2005-08-10 22:19:21 +04:00
|
|
|
/* $NetBSD: systrace.h,v 1.21 2005/08/10 18:19:21 elad Exp $ */
|
2002-08-28 07:52:44 +04:00
|
|
|
/* $OpenBSD: systrace.h,v 1.14 2002/08/05 23:27:53 provos Exp $ */
|
2002-06-17 20:29:07 +04:00
|
|
|
/*
|
|
|
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. All advertising materials mentioning features or use of this software
|
|
|
|
* must display the following acknowledgement:
|
|
|
|
* This product includes software developed by Niels Provos.
|
|
|
|
* 4. The name of the author may not be used to endorse or promote products
|
|
|
|
* derived from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef _SYSTRACE_H_
|
|
|
|
#define _SYSTRACE_H_
|
|
|
|
#include <sys/queue.h>
|
|
|
|
|
|
|
|
#define _PATH_XSYSTRACE "/usr/X11R6/bin/xsystrace"
|
|
|
|
|
|
|
|
enum logicop { LOGIC_AND, LOGIC_OR, LOGIC_NOT, LOGIC_SINGLE };
|
|
|
|
|
|
|
|
struct logic {
|
|
|
|
enum logicop op;
|
|
|
|
struct logic *left;
|
|
|
|
struct logic *right;
|
|
|
|
char *type;
|
|
|
|
int typeoff;
|
2002-10-08 18:49:23 +04:00
|
|
|
int flags;
|
2002-06-17 20:29:07 +04:00
|
|
|
void *filterdata;
|
|
|
|
size_t filterlen;
|
|
|
|
int (*filter_match)(struct intercept_translate *, struct logic *);
|
2002-11-02 23:04:20 +03:00
|
|
|
void *filterarg;
|
2002-06-17 20:29:07 +04:00
|
|
|
};
|
|
|
|
|
2002-10-08 18:49:23 +04:00
|
|
|
#define LOGIC_NEEDEXPAND 0x01
|
|
|
|
|
2002-06-17 20:29:07 +04:00
|
|
|
struct filter {
|
|
|
|
TAILQ_ENTRY(filter) next;
|
|
|
|
TAILQ_ENTRY(filter) policy_next;
|
|
|
|
|
|
|
|
char *rule;
|
2004-12-01 06:30:07 +03:00
|
|
|
char name[64];
|
2002-06-17 20:29:07 +04:00
|
|
|
char emulation[16];
|
|
|
|
struct logic *logicroot;
|
|
|
|
short match_action;
|
|
|
|
int match_error;
|
|
|
|
int match_flags;
|
|
|
|
int match_count; /* Number of times this filter matched */
|
2002-10-08 18:49:23 +04:00
|
|
|
|
|
|
|
struct predicate {
|
|
|
|
#define PREDIC_UID 0x01
|
|
|
|
#define PREDIC_GID 0x02
|
|
|
|
#define PREDIC_NEGATIVE 0x10
|
2003-05-21 02:45:13 +04:00
|
|
|
#define PREDIC_LESSER 0x20
|
|
|
|
#define PREDIC_GREATER 0x30
|
|
|
|
#define PREDIC_MASK 0x30
|
2002-10-08 18:49:23 +04:00
|
|
|
int p_flags;
|
|
|
|
uid_t p_uid;
|
|
|
|
gid_t p_gid;
|
|
|
|
} match_predicate;
|
2002-10-12 01:54:55 +04:00
|
|
|
|
|
|
|
struct elevate elevate;
|
2002-06-17 20:29:07 +04:00
|
|
|
};
|
|
|
|
|
|
|
|
TAILQ_HEAD(filterq, filter);
|
|
|
|
|
|
|
|
struct policy_syscall {
|
|
|
|
SPLAY_ENTRY(policy_syscall) node;
|
|
|
|
|
|
|
|
char name[64];
|
|
|
|
char emulation[16];
|
|
|
|
|
|
|
|
struct filterq flq;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct policy {
|
|
|
|
SPLAY_ENTRY(policy) node;
|
|
|
|
SPLAY_ENTRY(policy) nrnode;
|
|
|
|
|
|
|
|
const char *name;
|
|
|
|
char emulation[16];
|
|
|
|
|
|
|
|
SPLAY_HEAD(syscalltree, policy_syscall) pflqs;
|
|
|
|
|
|
|
|
int policynr;
|
|
|
|
int flags;
|
|
|
|
|
|
|
|
struct filterq filters;
|
|
|
|
int nfilters;
|
|
|
|
struct filterq prefilters;
|
|
|
|
};
|
|
|
|
|
2002-09-23 08:35:41 +04:00
|
|
|
struct template {
|
|
|
|
TAILQ_ENTRY(template) next;
|
|
|
|
|
|
|
|
char *filename;
|
|
|
|
char *name;
|
|
|
|
char *description;
|
|
|
|
|
|
|
|
char *emulation;
|
|
|
|
};
|
|
|
|
|
|
|
|
TAILQ_HEAD(tmplqueue, template);
|
|
|
|
|
2002-06-17 20:29:07 +04:00
|
|
|
#define POLICY_PATH "/etc/systrace"
|
|
|
|
|
|
|
|
#define POLICY_UNSUPERVISED 0x01 /* Auto-Pilot */
|
|
|
|
#define POLICY_DETACHED 0x02 /* Ignore this program */
|
|
|
|
#define POLICY_CHANGED 0x04
|
|
|
|
|
|
|
|
#define PROCESS_INHERIT_POLICY 0x01 /* Process inherits policy */
|
2002-07-30 20:29:28 +04:00
|
|
|
#define PROCESS_DETACH 0x02 /* Process gets detached */
|
2002-08-28 07:52:44 +04:00
|
|
|
#define SYSCALL_LOG 0x04 /* Log this system call */
|
2003-03-26 02:17:29 +03:00
|
|
|
#define PROCESS_PROMPT 0x08 /* Prompt but nothing else */
|
2002-06-17 20:29:07 +04:00
|
|
|
|
2002-10-08 18:49:23 +04:00
|
|
|
void systrace_parameters(void);
|
2002-08-28 07:52:44 +04:00
|
|
|
int systrace_initpolicy(char *, char *);
|
|
|
|
void systrace_setupdir(char *);
|
2002-09-23 08:35:41 +04:00
|
|
|
struct template *systrace_readtemplate(char *, struct policy *,
|
|
|
|
struct template *);
|
2002-07-30 20:29:28 +04:00
|
|
|
void systrace_initcb(void);
|
2002-06-17 20:29:07 +04:00
|
|
|
struct policy *systrace_newpolicy(const char *, const char *);
|
2003-06-03 08:33:44 +04:00
|
|
|
void systrace_freepolicy(struct policy *);
|
2002-06-17 20:29:07 +04:00
|
|
|
int systrace_newpolicynr(int, struct policy *);
|
|
|
|
int systrace_modifypolicy(int, int, const char *, short);
|
|
|
|
struct policy *systrace_findpolicy(const char *);
|
|
|
|
struct policy *systrace_findpolnr(int);
|
|
|
|
int systrace_dumppolicy(void);
|
|
|
|
int systrace_readpolicy(char *);
|
2005-08-10 22:19:21 +04:00
|
|
|
char *systrace_getpolicyfilename(const char *);
|
2002-06-17 20:29:07 +04:00
|
|
|
int systrace_addpolicy(const char *);
|
|
|
|
struct filterq *systrace_policyflq(struct policy *, const char *, const char *);
|
|
|
|
|
|
|
|
int systrace_error_translate(char *);
|
|
|
|
|
2002-07-30 20:29:28 +04:00
|
|
|
#define SYSTRACE_MAXALIAS 5
|
|
|
|
|
|
|
|
struct systrace_alias {
|
|
|
|
SPLAY_ENTRY(systrace_alias) node;
|
|
|
|
TAILQ_ENTRY(systrace_alias) next;
|
|
|
|
|
|
|
|
char name[64];
|
|
|
|
char emulation[16];
|
|
|
|
|
|
|
|
char aname[64];
|
|
|
|
char aemul[16];
|
|
|
|
|
|
|
|
struct intercept_translate *arguments[SYSTRACE_MAXALIAS];
|
|
|
|
int nargs;
|
|
|
|
|
|
|
|
struct systrace_revalias *reverse;
|
|
|
|
};
|
|
|
|
|
|
|
|
int systrace_initalias(void);
|
2005-06-25 03:21:09 +04:00
|
|
|
struct systrace_alias *systrace_new_alias(const char *, const char *, const char *, const char *);
|
|
|
|
void systrace_switch_alias(const char *, const char *, const char *, const char *);
|
2002-07-30 20:29:28 +04:00
|
|
|
struct systrace_alias *systrace_find_alias(const char *, const char *);
|
|
|
|
void systrace_alias_add_trans(struct systrace_alias *,
|
|
|
|
struct intercept_translate *);
|
|
|
|
|
|
|
|
struct systrace_revalias {
|
|
|
|
SPLAY_ENTRY(systrace_revalias) node;
|
|
|
|
|
|
|
|
char name[64];
|
|
|
|
char emulation[16];
|
|
|
|
|
|
|
|
TAILQ_HEAD(revaliasq, systrace_alias) revl;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct systrace_revalias *systrace_reverse(const char *, const char *);
|
|
|
|
struct systrace_revalias *systrace_find_reverse(const char *, const char *);
|
|
|
|
|
2002-10-08 18:49:23 +04:00
|
|
|
short filter_evaluate(struct intercept_tlq *, struct filterq *,
|
|
|
|
struct intercept_pid *);
|
2002-09-23 08:35:41 +04:00
|
|
|
short filter_ask(int, struct intercept_tlq *, struct filterq *, int,
|
2002-10-08 18:49:23 +04:00
|
|
|
const char *, const char *, char *, short *, struct intercept_pid *);
|
2002-06-17 20:29:07 +04:00
|
|
|
void filter_free(struct filter *);
|
2002-07-30 20:29:28 +04:00
|
|
|
void filter_modifypolicy(int, int, const char *, const char *, short);
|
2002-06-17 20:29:07 +04:00
|
|
|
|
2002-10-08 18:49:23 +04:00
|
|
|
int filter_predicate(struct intercept_pid *, struct predicate *);
|
2002-06-17 20:29:07 +04:00
|
|
|
int filter_parse_simple(char *, short *, short *);
|
|
|
|
int filter_parse(char *, struct filter **);
|
|
|
|
int filter_prepolicy(int, struct policy *);
|
2002-10-08 18:49:23 +04:00
|
|
|
char *filter_expand(char *);
|
|
|
|
char *filter_dynamicexpand(struct intercept_pid *, char *);
|
|
|
|
int filter_needexpand(char *);
|
2002-06-17 20:29:07 +04:00
|
|
|
|
2005-06-25 03:21:09 +04:00
|
|
|
void cradle_start(const char *, const char *, const char *);
|
2003-11-29 00:53:32 +03:00
|
|
|
|
2002-06-17 20:29:07 +04:00
|
|
|
int parse_filter(char *, struct filter **);
|
|
|
|
|
2002-07-30 20:29:28 +04:00
|
|
|
char *uid_to_name(uid_t);
|
|
|
|
|
2005-06-25 03:21:09 +04:00
|
|
|
char *strrpl(char *, size_t, const char *, const char *);
|
2002-07-30 20:29:28 +04:00
|
|
|
|
2002-08-28 07:52:44 +04:00
|
|
|
void make_output(char *, size_t, const char *, pid_t, pid_t, int,
|
2002-07-30 20:29:28 +04:00
|
|
|
const char *, int, const char *, const char *, int, struct intercept_tlq *,
|
|
|
|
struct intercept_replace *);
|
|
|
|
short trans_cb(int, pid_t, int, const char *, int, const char *, void *,
|
2003-08-25 13:12:42 +04:00
|
|
|
int, struct intercept_replace *, struct intercept_tlq *, void *);
|
2002-07-30 20:29:28 +04:00
|
|
|
short gen_cb(int, pid_t, int, const char *, int, const char *, void *,
|
|
|
|
int, void *);
|
|
|
|
void execres_cb(int, pid_t, int, const char *, const char *, void *);
|
2003-06-03 08:33:44 +04:00
|
|
|
void policyfree_cb(int, void *);
|
2002-07-30 20:29:28 +04:00
|
|
|
|
2002-11-02 22:43:27 +03:00
|
|
|
extern struct intercept_translate ic_oflags;
|
|
|
|
extern struct intercept_translate ic_modeflags;
|
|
|
|
extern struct intercept_translate ic_fdt;
|
|
|
|
extern struct intercept_translate ic_uidt;
|
|
|
|
extern struct intercept_translate ic_uname;
|
|
|
|
extern struct intercept_translate ic_gidt;
|
|
|
|
extern struct intercept_translate ic_trargv;
|
|
|
|
extern struct intercept_translate ic_sockdom;
|
|
|
|
extern struct intercept_translate ic_socktype;
|
2002-11-02 22:49:21 +03:00
|
|
|
extern struct intercept_translate ic_pidname;
|
|
|
|
extern struct intercept_translate ic_signame;
|
2005-05-07 19:11:02 +04:00
|
|
|
extern struct intercept_translate ic_fcntlcmd;
|
2005-06-25 16:22:43 +04:00
|
|
|
extern struct intercept_translate ic_memprot;
|
2002-11-02 22:43:27 +03:00
|
|
|
|
|
|
|
extern struct intercept_translate ic_linux_oflags;
|
2002-07-30 20:29:28 +04:00
|
|
|
|
2005-06-25 03:21:09 +04:00
|
|
|
int requestor_start(const char *, int);
|
2003-11-29 00:53:32 +03:00
|
|
|
|
2002-08-01 12:47:03 +04:00
|
|
|
#if defined(__i386__) || defined(__m68k__) || defined(__alpha__) || defined(__powerpc__) || defined(__mips__) || defined(__arm__)
|
|
|
|
#define HAVE_LINUX_FCNTL_H
|
|
|
|
#endif
|
|
|
|
|
2002-06-17 20:29:07 +04:00
|
|
|
#endif /* _SYSTRACE_H_ */
|