author | Niels Provos <provos@cvs.openbsd.org> | 2002-06-05 16:51:09 +0000 |
---|---|---|
committer | Niels Provos <provos@cvs.openbsd.org> | 2002-06-05 16:51:09 +0000 |
commit | cb1557c30ccf75e03417493c8a59435f93e5f960 (patch) | |
tree | 47220336766f11ed7feaef2ddd43ba43a396e586 /bin | |
parent | b6bf98984be14e9144bddc3a352435ff99ed97c1 (diff) |
Introduce an automatic policy generation mode. It creates a policy based
on what the application tries to do; the policy can be refined later.
Diffstat (limited to 'bin')
-rw-r--r-- | bin/systrace/filter.c | 60 | ||||
-rw-r--r-- | bin/systrace/systrace.1 | 8 | ||||
-rw-r--r-- | bin/systrace/systrace.c | 10 |
3 files changed, 62 insertions, 16 deletions
diff --git a/bin/systrace/filter.c b/bin/systrace/filter.c
index 6dbfe3ed65c..f5742820167 100644
--- a/bin/systrace/filter.c
+++ b/bin/systrace/filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: filter.c,v 1.5 2002/06/05 16:09:20 provos Exp $ */
+/* $OpenBSD: filter.c,v 1.6 2002/06/05 16:51:08 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -44,6 +44,7 @@
 #include "intercept.h"
 #include "systrace.h"
+extern int allow;
 extern int connected;
 extern char cwd[];
@@ -291,7 +292,7 @@ filter_ask(struct intercept_tlq *tls, struct filterq *fls, int policynr,
     char *emulation, char *name, char *output, short *pfuture, int *pflags)
 {
-	char line[1024], *p;
+	char line[2*MAXPATHLEN], *p;
 	struct filter *filter;
 	struct policy *policy;
 	short action;
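Review bot: The enlargement of `line` to `2*MAXPATHLEN` carries no comment saying what the new bound is for, and this hunk shows only the declaration; the buffer now also receives a composed policy rule, so a reader has to hunt for that use to understand the size. A comment such as `/* holds an interactive answer or a generated "<name> eq \"<path>\" and ..." rule */` next to the declaration would make the bound reviewable, and it is worth noting there that a rule chaining several translated components is not obviously bounded by twice one path length. `filter_ask` continues past the end of this hunk.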
@@ -304,22 +305,59 @@ filter_ask(struct intercept_tlq *tls, struct filterq *fls,
 		errx(1, "%s:%d: no policy %d\n", __func__, __LINE__, policynr);
-	printf("%s\n", output);
+	if (!allow)
+		printf("%s\n", output);
 	while (1) {
 		filter = NULL;
-		if (!connected)
-			printf("Answer: ");
-		else {
-			/* Do not prompt the first time */
-			if (first) {
-				printf("WRONG\n");
+		if (!allow) {
+			/* Ask for a policy */
+			if (!connected)
+				printf("Answer: ");
+			else {
+				/* Do not prompt the first time */
+				if (first) {
+					printf("WRONG\n");
+				}
+				first = 1;
 			}
-			first = 1;
+
+			fgets(line, sizeof(line), stdin);
+		} else {
+			/* Automatically allow */
+			if (strcmp(name, "execve") == 0) {
+				strlcpy(line,"true then permit", sizeof(line));
+			} else if (tls != NULL) {
+				struct intercept_translate *tl;
+				char compose[MAXPATHLEN], *l;
+				int set = 0;
+
+				/* Explicitly match every component */
+				line[0] = '\0';
+				TAILQ_FOREACH(tl, tls, next) {
+					if (!tl->trans_valid)
+						break;
+					l = intercept_translate_print(tl);
+					if (l == NULL)
+						continue;
+
+					snprintf(compose, sizeof(compose),
+					    "%s eq \"%s\"", tl->name, l);
+					if (set)
+						strlcat(line, " and ",
+						    sizeof(line));
+					else
+						set = 1;
+					strlcat(line, compose, sizeof(line));
+				}
+				if (!set)
+					strlcpy(line, "true", sizeof(line));
+				strlcat(line, " then permit", sizeof(line));
+			} else
+				strlcpy(line, "permit", sizeof(line));
 		}
-		fgets(line, sizeof(line), stdin);
 		p = line;
 		strsep(&p, "\n");
diff --git a/bin/systrace/systrace.1 b/bin/systrace/systrace.1
index 1aa0a118c83..794d7de4165 100644
--- a/bin/systrace/systrace.1
+++ b/bin/systrace/systrace.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: systrace.1,v 1.8 2002/06/05 12:00:15 mpech Exp $
+.\" $OpenBSD: systrace.1,v 1.9 2002/06/05 16:51:08 provos Exp $
 .\"
 .\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
 .\" All rights reserved.
@@ -38,7 +38,7 @@
 .Nd generates and enforces system call policies
 .Sh SYNOPSIS
 .Nm systrace
-.Op Fl aitU
+.Op Fl aAitU
 .Op Fl g Ar gui
 .Op Fl f Ar file
 .Ar command ...
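Review bot: The `snprintf(compose, sizeof(compose), "%s eq \"%s\"", tl->name, l)` line embeds the traced process's translated syscall argument verbatim inside a double-quoted policy term, and the process being sandboxed chooses that argument; a filename containing `"` would, assuming `line` is still handed to the policy parser after the `strsep` as it was in interactive mode (the parse happens past the end of this hunk), let the application write its own policy text. Truncation is silent as well: `compose` is `MAXPATHLEN` bytes, `line` is `2*MAXPATHLEN`, and neither the `snprintf` nor the `strlcat` results are checked, so a long translation or several chained components yields a clipped term that either fails to parse or matches something other than what the program did. I would refuse to generate a rule rather than emit a damaged one, as in the excerpt below, and, since an invalid translation (`!tl->trans_valid`) breaks out of the loop and can leave `line` at `true then permit`, an unconditional permit for that syscall, add a comment on the `if (!set)` line saying that this wide rule is deliberate for a base policy. The enclosing `filter_ask` starts before and continues past this hunk.
```c
				TAILQ_FOREACH(tl, tls, next) {
					/* … unchanged: trans_valid break and NULL check … */
					/* The argument becomes policy text: refuse anything
					 * that could close the quoted term or overflow it. */
					if (strpbrk(l, "\"\\") != NULL)
						errx(1, "%s: %s not expressible in policy",
						    name, tl->name);
					if (snprintf(compose, sizeof(compose),
					    "%s eq \"%s\"", tl->name, l) >= (int)sizeof(compose))
						errx(1, "%s: %s too long for policy", name, tl->name);
					if (set && strlcat(line, " and ",
					    sizeof(line)) >= sizeof(line))
						errx(1, "%s: policy line too long", name);
					set = 1;
					if (strlcat(line, compose, sizeof(line)) >= sizeof(line))
						errx(1, "%s: policy line too long", name);
				}
```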
@@ -57,6 +57,10 @@ The options are as follows:
 Enables automatic enforcement of configured policies.
 An operation not covered by policy is denied and logged via
 .Xr syslog 3 .
+.It Fl A
+Automatically generate a policy that allows every operation the
+application executes.
+The created policy functions as a base that can be refined.
 .It Fl i
 Inherits the policy of the first executed binary to all children.
 .It Fl t
diff --git a/bin/systrace/systrace.c b/bin/systrace/systrace.c
index 7ec5c124f22..e572b761fc2 100644
--- a/bin/systrace/systrace.c
+++ b/bin/systrace/systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: systrace.c,v 1.10 2002/06/05 15:59:52 provos Exp $ */
+/* $OpenBSD: systrace.c,v 1.11 2002/06/05 16:51:08 provos Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * All rights reserved.
@@ -51,6 +51,7 @@ int fd;
 int connected = 0;		/* Connected to GUI */
 int inherit = 0;		/* Inherit policy to childs */
 int automatic = 0;		/* Do not run interactively */
+int allow = 0;			/* Allow all and generate */
 int userpolicy = 1;		/* Permit user defined policies */
 char *username = NULL;		/* Username in automatic mode */
 char cwd[MAXPATHLEN];		/* Current working directory of process */
@@ -393,12 +394,15 @@ main(int argc, char **argv)
 	char *guipath = _PATH_XSYSTRACE;
 	int usex11 = 1;
-	while ((c = getopt(argc, argv, "aitUg:f:")) != -1) {
+	while ((c = getopt(argc, argv, "aAitUg:f:")) != -1) {
 		switch (c) {
 		case 'a':
 			automatic = 1;
 			username = uid_to_name(getuid());
 			break;
+		case 'A':
+			allow = 1;
+			break;
 		case 'i':
 			inherit = 1;
 			break;
@@ -453,7 +457,7 @@ main(int argc, char **argv)
 	if (intercept_attach(fd, pid) == -1)
 		err(1, "attach");
-	if (usex11 && !automatic)
+	if (usex11 && !automatic && !allow)
 		requestor_start(guipath);
 	if (kill(pid, SIGCONT) == -1) |
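Review bot: The new `case 'A'` sets `allow = 1` regardless of `automatic`, so `systrace -a -A` is accepted even though the two flags ask for opposite things, denying everything a policy does not cover versus permitting everything and recording it; which of the two wins is decided outside this hunk and is not stated anywhere in the option handling. I would reject the combination right after the getopt loop, `if (automatic && allow) errx(1, "-a and -A are mutually exclusive");`, or document the precedence in the man page entry for `-A`. The `/* Allow all and generate */` comment on the new global could also say that the policy produced this way permits whatever the traced program did and must be reviewed before it is used for enforcement. `main` continues past the end of this hunk.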