authorNiels Provos <provos@cvs.openbsd.org>2002-06-05 20:52:48 +0000
committerNiels Provos <provos@cvs.openbsd.org>2002-06-05 20:52:48 +0000
commitb4968a2c33a5a437e009ad812bceea07762b8c1e (patch)
tree84f6b30f77819b740901fd058266e867eaa1137a /bin/systrace/policy.c
parent114dacee4351bfaaf38db4c543eb37de556a690d (diff)
support simple predicates to prefix rules. Allows global policies to be
different for different users.
Diffstat (limited to 'bin/systrace/policy.c')
-rw-r--r--bin/systrace/policy.c95
1 files changed, 93 insertions, 2 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index c75fb4d6c4d..187be64a906 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.5 2002/06/04 23:05:26 provos Exp $ */
+/* $OpenBSD: policy.c,v 1.6 2002/06/05 20:52:47 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -37,6 +37,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <grp.h>
#include <stdio.h>
#include <fcntl.h>
#include <ctype.h>
@@ -87,7 +88,9 @@ SPLAY_GENERATE(polnrtree, policy, nrnode, polnrcompare);
extern int userpolicy;
-char policydir[MAXPATHLEN];
+static char policydir[MAXPATHLEN];
+static char *groupnames[NGROUPS_MAX];
+static int ngroups;
void
systrace_setupdir(void)
@@ -116,9 +119,25 @@ systrace_setupdir(void)
int
systrace_initpolicy(char *file)
{
+ gid_t groups[NGROUPS_MAX];
+ int i;
+
SPLAY_INIT(&policyroot);
SPLAY_INIT(&polnrroot);
+ /* Find out group names for current user */
+ if ((ngroups = getgroups(NGROUPS_MAX, groups)) == -1)
+ err(1, "getgroups");
+
+ for (i = 0; i < ngroups; i++) {
+ struct group *gr;
+
+ if ((gr = getgrgid(groups[i])) == NULL)
+ err(1, "getgrgid(%d)", groups[i]);
+ if ((groupnames[i] = strdup(gr->gr_name)) == NULL)
+ err(1, "strdup(%s)", gr->gr_name);
+ }
+
if (userpolicy)
systrace_setupdir();
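Review bot: The `err(1, "getgrgid(%d)", groups[i])` call in the new group-resolution loop reports a stale errno, because getgrgid() returning NULL for a gid that has no group entry does not necessarily set errno, and `%d` does not match gid_t; `errx(1, "getgrgid(%lu): no such group", (unsigned long)groups[i])` gives an accurate message. The loop's policy of aborting the tracer on a single unresolvable supplementary gid is a deliberate hard failure and deserves a comment, e.g. `/* Every gid must resolve to a name: an unknown group aborts rather than silently changing what a group predicate matches */`. The groups[] array is sized NGROUPS_MAX and getgroups() is bounded by the same value, so groupnames[] cannot be overrun here. systrace_initpolicy's body continues outside the hunk.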
@@ -283,6 +302,59 @@ systrace_addpolicy(char *name)
}
int
+systrace_predicatematch(char *p)
+{
+ extern char *username;
+ int i, res, neg;
+
+ res = 0;
+ neg = 0;
+
+ if (!strncasecmp(p, "user", 4)) {
+ /* Match against user name */
+ p += 4;
+ p += strspn(p, " \t");
+ if (!strncmp(p, "=", 1)) {
+ p += 1;
+ neg = 0;
+ } else if (!strncmp(p, "!=", 2)) {
+ p += 2;
+ neg = 1;
+ } else
+ return (-1);
+ p += strspn(p, " \t");
+
+ res = (!strcmp(p, username));
+ } else if (!strncasecmp(p, "group", 5)) {
+ /* Match against group list */
+ p += 5;
+ p += strspn(p, " \t");
+ if (!strncmp(p, "=", 1)) {
+ p += 1;
+ neg = 0;
+ } else if (!strncmp(p, "!=", 2)) {
+ p += 2;
+ neg = 1;
+ } else
+ return (-1);
+ p += strspn(p, " \t");
+
+ for (i = 0; i < ngroups; i++) {
+ if (!strcmp(p, groupnames[i])) {
+ res = 1;
+ break;
+ }
+ }
+ } else
+ return (-1);
+
+ if (neg)
+ res = !res;
+
+ return (res);
+}
+
+int
systrace_readpolicy(char *filename)
{
FILE *fp;
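Review bot: The value compared at `res = (!strcmp(p, username));` and in the group loop still carries any whitespace that preceded the comma, since the caller's strsep(&p, ",") leaves it in the predicate; `if user != root , ...` then compares "root " with "root", fails, and the negation turns that failure into a match, so a rule meant to exclude a user applies to that user. Terminating the value at its first blank with `p[strcspn(p, " \t")] = '\0';` placed after each `p += strspn(p, " \t");` that precedes the compare, in both the user and the group branch, closes this (strcspn comes from <string.h>, already included). As a point of style, the `=`/`!=` operator parsing is duplicated verbatim in the two branches and could be one small static helper that advances p and returns the negation flag, or -1 on a bad operator.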
@@ -338,6 +410,25 @@ systrace_readpolicy(char *filename)
policy->flags |= POLICY_DETACHED;
policy = NULL;
continue;
+ } else if (!strncasecmp(p, "if", 2)) {
+ int match;
+ char *predicate;
+
+ /* Process predicates */
+ p += 2;
+ p += strspn(p, " \t");
+ predicate = strsep(&p, ",");
+ if (p == NULL)
+ goto error;
+
+ match = systrace_predicatematch(predicate);
+ if (match == -1)
+ goto error;
+ /* If the predicate does not match skip rule */
+ if (!match)
+ continue;
+
+ p += strspn(p, " \t");
}
emulation = strsep(&p, "-");