author | Niels Provos <provos@cvs.openbsd.org> | 2002-08-04 04:15:51 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2002-08-04 04:15:51 +0000 |
commit | 74dbe94aa379dcac6f1418bf359acce1f10db1dd (patch) | |
tree | 6a942f52335b2471b91f40525b728465d24b5ece /bin | |
parent | d188110b1d5c38b87d32da7588a3d4cad0fd4f15 (diff) |
keep track of ppid and allow matching rules to be logged via syslog.
Diffstat (limited to 'bin')
-rw-r--r-- | bin/systrace/intercept.c | 5 | ||||
-rw-r--r-- | bin/systrace/intercept.h | 3 | ||||
-rw-r--r-- | bin/systrace/lex.l | 3 | ||||
-rw-r--r-- | bin/systrace/parse.y | 23 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 14 | ||||
-rw-r--r-- | bin/systrace/systrace.c | 57 | ||||
-rw-r--r-- | bin/systrace/systrace.h | 5 |
7 files changed, 83 insertions, 27 deletions
diff --git a/bin/systrace/intercept.c b/bin/systrace/intercept.c
index 496505c2640..c450fa0ed9c 100644
--- a/bin/systrace/intercept.c
+++ b/bin/systrace/intercept.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.c,v 1.23 2002/08/02 02:26:27 provos Exp $ */
+/* $OpenBSD: intercept.c,v 1.24 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -759,6 +759,9 @@ intercept_child_info(pid_t opid, pid_t npid)
 err(1, "%s:%d: strdup", __func__, __LINE__);
 }
+ /* Process tree */
+ inpid->ppid = opid;
+
 /* Copy some information */
 inpid->flags = ipid->flags;
 inpid->uid = ipid->uid;
diff --git a/bin/systrace/intercept.h b/bin/systrace/intercept.h
index cbcd21b2eff..fdc7649eac0 100644
--- a/bin/systrace/intercept.h
+++ b/bin/systrace/intercept.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: intercept.h,v 1.10 2002/08/01 20:16:45 provos Exp $ */
+/* $OpenBSD: intercept.h,v 1.11 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -75,6 +75,7 @@ struct intercept_system {
 struct intercept_pid {
 SPLAY_ENTRY(intercept_pid) next;
 pid_t pid;
+ pid_t ppid; /* parent pid */
 short policynr;
 int execve_code;
diff --git a/bin/systrace/lex.l b/bin/systrace/lex.l
index 5200dbe1f31..e09d31df598 100644
--- a/bin/systrace/lex.l
+++ b/bin/systrace/lex.l
@@ -1,4 +1,4 @@
-/* $OpenBSD: lex.l,v 1.8 2002/07/30 05:39:31 itojun Exp $ */
+/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -81,6 +81,7 @@ neq { return NEQ; }
 sub { return SUB; }
 nsub { return NSUB; }
 inpath { return INPATH; }
+log { return LOG; }
 true { return TRUE; }
 "->" { return THEN; }
 \( { return LBRACE; }
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index 3cd0ec25b87..a9f35888c58 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
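Review bot: `inpid->ppid = opid;` records a parent only for entries created through intercept_child_info, so the initial traced process keeps whatever value its `intercept_pid` received at allocation; if that allocation is not zeroed (not visible here), make_output's new `[%d]` field prints an indeterminate number for the very first process, which is the one an operator correlates the rest of the tree against. Setting `ppid` explicitly wherever the root entry is created would pin this down, and the new field in intercept.h deserves a fuller comment than `/* parent pid */`, for instance `pid_t ppid; /* parent pid, filled in by intercept_child_info; value for the root process must be set by its creator */`. intercept_child_info begins and ends outside the hunk.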
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.8 2002/07/30 05:37:21 itojun Exp $ */
+/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -62,7 +62,7 @@ extern int myoff;
 %}
 %token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
-%token EQ NEQ TRUE SUB NSUB INPATH
+%token EQ NEQ TRUE SUB NSUB INPATH LOG
 %token <string> STRING
 %token <string> CMDSTRING
 %token <number> NUMBER
@@ -70,6 +70,7 @@ extern int myoff;
 %type <logic> symbol
 %type <action> action
 %type <number> typeoff
+%type <number> logcode
 %type <string> errorcode
 %union {
 int number;
@@ -79,10 +80,7 @@ extern int myoff;
 }
 %%
-filter : fullexpression
- ;
-
-fullexpression : expression THEN action errorcode
+fullexpression : expression THEN action errorcode logcode
 {
 int flags = 0, errorcode = SYSTRACE_EPERM;
@@ -106,6 +104,9 @@ fullexpression : expression THEN action errorcode
 break;
 }
+ if ($5)
+ flags |= SYSCALL_LOG;
+
 if ($4 != NULL)
 free($4);
@@ -131,6 +132,16 @@ errorcode : /* Empty */
 }
 ;
+logcode : /* Empty */
+{
+ $$ = 0;
+}
+ | LOG
+{
+ $$ = 1;
+}
+;
+
 expression : symbol
 {
 $$ = $1;
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 40894f6de13..32607626b7e 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.25 2002/07/31 00:26:06 itojun Exp $
+.\" $OpenBSD: systrace.1,v 1.26 2002/08/04 04:15:50 provos Exp $
 .\"
 .\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
 .\" All rights reserved.
@@ -103,7 +103,7 @@ as
 .Ss POLICY
 The policy is specified via the following grammar:
 .Bd -literal -offset AAA
-filter = expression "then" action errorcode
+filter = expression "then" action errorcode logcode
 expression = symbol | "not" expression | "(" expression ")" |
 expression "and" expression | expression "or" expression
 symbol = string typeoff "match" cmdstring |
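Review bot: Removing `filter : fullexpression ;` in the `@@ -79` hunk makes `fullexpression` the start symbol only through yacc's first-rule default; unless a `%start` directive exists outside these hunks, adding `%start fullexpression` to the declarations section would state the intent and keep the grammar stable if rules are later reordered. The new `logcode` rule carries no comment although its value drives `flags |= SYSCALL_LOG` in the `@@ -106` hunk; a line such as `/* optional trailing "log": 1 requests syslog(3) of matching calls */` above the rule ties the two together for the next reader. The action block of `fullexpression` opens inside the `@@ -79` hunk and closes outside it.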
@@ -113,6 +113,7 @@ symbol = string typeoff "match" cmdstring |
 typeoff = /* empty */ | "[" number "]"
 action = "permit" | "deny"
 errorcode = /* empty */ | "[" string "]"
+logcode = /* empty */ | "log"
 .Ed
 .Pp
 The
@@ -176,6 +177,15 @@ Evaluates to true if the system call argument is a subpath of
 .Va cmdstring .
 .El
 .Pp
+By appending the
+.Va log
+statement to a rule, a matching system call and its arguments
+is logged to
+.Xr syslog 3 .
+This is useful, for example, to log all invocations of the
+.Va execve
+system call.
+.Pp
 Policy entries may contain an appended predicate.
 Predicates have the following format:
 .Bd -literal -offset AAA
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index e85a1693ae5..efe17cb5d5a 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.30 2002/07/30 05:52:50 itojun Exp $ */
+/* $OpenBSD: systrace.c,v 1.31 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -69,7 +69,8 @@ static int requestor_start(char *);
 */
 void
-make_output(char *output, size_t outlen, const char *binname, pid_t pid,
+make_output(char *output, size_t outlen, const char *binname,
+ pid_t pid, pid_t ppid,
 int policynr, const char *policy, int nfilters, const char *emulation, const char *name, int code, struct intercept_tlq *tls, struct intercept_replace *repl)
@@ -79,8 +80,8 @@ make_output(char *output, size_t outlen, const char *binname, pid_t pid,
 int size;
 snprintf(output, outlen,
- "%s, pid: %d(%d), policy: %s, filters: %d, syscall: %s-%s(%d)",
- binname, pid, policynr, policy, nfilters,
+ "%s, pid: %d(%d)[%d], policy: %s, filters: %d, syscall: %s-%s(%d)",
+ binname, pid, policynr, ppid, policy, nfilters,
 emulation, name, code);
 p = output + strlen(output);
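Review bot: The header comment that closes with the `*/` context line above `void make_output(...)` is not updated for the new `ppid` parameter or for the changed line layout, which now reads `pid: <pid>(<policynr>)[<ppid>]`; the next hunk (`@@ -88`) also lets callers pass `tls == NULL` to obtain just that prefix, so both belong in the contract. I would add a sentence saying that `ppid` is the parent recorded in `intercept_pid.ppid`, and that with `tls == NULL` no argument translations are appended and `repl`, if non-NULL, is only initialised. The `%d` conversions assume `pid_t` is `int`, which holds on this platform but is worth a `(int)pid, (int)ppid` cast if the code is meant to stay portable.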
@@ -88,6 +89,10 @@ make_output(char *output, size_t outlen, const char *binname, pid_t pid,
 if (repl != NULL)
 intercept_replace_init(repl);
+
+ if (tls == NULL)
+ return;
+
 TAILQ_FOREACH(tl, tls, next) {
 if (!tl->trans_valid)
 break;
@@ -120,6 +125,8 @@ trans_cb(int fd, pid_t pid, int policynr,
 struct filterq *pflq = NULL;
 const char *binname = NULL;
 char output[_POSIX2_LINE_MAX];
+ pid_t ppid;
+ int log = 0;
 action = ICPOLICY_PERMIT;
@@ -133,9 +140,10 @@ trans_cb(int fd, pid_t pid, int policynr,
 ipid = intercept_getpid(pid);
 ipid->uflags = 0;
 binname = ipid->name != NULL ? ipid->name : policy->name;
+ ppid = ipid->ppid;
 /* Required to set up replacements */
- make_output(output, sizeof(output), binname, pid, policynr,
+ make_output(output, sizeof(output), binname, pid, ppid, policynr,
 policy->name, policy->nfilters, emulation, name, code, tls, &repl);
@@ -173,14 +181,14 @@ trans_cb(int fd, pid_t pid, int policynr,
 if (action != ICPOLICY_ASK)
 goto replace;
- make_output(output, sizeof(output), binname, pid, policynr,
- policy->name, policy->nfilters,
+ make_output(output, sizeof(output), binname, pid, ppid,
+ policynr, policy->name, policy->nfilters,
 alias->aemul, alias->aname, code, tls, NULL);
 }
 if (policy->flags & POLICY_UNSUPERVISED) {
 action = ICPOLICY_NEVER;
- syslog(LOG_WARNING, "user: %s, prog: %s", username, output);
+ log = 1;
 goto out;
 }
@@ -198,12 +206,20 @@ trans_cb(int fd, pid_t pid, int policynr,
 return (ICPOLICY_NEVER);
 }
 replace:
+ if (ipid->uflags & SYSCALL_LOG)
+ log = 1;
+
 if (action < ICPOLICY_NEVER) {
 /* If we can not rewrite the arguments, system call fails */
 if (intercept_replace(fd, pid, &repl) == -1)
 action = ICPOLICY_NEVER;
 }
 out:
+ if (log)
+ syslog(LOG_WARNING, "%s user: %s, prog: %s",
+ action < ICPOLICY_NEVER ? "permit" : "deny",
+ username, output);
+
 return (action);
 }
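Review bot: The `return (ICPOLICY_NEVER);` on the first context line of the `@@ -198` hunk leaves trans_cb before `replace:` and `out:`, so a call that takes that branch is never written to syslog even when its rule carries `log` or the policy is unsupervised; judging by gen_cb's `@@ -247` hunk, where this commit turns `action = ICPOLICY_NEVER;` into `return (ICPOLICY_NEVER);` directly after `kill(pid, SIGKILL);`, this appears to be the kill path, which is the event an operator most wants recorded. In gen_cb, keeping `action = ICPOLICY_NEVER;` and falling through to `out:` would log the kill as `deny` with the code already in the hunk; the corresponding branch in trans_cb lies outside the hunk and needs checking against the full function, and if skipping the log there is deliberate a one-line comment should say so. A smaller point for both functions: the `action < ICPOLICY_NEVER ? "permit" : "deny"` syslog call is duplicated, so a small static helper would keep the two log formats from drifting apart.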
@@ -216,6 +232,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
 struct intercept_pid *ipid;
 short action = ICPOLICY_PERMIT;
 short future;
+ int len, off, log = 0;
 if (policynr == -1)
 goto out;
@@ -226,14 +243,21 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
 ipid = intercept_getpid(pid);
 ipid->uflags = 0;
- snprintf(output, sizeof(output),
- "%s, pid: %d(%d), policy: %s, filters: %d, syscall: %s-%s(%d), args: %d",
- ipid->name != NULL ? ipid->name : policy->name, pid, policynr,
- policy->name, policy->nfilters, emulation, name, code, argsize);
+
+ make_output(output, sizeof(output),
+ ipid->name != NULL ? ipid->name : policy->name,
+ pid, ipid->ppid, policynr,
+ policy->name, policy->nfilters, emulation, name, code,
+ NULL, NULL);
+
+ off = strlen(output);
+ len = sizeof(output) - off;
+ if (len > 0)
+ snprintf(output + off, len, ", args: %d", argsize);
 if (policy->flags & POLICY_UNSUPERVISED) {
 action = ICPOLICY_NEVER;
- syslog(LOG_WARNING, "user: %s, prog: %s", username, output);
+ log = 1;
 goto out;
 }
@@ -247,9 +271,14 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
 err(1, "intercept_detach");
 } else if (action == ICPOLICY_KILL) {
 kill(pid, SIGKILL);
- action = ICPOLICY_NEVER;
+ return (ICPOLICY_NEVER);
 }
 out:
+ if (log)
+ syslog(LOG_WARNING, "%s user: %s, prog: %s",
+ action < ICPOLICY_NEVER ? "permit" : "deny",
+ username, output);
+
 return (action);
 }
diff --git a/bin/systrace/systrace.h b/bin/systrace/systrace.h
index e3bc74d16c1..ae1db702c31 100644
--- a/bin/systrace/systrace.h
+++ b/bin/systrace/systrace.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.h,v 1.12 2002/07/30 06:07:06 itojun Exp $ */
+/* $OpenBSD: systrace.h,v 1.13 2002/08/04 04:15:50 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
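Review bot: In the `@@ -226` hunk `len` and `off` are `int` while `strlen` and `sizeof(output)` are `size_t`; since snprintf always NUL-terminates, `off` is at most `sizeof(output) - 1`, so `len` is never below 1 and the `if (len > 0)` guard cannot fail, while a truncated `, args:` suffix goes unnoticed because the snprintf return value is not checked. `size_t off = strlen(output);` followed by `snprintf(output + off, sizeof(output) - off, ", args: %d", argsize);` expresses the same thing without the narrowing conversions (and `int log` will trip `-Wshadow` should <math.h> ever be included, since it hides `log(3)`). Separately, in the visible hunks gen_cb sets `log` only in the POLICY_UNSUPERVISED branch, whereas trans_cb tests `ipid->uflags & SYSCALL_LOG` at `replace:`; unless an equivalent test sits in the lines elided between the `@@ -226` and `@@ -247` hunks, a `log` rule has no effect on system calls dispatched through gen_cb, which should either be fixed or stated in the systrace.1 paragraph added by this commit.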
@@ -98,6 +98,7 @@ struct policy {
 #define PROCESS_INHERIT_POLICY 0x01 /* Process inherits policy */
 #define PROCESS_DETACH 0x02 /* Process gets detached */
+#define SYSCALL_LOG 0x04 /* Log this system call */
 int systrace_initpolicy(char *);
 void systrace_initcb(void);
@@ -167,7 +168,7 @@ char *uid_to_name(uid_t);
 char *strrpl(char *, size_t, char *, char *);
-void make_output(char *, size_t, const char *, pid_t, int,
+void make_output(char *, size_t, const char *, pid_t, pid_t, int,
 const char *, int, const char *, const char *, int, struct intercept_tlq *, struct intercept_replace *);
 short trans_cb(int, pid_t, int, const char *, int, const char *, void *, |
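Review bot: `SYSCALL_LOG 0x04` joins the `PROCESS_INHERIT_POLICY`/`PROCESS_DETACH` group in the `@@ -98` hunk without the group saying which field these bits are stored in; trans_cb tests the new bit on `ipid->uflags` (systrace.c, `@@ -198`), and the PROCESS_ names suggest the other two describe the process rather than a single call, so the group now mixes two lifetimes under one set of values. A comment above the three defines along the lines of `/* Bits in intercept_pid.uflags: PROCESS_* describe the process, SYSCALL_LOG applies only to the call being evaluated */` would keep a future flag from being tested against the wrong field; whether PROCESS_* are in fact kept in `uflags` is not visible here and should be confirmed before wording it.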