[src/trunk]: src/bin Add userland portion of systrace.
details: https://anonhg.NetBSD.org/src/rev/b29029849f7c
branches: trunk
changeset: 532891:b29029849f7c
user: christos <christos%NetBSD.org@localhost>
date: Mon Jun 17 16:29:07 2002 +0000
description:
Add userland portion of systrace.
diffstat:
bin/Makefile | 4 +-
bin/systrace/Makefile | 18 +
bin/systrace/filter.c | 577 +++++++++++++++++++++++++++++++
bin/systrace/filter.h | 40 ++
bin/systrace/intercept-translate.c | 285 +++++++++++++++
bin/systrace/intercept.c | 566 +++++++++++++++++++++++++++++++
bin/systrace/intercept.h | 155 ++++++++
bin/systrace/lex.l | 113 ++++++
bin/systrace/netbsd-syscalls.c | 585 ++++++++++++++++++++++++++++++++
bin/systrace/openbsd-syscalls.c | 543 ++++++++++++++++++++++++++++++
bin/systrace/parse.y | 329 ++++++++++++++++++
bin/systrace/policy.c | 560 ++++++++++++++++++++++++++++++
bin/systrace/systrace-errno.h | 122 ++++++
bin/systrace/systrace-error.c | 151 ++++++++
bin/systrace/systrace-translate.c | 190 ++++++++++
bin/systrace/systrace.1 | 186 ++++++++++
bin/systrace/systrace.c | 580 ++++++++++++++++++++++++++++++++
bin/systrace/systrace.h | 135 +++++++
bin/systrace/tree.h | 669 +++++++++++++++++++++++++++++++++++++
bin/systrace/util.c | 232 ++++++++++++
bin/systrace/util.h | 36 +
21 files changed, 6074 insertions(+), 2 deletions(-)
diffs (truncated from 6166 to 300 lines):
diff -r 80bb891799d6 -r b29029849f7c bin/Makefile
--- a/bin/Makefile Mon Jun 17 16:24:57 2002 +0000
+++ b/bin/Makefile Mon Jun 17 16:29:07 2002 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.18 1999/11/23 05:28:15 mrg Exp $
+# $NetBSD: Makefile,v 1.19 2002/06/17 16:29:07 christos Exp $
# @(#)Makefile 8.1 (Berkeley) 5/31/93
SUBDIR= cat chio chmod cp csh date dd df domainname echo ed expr hostname \
kill ksh ln ls mkdir mt mv pax ps pwd rcp rcmd rm rmdir sh \
- sleep stty sync test
+ sleep stty sync systrace test
.include <bsd.subdir.mk>
diff -r 80bb891799d6 -r b29029849f7c bin/systrace/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/bin/systrace/Makefile Mon Jun 17 16:29:07 2002 +0000
@@ -0,0 +1,18 @@
+# $NetBSD: Makefile,v 1.1 2002/06/17 16:29:08 christos Exp $
+# $OpenBSD: Makefile,v 1.4 2002/06/05 17:34:56 mickey Exp $
+
+PROG= systrace
+CFLAGS+= -I. -I/sys
+SRCS= filter.c intercept-translate.c intercept.c \
+ netbsd-syscalls.c util.c \
+ policy.c systrace-errno.h systrace-error.c \
+ systrace-translate.c systrace.c \
+ parse.y lex.l
+CLEANFILES+= parse.c lex.c y.tab.h
+YHEADER=yes
+LDADD+= -ll -ly
+DPADD+= ${LIBL} ${LIBY}
+
+.include <bsd.prog.mk>
+
+.depend: parse.c lex.c
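Review bot: The include path on the `CFLAGS+= -I. -I/sys` line is an absolute path into the host's kernel tree, so the program's private headers (`<sys/tree.h>` and whatever else is pulled from the kernel sources) resolve against whatever `/sys` happens to point at on the build host rather than the source tree being built, which breaks relocated or cross builds and can silently compile against a mismatched kernel header set. Preprocessor flags also belong in `CPPFLAGS` in the BSD make framework, not `CFLAGS`. I would change it to `CPPFLAGS+= -I. -I${.CURDIR}/../../sys` so the path is anchored on this Makefile's own location. Listing `systrace-errno.h` in `SRCS` is presumably intentional for dependency tracking, but a short comment saying so would save the next reader a question.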
diff -r 80bb891799d6 -r b29029849f7c bin/systrace/filter.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/bin/systrace/filter.c Mon Jun 17 16:29:07 2002 +0000
@@ -0,0 +1,577 @@
+/* $NetBSD: filter.c,v 1.1 2002/06/17 16:29:08 christos Exp $ */
+/* $OpenBSD: filter.c,v 1.11 2002/06/11 05:30:28 provos Exp $ */
+
+/*
+ * Copyright 2002 Niels Provos <provos%citi.umich.edu@localhost>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Niels Provos.
+ * 4. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: filter.c,v 1.1 2002/06/17 16:29:08 christos Exp $");
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/tree.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <fnmatch.h>
+#include <err.h>
+
+#include "intercept.h"
+#include "systrace.h"
+#include "filter.h"
+#include "util.h"
+
+extern int allow;
+extern int connected;
+extern char cwd[];
+
+static void logic_free(struct logic *);
+static int filter_match(struct intercept_tlq *, struct logic *);
+static void filter_review(struct filterq *);
+static void filter_policyrecord(struct policy *, struct filter *, const char *,
+ const char *, char *);
+static void filter_replace(char *, size_t, char *, char *);
+
+static int
+filter_match(struct intercept_tlq *tls, struct logic *logic)
+{
+ struct intercept_translate *tl;
+ int off = 0;
+
+ switch (logic->op) {
+ case LOGIC_NOT:
+ return (!filter_match(tls, logic->left));
+ case LOGIC_OR:
+ if (filter_match(tls, logic->left))
+ return (1);
+ return (filter_match(tls, logic->right));
+ case LOGIC_AND:
+ if (!filter_match(tls, logic->left))
+ return (0);
+ return (filter_match(tls, logic->right));
+ default:
+ break;
+ }
+
+ /* Now we just have a logic single */
+ if (logic->type == NULL)
+ goto match;
+
+ TAILQ_FOREACH(tl, tls, next) {
+ if (!tl->trans_valid)
+ return (0);
+
+ if (strcasecmp(tl->name, logic->type))
+ continue;
+
+ if (logic->typeoff == -1 || logic->typeoff == off)
+ break;
+
+ off++;
+ }
+
+ if (tl == NULL)
+ return (0);
+
+ match:
+ return (logic->filter_match(tl, logic));
+}
+
+short
+filter_evaluate(struct intercept_tlq *tls, struct filterq *fls, int *pflags)
+{
+ struct filter *filter, *last = NULL;
+ short action, laction = 0;
+
+ TAILQ_FOREACH(filter, fls, next) {
+ action = filter->match_action;
+
+ if (filter_match(tls, filter->logicroot)) {
+ /* Profile feedback optimization */
+ filter->match_count++;
+ if (last != NULL && last->match_action == action &&
+ filter->match_count > last->match_count) {
+ TAILQ_REMOVE(fls, last, next);
+ TAILQ_INSERT_AFTER(fls, filter, last, next);
+ }
+
+ if (action == ICPOLICY_NEVER)
+ action = filter->match_error;
+ *pflags = filter->match_flags;
+ return (action);
+ }
+
+ /* Keep track of last processed filtered in a group */
+ last = filter;
+ laction = action;
+ }
+
+ return (ICPOLICY_ASK);
+}
+
+static void
+logic_free(struct logic *logic)
+{
+ if (logic->left)
+ logic_free(logic->left);
+ if (logic->right)
+ logic_free(logic->right);
+ if (logic->type)
+ free(logic->type);
+ if (logic->filterdata)
+ free(logic->filterdata);
+ free(logic);
+}
+
+void
+filter_free(struct filter *filter)
+{
+ if (filter->logicroot)
+ logic_free(filter->logicroot);
+ if (filter->rule)
+ free(filter->rule);
+ free(filter);
+}
+
+static void
+filter_review(struct filterq *fls)
+{
+ struct filter *filter;
+ int i = 0;
+
+ printf("Filter review:\n");
+
+ TAILQ_FOREACH(filter, fls, next) {
+ i++;
+ printf("%d. %s\n", i, filter->rule);
+ }
+}
+
+static void
+filter_policyrecord(struct policy *policy, struct filter *filter,
+ const char *emulation, const char *name, char *rule)
+{
+ /* Record the filter in the policy */
+ if (filter == NULL) {
+ filter = calloc(1, sizeof(struct filter));
+ if (filter == NULL)
+ err(1, "%s:%d: calloc", __func__, __LINE__);
+ if ((filter->rule = strdup(rule)) == NULL)
+ err(1, "%s:%d: strdup", __func__, __LINE__);
+ }
+
+ strlcpy(filter->name, name, sizeof(filter->name));
+ strlcpy(filter->emulation, emulation, sizeof(filter->emulation));
+
+ TAILQ_INSERT_TAIL(&policy->filters, filter, policy_next);
+ policy->nfilters++;
+
+ policy->flags |= POLICY_CHANGED;
+}
+
+int
+filter_parse(char *line, struct filter **pfilter)
+{
+ char *rule;
+
+ if (parse_filter(line, pfilter) == -1)
+ return (-1);
+
+ if ((rule = strdup(line)) == NULL)
+ err(1, "%s:%d: strdup", __func__, __LINE__);
+
+ (*pfilter)->rule = rule;
+
+ return (0);
+}
+
+/* Translate a simple action like "permit" or "deny[einval]" to numbers */
+
+int
+filter_parse_simple(char *rule, short *paction, short *pfuture)
+{
+ char buf[1024];
+ int isfuture = 1;
+ char *line, *p;
+
+ strlcpy(buf, rule, sizeof(buf));
+ line = buf;
+
+ if (!strcmp("permit", line)) {
+ *paction = *pfuture = ICPOLICY_PERMIT;
+ return (0);
+ } else if (!strcmp("permit-now", line)) {
+ *paction = ICPOLICY_PERMIT;
+ return (0);
+ } else if (strncmp("deny", line, 4))
+ return (-1);
+
+ line +=4 ;
+ if (!strncmp("-now", line, 4)) {
+ line += 4;
+ isfuture = 0;
+ }
+
+ *paction = ICPOLICY_NEVER;
+
+ switch (line[0]) {
+ case '\0':
+ break;
+ case '[':
+ line++;
+ p = strsep(&line, "]");
+ if (line == NULL || *line != '\0')
+ return (-1);
+
+ *paction = systrace_error_translate(p);
+ if (*paction == -1)
+ return (-1);
+ break;
+ default:
+ return (-1);