authorNiels Provos <provos@cvs.openbsd.org>2002-08-04 04:15:51 +0000
committerNiels Provos <provos@cvs.openbsd.org>2002-08-04 04:15:51 +0000
commit74dbe94aa379dcac6f1418bf359acce1f10db1dd (patch)
tree6a942f52335b2471b91f40525b728465d24b5ece /bin
parentd188110b1d5c38b87d32da7588a3d4cad0fd4f15 (diff)
keep track of ppid and allow matching rules to be logged via syslog.
Diffstat (limited to 'bin')
-rw-r--r--bin/systrace/intercept.c5
-rw-r--r--bin/systrace/intercept.h3
-rw-r--r--bin/systrace/lex.l3
-rw-r--r--bin/systrace/parse.y23
-rw-r--r--bin/systrace/systrace.114
-rw-r--r--bin/systrace/systrace.c57
-rw-r--r--bin/systrace/systrace.h5
7 files changed, 83 insertions, 27 deletions
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 496505c2640..c450fa0ed9c 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.c,v 1.23 2002/08/02 02:26:27 provos Exp $ */
+/* $OpenBSD: intercept.c,v 1.24 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -759,6 +759,9 @@ intercept_child_info(pid_t opid, pid_t npid)
err(1, "%s:%d: strdup", __func__, __LINE__);
}
+ /* Process tree */
+ inpid->ppid = opid;
+
/* Copy some information */
inpid->flags = ipid->flags;
inpid->uid = ipid->uid;
diff --git a/bin/systrace/intercept.h b/bin/systrace/intercept.h
index cbcd21b2eff..fdc7649eac0 100644
--- a/bin/systrace/intercept.h
+++ b/bin/systrace/intercept.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.h,v 1.10 2002/08/01 20:16:45 provos Exp $ */
+/* $OpenBSD: intercept.h,v 1.11 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -75,6 +75,7 @@ struct intercept_system {
struct intercept_pid {
SPLAY_ENTRY(intercept_pid) next;
pid_t pid;
+ pid_t ppid; /* parent pid */
short policynr;
int execve_code;
diff --git a/bin/systrace/lex.l b/bin/systrace/lex.l
index 5200dbe1f31..e09d31df598 100644
--- a/bin/systrace/lex.l
+++ b/bin/systrace/lex.l
@@ -1,4 +1,4 @@
-/* $OpenBSD: lex.l,v 1.8 2002/07/30 05:39:31 itojun Exp $ */
+/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -81,6 +81,7 @@ neq { return NEQ; }
sub { return SUB; }
nsub { return NSUB; }
inpath { return INPATH; }
+log { return LOG; }
true { return TRUE; }
"->" { return THEN; }
\( { return LBRACE; }
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index 3cd0ec25b87..a9f35888c58 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.8 2002/07/30 05:37:21 itojun Exp $ */
+/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -62,7 +62,7 @@ extern int myoff;
%}
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
-%token EQ NEQ TRUE SUB NSUB INPATH
+%token EQ NEQ TRUE SUB NSUB INPATH LOG
%token <string> STRING
%token <string> CMDSTRING
%token <number> NUMBER
@@ -70,6 +70,7 @@ extern int myoff;
%type <logic> symbol
%type <action> action
%type <number> typeoff
+%type <number> logcode
%type <string> errorcode
%union {
int number;
@@ -79,10 +80,7 @@ extern int myoff;
}
%%
-filter : fullexpression
- ;
-
-fullexpression : expression THEN action errorcode
+fullexpression : expression THEN action errorcode logcode
{
int flags = 0, errorcode = SYSTRACE_EPERM;
@@ -106,6 +104,9 @@ fullexpression : expression THEN action errorcode
break;
}
+ if ($5)
+ flags |= SYSCALL_LOG;
+
if ($4 != NULL)
free($4);
@@ -131,6 +132,16 @@ errorcode : /* Empty */
}
;
+logcode : /* Empty */
+{
+ $$ = 0;
+}
+ | LOG
+{
+ $$ = 1;
+}
+;
+
expression : symbol
{
$$ = $1;
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 40894f6de13..32607626b7e 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.25 2002/07/31 00:26:06 itojun Exp $
+.\" $OpenBSD: systrace.1,v 1.26 2002/08/04 04:15:50 provos Exp $
.\"
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
.\" All rights reserved.
@@ -103,7 +103,7 @@ as
.Ss POLICY
The policy is specified via the following grammar:
.Bd -literal -offset AAA
-filter = expression "then" action errorcode
+filter = expression "then" action errorcode logcode
expression = symbol | "not" expression | "(" expression ")" |
expression "and" expression | expression "or" expression
symbol = string typeoff "match" cmdstring |
@@ -113,6 +113,7 @@ symbol = string typeoff "match" cmdstring |
typeoff = /* empty */ | "[" number "]"
action = "permit" | "deny"
errorcode = /* empty */ | "[" string "]"
+logcode = /* empty */ | "log"
.Ed
.Pp
The
@@ -176,6 +177,15 @@ Evaluates to true if the system call argument is a subpath of
.Va cmdstring .
.El
.Pp
+By appending the
+.Va log
+statement to a rule, a matching system call and its arguments
+is logged to
+.Xr syslog 3 .
+This is useful, for example, to log all invocations of the
+.Va execve
+system call.
+.Pp
Policy entries may contain an appended predicate.
Predicates have the following format:
.Bd -literal -offset AAA
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index e85a1693ae5..efe17cb5d5a 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.30 2002/07/30 05:52:50 itojun Exp $ */
+/* $OpenBSD: systrace.c,v 1.31 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -69,7 +69,8 @@ static int requestor_start(char *);
*/
void
-make_output(char *output, size_t outlen, const char *binname, pid_t pid,
+make_output(char *output, size_t outlen, const char *binname,
+ pid_t pid, pid_t ppid,
int policynr, const char *policy, int nfilters, const char *emulation,
const char *name, int code, struct intercept_tlq *tls,
struct intercept_replace *repl)
@@ -79,8 +80,8 @@ make_output(char *output, size_t outlen, const char *binname, pid_t pid,
int size;
snprintf(output, outlen,
- "%s, pid: %d(%d), policy: %s, filters: %d, syscall: %s-%s(%d)",
- binname, pid, policynr, policy, nfilters,
+ "%s, pid: %d(%d)[%d], policy: %s, filters: %d, syscall: %s-%s(%d)",
+ binname, pid, policynr, ppid, policy, nfilters,
emulation, name, code);
p = output + strlen(output);
@@ -88,6 +89,10 @@ make_output(char *output, size_t outlen, const char *binname, pid_t pid,
if (repl != NULL)
intercept_replace_init(repl);
+
+ if (tls == NULL)
+ return;
+
TAILQ_FOREACH(tl, tls, next) {
if (!tl->trans_valid)
break;
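Review bot: The new `if (tls == NULL) return;` makes `tls` an optional argument of make_output, but nothing in the function's header comment (it closes just above the signature hunk earlier in this file) or in the systrace.h prototype says so, and the same holds for the new `ppid` parameter. A reader of the header cannot tell that a NULL `tls` stops after the summary line and skips argument translation, which is what the new gen_cb call with `NULL, NULL` relies on. I would add `/* No translated arguments to append; gen_cb passes NULL */` above the check and extend the header comment with one sentence saying that ppid is printed in square brackets after the policy number and that tls and repl may each be NULL. make_output's body begins and ends outside this hunk.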
@@ -120,6 +125,8 @@ trans_cb(int fd, pid_t pid, int policynr,
struct filterq *pflq = NULL;
const char *binname = NULL;
char output[_POSIX2_LINE_MAX];
+ pid_t ppid;
+ int log = 0;
action = ICPOLICY_PERMIT;
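Review bot: The new local `int log = 0;` carries the same name as the libm function log(), so it shadows it wherever <math.h> is (or later becomes) visible and some compilers' shadow warnings will flag it; the same name is introduced in gen_cb in the later hunk of this file. A name that reads as a flag avoids both, e.g. `int dolog = 0;`, with the matching `dolog = 1;` and `if (dolog)` at the sites that set and test it. trans_cb's body continues beyond both ends of this hunk.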
@@ -133,9 +140,10 @@ trans_cb(int fd, pid_t pid, int policynr,
ipid = intercept_getpid(pid);
ipid->uflags = 0;
binname = ipid->name != NULL ? ipid->name : policy->name;
+ ppid = ipid->ppid;
/* Required to set up replacements */
- make_output(output, sizeof(output), binname, pid, policynr,
+ make_output(output, sizeof(output), binname, pid, ppid, policynr,
policy->name, policy->nfilters, emulation, name, code,
tls, &repl);
@@ -173,14 +181,14 @@ trans_cb(int fd, pid_t pid, int policynr,
if (action != ICPOLICY_ASK)
goto replace;
- make_output(output, sizeof(output), binname, pid, policynr,
- policy->name, policy->nfilters,
+ make_output(output, sizeof(output), binname, pid, ppid,
+ policynr, policy->name, policy->nfilters,
alias->aemul, alias->aname, code, tls, NULL);
}
if (policy->flags & POLICY_UNSUPERVISED) {
action = ICPOLICY_NEVER;
- syslog(LOG_WARNING, "user: %s, prog: %s", username, output);
+ log = 1;
goto out;
}
@@ -198,12 +206,20 @@ trans_cb(int fd, pid_t pid, int policynr,
return (ICPOLICY_NEVER);
}
replace:
+ if (ipid->uflags & SYSCALL_LOG)
+ log = 1;
+
if (action < ICPOLICY_NEVER) {
/* If we can not rewrite the arguments, system call fails */
if (intercept_replace(fd, pid, &repl) == -1)
action = ICPOLICY_NEVER;
}
out:
+ if (log)
+ syslog(LOG_WARNING, "%s user: %s, prog: %s",
+ action < ICPOLICY_NEVER ? "permit" : "deny",
+ username, output);
+
return (action);
}
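Review bot: The `return (ICPOLICY_NEVER);` in the context at the top of this hunk leaves trans_cb without passing through `out:`, so the decision it represents is never written to syslog even when the matching rule carries `log`; every other deny path reaches the new `if (log)` block, so this one looks like an oversight unless it is deliberately silent, in which case a comment such as `/* no syslog: decision already reported to the user */` (with the real reason) would help. Separately, `output` carries translated system-call arguments, and I cannot see from this hunk whether the translation layer escapes control characters; if it does not, a pathname containing a newline would now let any `log`-flagged rule split one syslog record into two, so it is worth confirming that the strings are passed through something like strvis() before they reach syslog. trans_cb begins before this hunk.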
@@ -216,6 +232,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
struct intercept_pid *ipid;
short action = ICPOLICY_PERMIT;
short future;
+ int len, off, log = 0;
if (policynr == -1)
goto out;
@@ -226,14 +243,21 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
ipid = intercept_getpid(pid);
ipid->uflags = 0;
- snprintf(output, sizeof(output),
- "%s, pid: %d(%d), policy: %s, filters: %d, syscall: %s-%s(%d), args: %d",
- ipid->name != NULL ? ipid->name : policy->name, pid, policynr,
- policy->name, policy->nfilters, emulation, name, code, argsize);
+
+ make_output(output, sizeof(output),
+ ipid->name != NULL ? ipid->name : policy->name,
+ pid, ipid->ppid, policynr,
+ policy->name, policy->nfilters, emulation, name, code,
+ NULL, NULL);
+
+ off = strlen(output);
+ len = sizeof(output) - off;
+ if (len > 0)
+ snprintf(output + off, len, ", args: %d", argsize);
if (policy->flags & POLICY_UNSUPERVISED) {
action = ICPOLICY_NEVER;
- syslog(LOG_WARNING, "user: %s, prog: %s", username, output);
+ log = 1;
goto out;
}
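Review bot: `len = sizeof(output) - off;` stores a size_t difference in an `int`, and because `off` comes from strlen() of a NUL-terminated buffer it is at most `sizeof(output) - 1`, so `len` is always at least 1 and the `if (len > 0)` guard never fails; the intent is clearer with unsigned arithmetic and a bound check on the offset. Something like `size_t off = strlen(output);` followed by `if (off < sizeof(output)) snprintf(output + off, sizeof(output) - off, ", args: %d", argsize);` says the same thing without the signed conversion. gen_cb's body continues on both sides of this hunk.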
@@ -247,9 +271,14 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
err(1, "intercept_detach");
} else if (action == ICPOLICY_KILL) {
kill(pid, SIGKILL);
- action = ICPOLICY_NEVER;
+ return (ICPOLICY_NEVER);
}
out:
+ if (log)
+ syslog(LOG_WARNING, "%s user: %s, prog: %s",
+ action < ICPOLICY_NEVER ? "permit" : "deny",
+ username, output);
+
return (action);
}
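Review bot: Changing `action = ICPOLICY_NEVER;` to `return (ICPOLICY_NEVER);` after `kill(pid, SIGKILL)` makes the kill path skip the new `out:` block, so a rule that carries `log` and results in the process being killed produces no syslog entry, while an ordinary deny of the same call would be logged; from this hunk I cannot see any other code between the `}` and `out:` that the early return would need to avoid. If not logging a killed process is intentional it deserves a comment, e.g. `/* process is gone; nothing to report via out: */`; otherwise keep the assignment and fall through to `out:` so the kill is recorded as a deny. gen_cb begins before this hunk.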
diff --git a/bin/systrace/systrace.h b/bin/systrace/systrace.h
index e3bc74d16c1..ae1db702c31 100644
--- a/bin/systrace/systrace.h
+++ b/bin/systrace/systrace.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.h,v 1.12 2002/07/30 06:07:06 itojun Exp $ */
+/* $OpenBSD: systrace.h,v 1.13 2002/08/04 04:15:50 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
* All rights reserved.
@@ -98,6 +98,7 @@ struct policy {
#define PROCESS_INHERIT_POLICY 0x01 /* Process inherits policy */
#define PROCESS_DETACH 0x02 /* Process gets detached */
+#define SYSCALL_LOG 0x04 /* Log this system call */
int systrace_initpolicy(char *);
void systrace_initcb(void);
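Review bot: `SYSCALL_LOG` is placed in the same bit space as `PROCESS_INHERIT_POLICY` and `PROCESS_DETACH`, and trans_cb in this commit tests it against `ipid->uflags`, so all three appear to share one flag word even though the prefixes suggest two unrelated sets; a future `PROCESS_*` value of `0x04` would silently collide. A one-line comment above the group naming the field these bits live in, e.g. `/* Flags stored in intercept_pid.uflags; values must not overlap */`, would make that constraint visible, and if the bits really are separate sets the comment should say which field each belongs to instead.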
@@ -167,7 +168,7 @@ char *uid_to_name(uid_t);
char *strrpl(char *, size_t, char *, char *);
-void make_output(char *, size_t, const char *, pid_t, int,
+void make_output(char *, size_t, const char *, pid_t, pid_t, int,
const char *, int, const char *, const char *, int, struct intercept_tlq *,
struct intercept_replace *);
short trans_cb(int, pid_t, int, const char *, int, const char *, void *,