Add a new keyword, ``topdir'', that grants access only if the file is

in a hierarchy below the specified path.
This commit is contained in:
elad 2005-08-24 19:09:03 +00:00
parent dc0cbc5f93
commit 3752840791
5 changed files with 58 additions and 9 deletions

View File

@ -1,4 +1,4 @@
/* $NetBSD: filter.c,v 1.30 2005/08/10 21:53:01 elad Exp $ */
/* $NetBSD: filter.c,v 1.31 2005/08/24 19:09:03 elad Exp $ */
/* $OpenBSD: filter.c,v 1.16 2002/08/08 21:18:20 provos Exp $ */
/*
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -30,7 +30,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: filter.c,v 1.30 2005/08/10 21:53:01 elad Exp $");
__RCSID("$NetBSD: filter.c,v 1.31 2005/08/24 19:09:03 elad Exp $");
#include <sys/param.h>
#include <sys/types.h>
@ -864,3 +864,35 @@ filter_true(struct intercept_translate *tl, struct logic *logic)
{
return (1);
}
int
filter_topdir(struct intercept_translate *tl, struct logic *logic)
{
const char *line;
size_t len, baselen;
if ((line = intercept_translate_print(tl)) == NULL)
return (0);
len = strlen(line);
baselen = strlen(logic->filterdata);
/* remove trailing slash */
if (baselen && ((char *)logic->filterdata)[baselen - 1] == '/')
baselen--;
if (baselen <= 1)
return (1);
if (len < baselen)
return (0);
if (line[baselen] != '/')
return (0);
if (strncmp(logic->filterdata, line, baselen))
return (0);
return (1);
}

View File

@ -1,4 +1,4 @@
/* $NetBSD: filter.h,v 1.3 2002/11/02 20:04:20 provos Exp $ */
/* $NetBSD: filter.h,v 1.4 2005/08/24 19:09:03 elad Exp $ */
/* $OpenBSD: filter.h,v 1.1 2002/07/19 14:38:57 itojun Exp $ */
/*
@ -39,3 +39,4 @@ int filter_negsubstrmatch(struct intercept_translate *, struct logic *);
int filter_inpath(struct intercept_translate *, struct logic *);
int filter_regex(struct intercept_translate *, struct logic *);
int filter_true(struct intercept_translate *, struct logic *);
int filter_topdir(struct intercept_translate *, struct logic *);

View File

@ -1,4 +1,4 @@
/* $NetBSD: lex.l,v 1.12 2003/11/18 05:28:05 provos Exp $ */
/* $NetBSD: lex.l,v 1.13 2005/08/24 19:09:03 elad Exp $ */
/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
/*
@ -34,7 +34,7 @@
%{
#include <sys/cdefs.h>
__RCSID("$NetBSD: lex.l,v 1.12 2003/11/18 05:28:05 provos Exp $");
__RCSID("$NetBSD: lex.l,v 1.13 2005/08/24 19:09:03 elad Exp $");
#include <sys/types.h>
#include <sys/tree.h>
@ -93,6 +93,7 @@ neq { return NEQ; }
sub { return SUB; }
nsub { return NSUB; }
inpath { return INPATH; }
topdir { return TOPDIR; }
re { return RE; }
log { return LOG; }
true { return TRUE; }

View File

@ -1,4 +1,4 @@
/* $NetBSD: parse.y,v 1.9 2003/05/20 22:45:13 provos Exp $ */
/* $NetBSD: parse.y,v 1.10 2005/08/24 19:09:03 elad Exp $ */
/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
/*
@ -32,7 +32,7 @@
*/
%{
#include <sys/cdefs.h>
__RCSID("$NetBSD: parse.y,v 1.9 2003/05/20 22:45:13 provos Exp $");
__RCSID("$NetBSD: parse.y,v 1.10 2005/08/24 19:09:03 elad Exp $");
#include <sys/types.h>
@ -72,7 +72,7 @@ extern int iamroot;
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY ASK
%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
%token COLON RE LESSER GREATER
%token COLON RE LESSER GREATER TOPDIR
%token <string> STRING
%token <string> CMDSTRING
%token <number> NUMBER
@ -393,6 +393,16 @@ symbol : STRING typeoff MATCH CMDSTRING
node->filter_match = filter_inpath;
$$ = node;
}
| STRING typeoff TOPDIR CMDSTRING
{
struct logic *node;
if ((node = parse_newsymbol($1, $2, $4)) == NULL)
break;
node->filter_match = filter_topdir;
$$ = node;
}
| STRING typeoff RE CMDSTRING
{

View File

@ -1,4 +1,4 @@
.\" $NetBSD: systrace.1,v 1.31 2005/07/04 16:32:30 elad Exp $
.\" $NetBSD: systrace.1,v 1.32 2005/08/24 19:09:03 elad Exp $
.\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $
.\"
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -146,6 +146,7 @@ symbol = string typeoff "match" cmdstring |
string typeoff "eq" cmdstring | string typeoff "neq" cmdstring |
string typeoff "sub" cmdstring | string typeoff "nsub" cmdstring |
string typeoff "inpath" cmdstring | string typeoff "re" cmdstring |
string typeoff "topdir" cmdstring
"true"
typeoff = /* empty */ | "[" number "]"
action = "permit" | "deny" | "ask"
@ -224,6 +225,10 @@ must be an absolute pathname, possibly with one trailing slash.
.It re
Evaluates to true if the system call arguments matches
the specified regular expression.
.It topdir
Evaluates to true if the system call argument is in a directory
hierarchy under
.Va cmdstring .
.El
.Pp
By appending the