author | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2003-05-29 00:39:13 +0000 |
---|---|---|
committer | Jun-ichiro itojun Hagino <itojun@cvs.openbsd.org> | 2003-05-29 00:39:13 +0000 |
commit | 8b8ab4327b774ea66af3941fd57b1e16c6e0a868 (patch) | |
tree | 8927c5a296316c6f98b6c6e771d13bbc1ec8c15d /bin | |
parent | b420256ef32af4714b7678f09fab90aed7a10e41 (diff) |
>permit numeric values for uid and gid; allow "<" and ">" for less and
>greater; requested by dugsong@,
strum ok
Diffstat (limited to 'bin')
-rw-r--r-- | bin/systrace/filter.c | 33 | ||||
-rw-r--r-- | bin/systrace/lex.l | 4 | ||||
-rw-r--r-- | bin/systrace/parse.y | 40 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 4 | ||||
-rw-r--r-- | bin/systrace/systrace.h | 5 |
5 files changed, 70 insertions, 16 deletions
diff --git a/bin/systrace/filter.c b/bin/systrace/filter.c
index 3737b722767..94f815dce92 100644
--- a/bin/systrace/filter.c
+++ b/bin/systrace/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.25 2003/04/24 09:49:06 mpech Exp $ */
+/* $OpenBSD: filter.c,v 1.26 2003/05/29 00:39:12 itojun Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -134,19 +134,36 @@ filter_match(struct intercept_pid *icpid, struct intercept_tlq *tls,
 int
 filter_predicate(struct intercept_pid *icpid, struct predicate *pdc)
 {
- int negative;
+ int pidnr, pdcnr;
 int res = 0;
 
 if (!pdc->p_flags)
 return (1);
 
- negative = pdc->p_flags & PREDIC_NEGATIVE;
- if (pdc->p_flags & PREDIC_UID)
- res = icpid->uid == pdc->p_uid;
- else if (pdc->p_flags & PREDIC_GID)
- res = icpid->gid == pdc->p_gid;
+ if (pdc->p_flags & PREDIC_UID) {
+ pidnr = icpid->uid;
+ pdcnr = pdc->p_uid;
+ } else {
+ pidnr = icpid->gid;
+ pdcnr = pdc->p_gid;
+ }
+
+ switch (pdc->p_flags & PREDIC_MASK) {
+ case PREDIC_NEGATIVE:
+ res = pidnr != pdcnr;
+ break;
+ case PREDIC_LESSER:
+ res = pidnr < pdcnr;
+ break;
+ case PREDIC_GREATER:
+ res = pidnr > pdcnr;
+ break;
+ default:
+ res = pidnr == pdcnr;
+ break;
+ }
 
- return (negative ? !res : res);
+ return (res);
 }
 
 short
diff --git a/bin/systrace/lex.l b/bin/systrace/lex.l
index a8920da93dd..c9b24b3d659 100644
--- a/bin/systrace/lex.l
+++ b/bin/systrace/lex.l
@@ -1,4 +1,4 @@
-/* $OpenBSD: lex.l,v 1.12 2002/12/09 07:24:56 itojun Exp $ */
+/* $OpenBSD: lex.l,v 1.13 2003/05/29 00:39:12 itojun Exp $ */
 
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -95,6 +95,8 @@ as { return AS; }
 "," { return COMMA; }
 "=" { return EQUAL; }
 "!=" { return NEQUAL; }
+"<" { return LESSER; }
+">" { return GREATER; }
 [\$A-Za-z][\.\(\)\/A-Za-z_\-0-9]* { yylval.string = strdup(yytext); return STRING; }
 [0-9]+ { yylval.number = atoi(yytext); return NUMBER; }
 \"[^\"]*\" { char line[1024];
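Review bot: `int pidnr, pdcnr;` narrows the ids to signed int before the new `<`/`>` tests, while `pdc->p_uid`/`pdc->p_gid` are `uid_t`/`gid_t` (systrace.h in this commit) and `icpid->uid` is presumably the same type; on a platform where those are 32-bit unsigned, any id at or above 2^31 turns negative and sorts below every ordinary id, so a predicate such as `if user < 1000` would match a process running under such a uid. Equality and inequality survive the narrowing, which is why the old code was unaffected, but ordering does not. Keep the comparison in the id's own type, e.g. `uid_t pidnr, pdcnr;` (the gid branch assigns a gid_t into it, fine if the two have the same unsigned width here; otherwise split into a uid switch and a gid switch). A comment above the switch saying that `PREDIC_NEGATIVE`, `PREDIC_LESSER` and `PREDIC_GREATER` are a 2-bit code selected by `PREDIC_MASK` rather than or-able flags would also help, since `PREDIC_NEGATIVE | PREDIC_LESSER` reads as `PREDIC_GREATER`.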
diff --git a/bin/systrace/parse.y b/bin/systrace/parse.y
index 849ffadc8b6..8173b8dce94 100644
--- a/bin/systrace/parse.y
+++ b/bin/systrace/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.13 2002/12/09 07:24:56 itojun Exp $ */
+/* $OpenBSD: parse.y,v 1.14 2003/05/29 00:39:12 itojun Exp $ */
 
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -68,7 +68,7 @@ extern int iamroot;
 
 %token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
 %token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
-%token COLON RE
+%token COLON RE LESSER GREATER
 %token <string> STRING
 %token <string> CMDSTRING
 %token <number> NUMBER
@@ -159,7 +159,11 @@ logcode : /* Empty */
 ;
-uid: STRING
+uid : NUMBER
+{
+ $$ = $1;
+}
+ | STRING
 {
 struct passwd *pw;
 if ((pw = getpwnam($1)) == NULL) {
@@ -170,7 +174,11 @@ uid: STRING
 $$ = pw->pw_uid;
 }
 
-gid: STRING
+gid : NUMBER
+{
+ $$ = $1;
+}
+ | STRING
 {
 struct group *gr;
 if ((gr = getgrnam($1)) == NULL) {
@@ -233,6 +241,18 @@ predicate : /* Empty */
 $$.p_uid = $5;
 $$.p_flags = PREDIC_UID | PREDIC_NEGATIVE;
 }
+ | COMMA IF USER LESSER uid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_uid = $5;
+ $$.p_flags = PREDIC_UID | PREDIC_LESSER;
+}
+ | COMMA IF USER GREATER uid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_uid = $5;
+ $$.p_flags = PREDIC_UID | PREDIC_GREATER;
+}
 | COMMA IF GROUP EQUAL gid
 {
 memset(&$$, 0, sizeof($$));
@@ -245,6 +265,18 @@ predicate : /* Empty */
 $$.p_gid = $5;
 $$.p_flags = PREDIC_GID | PREDIC_NEGATIVE;
 }
+ | COMMA IF GROUP LESSER gid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_gid = $5;
+ $$.p_flags = PREDIC_GID | PREDIC_LESSER;
+}
+ | COMMA IF GROUP GREATER gid
+{
+ memset(&$$, 0, sizeof($$));
+ $$.p_gid = $5;
+ $$.p_flags = PREDIC_GID | PREDIC_GREATER;
+}
 
 expression : symbol
 {
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 08167915f72..09e057addfc 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
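Review bot: The new `uid : NUMBER { $$ = $1; }` and `gid : NUMBER { $$ = $1; }` actions take the lexer's NUMBER verbatim, and NUMBER is produced by `atoi(yytext)` into an `int` (lex.l context in this commit), so a numeric id that does not fit in int is silently wrapped and the predicate ends up bound to a different principal than the policy author wrote, with no error reported. The STRING alternative at least rejects names `getpwnam`/`getgrnam` cannot resolve; the NUMBER alternative has no validation at all, which is reasonable for ids with no account but should still be range-checked. Because `$1` is already an int by the time it reaches these actions, the check belongs in the lexer (strtoul with an ERANGE check and an upper bound of the largest uid_t/gid_t value) rather than here; at minimum document the intent above each rule, e.g. `/* A numeric id is used as given, with no passwd/group lookup, so ids without an account can be matched. */`. The STRING action bodies continue past the hunk.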
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.32 2003/03/28 09:56:06 jmc Exp $
+.\" $OpenBSD: systrace.1,v 1.33 2003/05/29 00:39:12 itojun Exp $
 .\"
 .\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
 .\" All rights reserved.
@@ -224,7 +224,7 @@ system call.
 Policy entries may contain an appended predicate.
 Predicates have the following format:
 .Bd -literal -offset AAA
-", if" {"user", "group"} {"=", "!="} string
+", if" {"user", "group"} {"=", "!=", "<", ">" } {number, string}
 .Ed
 .Pp
 A rule is added to the configured policy only if its predicate
diff --git a/bin/systrace/systrace.h b/bin/systrace/systrace.h
index 4e4e2705b37..2a81d430ed8 100644
--- a/bin/systrace/systrace.h
+++ b/bin/systrace/systrace.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.h,v 1.20 2002/12/09 07:24:56 itojun Exp $ */
+/* $OpenBSD: systrace.h,v 1.21 2003/05/29 00:39:12 itojun Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -69,6 +69,9 @@ struct filter {
 #define PREDIC_UID 0x01
 #define PREDIC_GID 0x02
 #define PREDIC_NEGATIVE 0x10
+#define PREDIC_LESSER 0x20
+#define PREDIC_GREATER 0x30
+#define PREDIC_MASK 0x30
 int p_flags;
 uid_t p_uid;
 gid_t p_gid; |
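Review bot: `PREDIC_LESSER 0x20` and `PREDIC_GREATER 0x30` overlap bit-wise with `PREDIC_NEGATIVE 0x10`, so the three are a two-bit code in the field selected by `PREDIC_MASK`, not independent flags like `PREDIC_UID`/`PREDIC_GID`, and nothing in the header says so; `PREDIC_NEGATIVE | PREDIC_LESSER` silently equals `PREDIC_GREATER`. A comment next to the mask would stop the next caller from or-ing them: `/* comparison kind: a 2-bit code in bits 4-5 (extract with PREDIC_MASK), not combinable flags */`. If combinability is ever wanted, give each kind its own bit (0x10/0x20/0x40, mask 0x70) so an accidental combination no longer aliases a valid value. The enclosing struct begins before the hunk.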