /* Check if template directory exists */
+ if (stat(filename, &sb) != -1 && (sb.st_mode & S_IFDIR))
+ dir = opendir(filename);
+ }
+
+ /* Read global policy */
+ if (dir == NULL) {
+ strlcpy(filename, POLICY_PATH, sizeof(filename));
+ strlcat(filename, "/templates", sizeof(filename));
+ if (stat(filename, &sb) != -1 && (sb.st_mode & S_IFDIR))
+ dir = opendir(filename);
+ if (dir == NULL)
+ return (-1);
+ }
+
+ if (strlcat(filename, "/", sizeof(filename)) >= sizeof(filename))
+ goto error;
+ off = strlen(filename);
+
+ while ((dp = readdir(dir)) != NULL) {
+ filename[off] = '\0';
+ if (strlcat(filename, dp->d_name, sizeof(filename)) >=
+ sizeof(filename))
+ goto error;
+
+ if (stat(filename, &sb) == -1 || !(sb.st_mode & S_IFREG))
+ continue;
+
+ template = systrace_readtemplate(filename, NULL, NULL);
+ if (template == NULL)
+ continue;
+
+ TAILQ_INSERT_TAIL(&templates, template, next);
+ }
+ closedir(dir);
+
+ return (0);
+
+ error:
+ errx(1, "%s: template name too long", __func__);
+}
+
+struct template *
+systrace_readtemplate(char *filename, struct policy *policy,
+ struct template *template)
+{
+ FILE *fp;
+ char line[_POSIX2_LINE_MAX], *p;
+ char *emulation, *name, *description;
+ int linenumber = 0;
+
+ if ((fp = fopen(filename, "r")) == NULL)
+ return (NULL);
+
+ while (fgets(line, sizeof(line), fp)) {
+ linenumber++;
+
+ if ((p = systrace_policyline(line)) == NULL) {
+ fprintf(stderr, "%s:%d: input line too long.\n",
+ filename, linenumber);
+ template = NULL;
+ goto out;
+ }
+
+ if (strlen(p) == 0)
+ continue;
+
+ if (!strncasecmp(p, "Template: ", 10)) {
+ p += 10;
+ name = strsep(&p, ",");
+ if (p == NULL)
+ goto error;
+ if (strncasecmp(p, " Emulation: ", 12))
+ goto error;
+ p += 12;
+ emulation = strsep(&p, ", ");
+ if (p == NULL)
+ goto error;
+ if (strncasecmp(p, " Description: ", 14))
+ goto error;
+ p += 14;
+ description = p;
+
+ if (template != NULL)
+ continue;
+
+ template = calloc(1, sizeof(struct template));
+ if (template == NULL)
+ err(1, "calloc");
+
+ template->filename = strdup(filename);
+ template->name = strdup(name);
+ template->emulation = strdup(emulation);
+ template->description = strdup(description);
+
+ if (template->filename == NULL ||
+ template->name == NULL ||
+ template->emulation == NULL ||
+ template->description == NULL)
+ err(1, "strdup");
+
+ continue;
+ }
+
+ if (policy == NULL)
+ return (template);
+
+ if (systrace_policyprocess(policy, p) == -1)
+ goto error;
+ }
+
+ out:
+ fclose(fp);
+ return (template);
+
+ error:
+ fprintf(stderr, "%s:%d: syntax error.\n", filename, linenumber);
+ goto out;
+}
+
int
systrace_predicatematch(char *p)
{