authorJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-12-09 07:22:54 +0000
committerJun-ichiro itojun Hagino <itojun@cvs.openbsd.org>2002-12-09 07:22:54 +0000
commit29b323982871faf2e7d4f49b6709cd1324d2980c (patch)
tree518013fe03311fa8b7bcc95aeea09bc2b3d77772 /bin/systrace/policy.c
parentbae2c518211f5874eed77d153d060b47942171bd (diff)
prevent the use of permit for aliases. from provos
Diffstat (limited to 'bin/systrace/policy.c')
-rw-r--r--bin/systrace/policy.c17
1 files changed, 15 insertions, 2 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 2488d3c7b82..fbdb57e22d7 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.21 2002/10/09 03:52:10 itojun Exp $ */
+/* $OpenBSD: policy.c,v 1.22 2002/12/09 07:22:53 itojun Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -522,7 +522,7 @@ systrace_policyprocess(struct policy *policy, char *p)
char *name, *emulation, *rule;
struct filter *filter, *parsed;
short action, future;
- int resolved = 0, res;
+ int resolved = 0, res, isvalid;
/* Delay predicate evaluation if we are root */
@@ -536,6 +536,9 @@ systrace_policyprocess(struct policy *policy, char *p)
name = strsep(&p, ":");
if (p == NULL || *p != ' ')
return (-1);
+
+ isvalid = intercept_isvalidsystemcall(emulation, name);
+
p++;
rule = p;
@@ -551,6 +554,16 @@ systrace_policyprocess(struct policy *policy, char *p)
} else if (filter_parse_simple(rule, &action, &future) == 0)
resolved = 1;
+ /* For now, everything that does not seem to be a valid syscall
+ * does not get fast kernel policies even though the aliasing
+ * system supports it.
+ */
+ if (resolved && !isvalid) {
+ resolved = 0;
+ snprintf(line, sizeof(line), "true then %s", rule);
+ rule = line;
+ }
+
/* If the simple parser did not match, try real parser */
if (!resolved) {
if (parse_filter(rule, &parsed) == -1)
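Review bot: The `snprintf` into `line` in the added `resolved && !isvalid` branch ignores its return value, so a rule that no longer fits once `true then ` is prepended is silently truncated before it reaches `parse_filter`. In a policy file a shortened rule may still parse and mean something other than what was written, so it is safer to reject it the way the function already rejects malformed input: `if (snprintf(line, sizeof(line), "true then %s", rule) >= (int)sizeof(line)) return (-1);`. `line` is declared outside the hunk and the branch above is only partly visible; if that branch can leave `rule` pointing into `line`, source and destination would overlap here, which is worth confirming. The body of `systrace_policyprocess` starts and ends outside the hunk.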