author | Niels Provos <provos@cvs.openbsd.org> | 2002-06-05 21:09:03 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 2002-06-05 21:09:03 +0000 |
commit | 7bd57261c7d93a1f815813d58639a52f4c59eedb (patch) | |
tree | 329d5c222e3b04896a1f813b081e1c3ad5262a92 /bin | |
parent | f99479c4660de1aa46826aa9f6bc3ddf453883aa (diff) |
append predicate, instead of prepending. makes rules sortable again.
pointed out by dugsong@
Diffstat (limited to 'bin')
-rw-r--r-- | bin/systrace/policy.c | 39 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 8 |
2 files changed, 23 insertions, 24 deletions
diff --git a/bin/systrace/policy.c b/bin/systrace/policy.c
index 187be64a906..c2b50df0b02 100644
--- a/bin/systrace/policy.c
+++ b/bin/systrace/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.6 2002/06/05 20:52:47 provos Exp $ */
+/* $OpenBSD: policy.c,v 1.7 2002/06/05 21:09:02 provos Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * All rights reserved.
@@ -410,25 +410,6 @@ systrace_readpolicy(char *filename)
 policy->flags |= POLICY_DETACHED;
 policy = NULL;
 continue;
- } else if (!strncasecmp(p, "if", 2)) {
- int match;
- char *predicate;
-
- /* Process predicates */
- p += 2;
- p += strspn(p, " \t");
- predicate = strsep(&p, ",");
- if (p == NULL)
- goto error;
-
- match = systrace_predicatematch(predicate);
- if (match == -1)
- goto error;
- /* If the predicate does not match skip rule */
- if (!match)
- continue;
-
- p += strspn(p, " \t");
 }
 emulation = strsep(&p, "-");
@@ -444,6 +425,24 @@ systrace_readpolicy(char *filename)
 p++;
 rule = p;
+ if ((p = strrchr(p, ',')) != NULL &&
+ !strncasecmp(p, ", if", 4)) {
+ int match;
+
+ *p = '\0';
+
+ /* Process predicates */
+ p += 4;
+ p += strspn(p, " \t");
+
+ match = systrace_predicatematch(p);
+ if (match == -1)
+ goto error;
+ /* If the predicate does not match skip rule */
+ if (!match)
+ continue;
+ }
+
 if (filter_parse_simple(rule, &action, &future) == -1) {
 if (parse_filter(rule, &parsed) == -1)
 goto error;
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 2148effc982..a7ff669b38b 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.11 2002/06/05 20:52:47 provos Exp $
+.\" $OpenBSD: systrace.1,v 1.12 2002/06/05 21:09:02 provos Exp $
 .\"
 .\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
 .\" All rights reserved.
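Review bot: The appended predicate is only detected when the last comma is followed by exactly one space and then `if` (`!strncasecmp(p, ", if", 4)`); a line such as `deny[eperm],if group != wheel`, or one with a tab after the comma, is not split, so the whole line including the predicate text reaches filter_parse_simple()/parse_filter() as the rule. Whether that fails closed depends on those parsers rejecting the trailing text, which is outside the hunk; if either tolerates it, the rule would be installed without its user/group condition. Skipping blanks after the comma before comparing against `if`, and advancing past the keyword from there, removes the dependence on the exact `", if"` spelling. systrace_readpolicy() starts and ends outside the hunk.
```c
		rule = p;

		/* Predicate: last comma, optional blanks, then "if". */
		if ((p = strrchr(p, ',')) != NULL) {
			char *kw = p + 1;

			kw += strspn(kw, " \t");
			if (!strncasecmp(kw, "if", 2)) {
				int match;

				*p = '\0';
				p = kw + 2;
				p += strspn(p, " \t");
				/* … unchanged: systrace_predicatematch() call, goto error, continue … */
			}
		}
```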
@@ -96,10 +96,10 @@ The
 .Va cmd-string
 is an arbitrary string enclosed with quotation marks.
 .Pp
-Policy entries can be prefixed with a predicate.
+Policy entries may contain an appended predicate.
 Predicates have the following format:
 .Bd -literal -offset AAA
-"if" {"user", "group"} {"=", "!="} string ","
+", if" {"user", "group"} {"=", "!="} string
 .Ed
 .Pp
 A rule is added to the configured policy only if its predicate
@@ -119,7 +119,7 @@ Policy: /bin/ls, Emulation: native
 native-open: filename match "$HOME/*" and oflags sub "ro" then permit
 native-open: filename eq "/etc/pwd.db" and oflags sub "ro" then permit
 [...]
- if group != wheel, native-open: filename eq "/etc" then deny[eperm]
+ native-open: filename eq "/etc" then deny[eperm], if group != wheel
 .Ed
 .Sh FILES
 .Bl -tag -width xHOME/xsystrace -compact |