author | Niels Provos <provos@cvs.openbsd.org> | 2002-07-16 01:22:49 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2002-07-16 01:22:49 +0000 |
commit | 51f0a9193eb831223c413223c7a880382b37af72 (patch) | |
tree | e592e613664cdb015ce46879c2adf0db7583ad45 /bin/systrace | |
parent | 26e2b293859a559593aded9335120e9e0c1d295e (diff) |
internal uid/gid tracking. permit can not detach systrace, useful for
sshd.
Diffstat (limited to 'bin/systrace')
-rw-r--r-- | bin/systrace/intercept.c | 31 | ||||
-rw-r--r-- | bin/systrace/intercept.h | 13 | ||||
-rw-r--r-- | bin/systrace/parse.y | 6 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 35 | ||||
-rw-r--r-- | bin/systrace/systrace.c | 9 | ||||
-rw-r--r-- | bin/systrace/systrace.h | 3 |
6 files changed, 81 insertions, 16 deletions
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 44c2accf41e..4dcfb126a39 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.c,v 1.15 2002/07/12 12:26:29 provos Exp $ */
+/* $OpenBSD: intercept.c,v 1.16 2002/07/16 01:22:48 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -223,6 +223,7 @@ sigusr1_handler(int signum)
 pid_t
 intercept_run(int bg, int fd, char *path, char *const argv[])
 {
+	struct intercept_pid *icpid;
 	sigset_t none, set, oset;
 	sig_t ohandler;
 	pid_t pid, cpid;
@@ -283,6 +284,14 @@ intercept_run(int bg, int fd, char *path, char *const argv[])
 	/* Choose the pid of the systraced process */
 	pid = bg ? pid : cpid;
 
+	if ((icpid = intercept_getpid(pid)) == NULL)
+		err(1, "intercept_getpid");
+
+	/* Set uid and gid information */
+	icpid->uid = getuid();
+	icpid->gid = getgid();
+	icpid->flags |= ICFLAGS_UIDKNOWN | ICFLAGS_GIDKNOWN;
+
 	/* Setup done, restore signal handling state */
 	if (signal(SIGUSR1, ohandler) == SIG_ERR) {
 		kill(pid, SIGKILL);
@@ -568,6 +577,8 @@ intercept_syscall(int fd, pid_t pid, int policynr, char *name, int code,
 
 		/* We need to know the result from this system call */
 		flags = ICFLAGS_RESULT;
+	} else if (!strcmp(name, "setuid") || !strcmp(name, "setgid")) {
+		flags = ICFLAGS_RESULT;
 	}
 
 	sc = intercept_sccb_find(emulation, name);
@@ -602,12 +613,13 @@ intercept_syscall_result(int fd, pid_t pid, int policynr,
 {
 	struct intercept_pid *icpid;
 
+	if (result)
+		goto out;
+
+	icpid = intercept_getpid(pid);
 	if (!strcmp("execve", name)) {
-		if (result)
-			goto out;
 		/* Commit the name of the new image */
-		icpid = intercept_getpid(pid);
 		if (icpid->name)
 			free(icpid->name);
 		icpid->name = icpid->newname;
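Review bot: In the @@ -283 hunk of intercept_run, `icpid->uid = getuid()` and `icpid->gid = getgid()` record the tracer's own credentials and then set ICFLAGS_UIDKNOWN | ICFLAGS_GIDKNOWN unconditionally, yet when `bg` is set `pid` is a process systrace did not fork (`pid = bg ? pid : cpid`), and its uid/gid need not match the tracer's. If that reading of `bg` is right, the three assignments should be limited to the fork path, e.g. wrapped in `if (!bg) {`, so an attached process stays marked unknown until a setuid/setgid result is observed rather than carrying a wrong identity that later policy decisions might trust. intercept_run continues outside the hunk.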
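Review bot: Only `setuid` and `setgid` are marked ICFLAGS_RESULT in the @@ -568 hunk, so the uid/gid cached in struct intercept_pid stays flagged as known but goes stale once a process changes identity through `setreuid` or `setregid`, which neither this condition nor the result handler in the @@ -617 hunk on the next line intercepts. Either add those names here and handle them in intercept_syscall_result, or clear ICFLAGS_UIDKNOWN/ICFLAGS_GIDKNOWN when one of them completes with result 0, so that a consumer of the flags never trusts a stale value. intercept_syscall continues outside the hunk.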
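Review bot: In the @@ -602 hunk `icpid = intercept_getpid(pid);` now runs for every call that reaches this handler with result 0 and is dereferenced (`icpid->name`) without a NULL check, while intercept_run in this same commit treats a NULL return from intercept_getpid as fatal; execres_cb in the systrace.c hunk (@@ -254) dereferences `ipid->uflags` with the same unchecked pattern. For consistency with intercept_run use `if ((icpid = intercept_getpid(pid)) == NULL)` / `err(1, "%s: intercept_getpid", __func__);` in both places. intercept_syscall_result continues outside the hunk.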
@@ -617,6 +629,12 @@ intercept_syscall_result(int fd, pid_t pid, int policynr,
 			(*intercept_newimagecb)(fd, pid, policynr, emulation,
 			    icpid->name, intercept_newimagecbarg);
+	} else if (!strcmp("setuid", name)) {
+		intercept.getarg(0, args, argsize, (void **)&icpid->uid);
+		icpid->flags |= ICFLAGS_UIDKNOWN;
+	} else if (!strcmp("setgid", name)) {
+		intercept.getarg(0, args, argsize, (void **)&icpid->gid);
+		icpid->flags |= ICFLAGS_GIDKNOWN;
 	}
 out:
 	/* Resume execution of the process */
@@ -677,6 +695,11 @@ intercept_child_info(pid_t opid, pid_t npid)
 			err(1, "%s:%d: strdup", __func__, __LINE__);
 	}
 
+	/* Copy some information */
+	inpid->flags = ipid->flags;
+	inpid->uid = ipid->uid;
+	inpid->gid = ipid->gid;
+
 	/* XXX - keeps track of emulation */
 	intercept.clonepid(ipid, inpid);
 }
diff --git a/bin/systrace/intercept.h b/bin/systrace/intercept.h
index 137ba307c9d..2c1fb96421b 100644
--- a/bin/systrace/intercept.h
+++ b/bin/systrace/intercept.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.h,v 1.6 2002/07/12 12:26:29 provos Exp $ */
+/* $OpenBSD: intercept.h,v 1.7 2002/07/16 01:22:48 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -75,8 +75,15 @@ struct intercept_pid {
 	short policynr;
 	int execve_code;
 	short execve_policy;
-	char *name;
-	char *newname;
+	char *name;		/* name of current process image */
+	char *newname;		/* image name to be committed by execve */
+
+#define ICFLAGS_UIDKNOWN	0x01
+#define ICFLAGS_GIDKNOWN	0x02
+	int flags;
+
+	uid_t uid;		/* current uid */
+	gid_t gid;		/* current gid */
 
 	void *data;
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index d95d47f490d..a7bb313dce6 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.4 2002/06/05 17:22:38 mickey Exp $ */
+/* $OpenBSD: parse.y,v 1.5 2002/07/16 01:22:48 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
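Review bot: `intercept.getarg(0, args, argsize, (void **)&icpid->uid)` in the @@ -617 hunk passes the address of a `uid_t` member as a `void **`; if getarg stores a `void *` through that pointer, as the parameter type suggests (its body is not on the page), the store is pointer-sized and on an LP64 target spills past `uid` into the neighbouring `gid` member, and it is a type-punning access on any target. Reading the argument into a local `void *` and converting it keeps the store inside the member; the `setgid` branch needs the same treatment. intercept_syscall_result starts and ends outside the hunk.
```c
	} else if (!strcmp("setuid", name)) {
		void *arg;

		intercept.getarg(0, args, argsize, &arg);
		icpid->uid = (uid_t)(long)arg;
		icpid->flags |= ICFLAGS_UIDKNOWN;
	} else if (!strcmp("setgid", name)) {
		void *arg;

		intercept.getarg(0, args, argsize, &arg);
		icpid->gid = (gid_t)(long)arg;
		icpid->flags |= ICFLAGS_GIDKNOWN;
	}
```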
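Review bot: In the intercept.h @@ -75 hunk, ICFLAGS_UIDKNOWN and ICFLAGS_GIDKNOWN are `#define`d in the middle of the member list of struct intercept_pid and share the `ICFLAGS_` prefix with ICFLAGS_RESULT, which the @@ -568 hunk of intercept.c uses for the per-call `flags` value rather than for this per-process `int flags` member. Moving the two definitions above the struct and giving them a prefix that names the member they belong to (a constructed example: `ICPID_UIDKNOWN`) would make it clear which `flags` they may be OR'ed into, and a one-line comment on `int flags;` such as `/* ICFLAGS_*KNOWN: which of uid/gid below are valid */` would document the dependency.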
@@ -103,6 +103,10 @@ fullexpression	: expression THEN action errorcode
 				break;
 			if (!strcasecmp($4, "inherit"))
 				flags = PROCESS_INHERIT_POLICY;
+			else if (!strcasecmp($4, "detach"))
+				flags = PROCESS_DETACH;
+			else
+				yyerror("Unknown flag: %s", $4);
 			break;
 		}
 
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index e28abe64c31..741a8e812c0 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.21 2002/07/09 15:22:27 provos Exp $
+.\" $OpenBSD: systrace.1,v 1.22 2002/07/16 01:22:48 provos Exp $
 .\"
 .\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
 .\" All rights reserved.
@@ -63,7 +63,15 @@ Automatically generate a policy that allows every operation the
 application executes.
 The created policy functions as a base that can be refined.
 .It Fl u
-Do not perform aliasing on system call names.
+Do not perform aliasing on system call names. Aliasing is enabled
+by default to group similar system calls into a single compound
+name. For example, system calls that read from the file system
+like
+.Fn lstat
+and
+.Fn access
+are translated to
+.Fn fsread .
 .It Fl i
 Inherits the policy of the first executed binary to all children.
 .It Fl t
@@ -110,16 +118,33 @@ is used to return an
 .Xr errno 2
 value to the system call when using a
 .Va deny
-action. The value
+action. The values
 .Do
 inherit
 .Dc
-has a special meaning when used with a
+and
+.Do
+detach
+.Dc
+have special meanings when used with a
 .Va permit
 rule for the
 .Va execve
 system call.
-In that case, the current policy is inherited for the new binary.
+When using
+.Do
+inherit,
+.Dc
+the current policy is inherited for the new binary.
+With
+.Do
+detach,
+.Dc
+systrace detaches from a process after successfully
+completing
+the
+.Va execve
+system call.
 .Pp
 The filter operations have the following meaning:
 .Bl -hang -width Dinpath -offset AAA
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index cd0b4830a40..a6610531283 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.26 2002/07/12 12:26:29 provos Exp $ */
+/* $OpenBSD: systrace.c,v 1.27 2002/07/16 01:22:48 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -254,10 +254,15 @@ execres_cb(int fd, pid_t pid, int policynr, char *emulation, char *name, void *a
 	if (policynr != -1) {
 		struct intercept_pid *ipid;
 
+		ipid = intercept_getpid(pid);
+		if (ipid->uflags & PROCESS_DETACH) {
+			if (intercept_detach(fd, pid) == -1)
+				err(1, "%s: intercept_detach", __func__);
+			return;
+		}
 		if (inherit)
 			return;
-		ipid = intercept_getpid(pid);
 		if (ipid->uflags & PROCESS_INHERIT_POLICY)
 			return;
 	}
diff --git a/bin/systrace/systrace.h b/bin/systrace/systrace.h
index 423af432b11..b4ed66f0519 100644
--- a/bin/systrace/systrace.h
+++ b/bin/systrace/systrace.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.h,v 1.9 2002/07/14 22:34:55 provos Exp $ */
+/* $OpenBSD: systrace.h,v 1.10 2002/07/16 01:22:48 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -97,6 +97,7 @@ struct policy {
 #define POLICY_CHANGED		0x04
 
 #define PROCESS_INHERIT_POLICY	0x01	/* Process inherits policy */
+#define PROCESS_DETACH		0x02	/* Process gets detached */
 
 int systrace_initpolicy(char *);
 void systrace_initcb(void); |
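Review bot: The PROCESS_DETACH branch in the @@ -254 hunk of execres_cb is the point at which a process leaves systrace's supervision for good, and nothing in the new lines says so or why it is ordered before the `inherit` check. A comment above `if (ipid->uflags & PROCESS_DETACH) {` such as `/* The policy asked us to stop supervising this image; it runs unconfined from here on, so detach before any inherit handling */` would document that decision for the next reader. execres_cb starts and ends outside the hunk.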