Add a new keyword, ``topdir'', that grants access only if the file is
in a hierarchy below the specified path.
This commit is contained in:
parent
dc0cbc5f93
commit
3752840791
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: filter.c,v 1.30 2005/08/10 21:53:01 elad Exp $ */
|
/* $NetBSD: filter.c,v 1.31 2005/08/24 19:09:03 elad Exp $ */
|
||||||
/* $OpenBSD: filter.c,v 1.16 2002/08/08 21:18:20 provos Exp $ */
|
/* $OpenBSD: filter.c,v 1.16 2002/08/08 21:18:20 provos Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
@ -30,7 +30,7 @@
|
|||||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
*/
|
*/
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: filter.c,v 1.30 2005/08/10 21:53:01 elad Exp $");
|
__RCSID("$NetBSD: filter.c,v 1.31 2005/08/24 19:09:03 elad Exp $");
|
||||||
|
|
||||||
#include <sys/param.h>
|
#include <sys/param.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -864,3 +864,35 @@ filter_true(struct intercept_translate *tl, struct logic *logic)
|
|||||||
{
|
{
|
||||||
return (1);
|
return (1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
filter_topdir(struct intercept_translate *tl, struct logic *logic)
|
||||||
|
{
|
||||||
|
const char *line;
|
||||||
|
size_t len, baselen;
|
||||||
|
|
||||||
|
if ((line = intercept_translate_print(tl)) == NULL)
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
len = strlen(line);
|
||||||
|
baselen = strlen(logic->filterdata);
|
||||||
|
|
||||||
|
/* remove trailing slash */
|
||||||
|
if (baselen && ((char *)logic->filterdata)[baselen - 1] == '/')
|
||||||
|
baselen--;
|
||||||
|
|
||||||
|
if (baselen <= 1)
|
||||||
|
return (1);
|
||||||
|
|
||||||
|
if (len < baselen)
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
if (line[baselen] != '/')
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
if (strncmp(logic->filterdata, line, baselen))
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
return (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
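Review bot: The `if (baselen <= 1) return (1);` early exit in filter_topdir makes any one-character filter value match every path, so a rule like `topdir a` (or a value that collapses to one character once the trailing slash is dropped) behaves like `topdir /` and permits everything instead of acting as a prefix; only the empty and root cases need to short-circuit, i.e. `if (baselen == 0) return (1);`, and a single-character prefix then goes through the normal `line[baselen] == '/'` and strncmp checks. The prefix test is a plain byte comparison against the translated argument, so it is only as strong as the canonicalisation performed by intercept_translate_print(); if that output can still carry `..` or symlink components, a path outside the hierarchy would be accepted, which is worth confirming against the translator or recording in a comment above the check. As a readability point, the `(char *)logic->filterdata` cast and the repeated strlen/strncmp on the same field would read more clearly through one `const char *base = logic->filterdata;` local.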
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: filter.h,v 1.3 2002/11/02 20:04:20 provos Exp $ */
|
/* $NetBSD: filter.h,v 1.4 2005/08/24 19:09:03 elad Exp $ */
|
||||||
/* $OpenBSD: filter.h,v 1.1 2002/07/19 14:38:57 itojun Exp $ */
|
/* $OpenBSD: filter.h,v 1.1 2002/07/19 14:38:57 itojun Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -39,3 +39,4 @@ int filter_negsubstrmatch(struct intercept_translate *, struct logic *);
|
|||||||
int filter_inpath(struct intercept_translate *, struct logic *);
|
int filter_inpath(struct intercept_translate *, struct logic *);
|
||||||
int filter_regex(struct intercept_translate *, struct logic *);
|
int filter_regex(struct intercept_translate *, struct logic *);
|
||||||
int filter_true(struct intercept_translate *, struct logic *);
|
int filter_true(struct intercept_translate *, struct logic *);
|
||||||
|
int filter_topdir(struct intercept_translate *, struct logic *);
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: lex.l,v 1.12 2003/11/18 05:28:05 provos Exp $ */
|
/* $NetBSD: lex.l,v 1.13 2005/08/24 19:09:03 elad Exp $ */
|
||||||
/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -34,7 +34,7 @@
|
|||||||
|
|
||||||
%{
|
%{
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: lex.l,v 1.12 2003/11/18 05:28:05 provos Exp $");
|
__RCSID("$NetBSD: lex.l,v 1.13 2005/08/24 19:09:03 elad Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/tree.h>
|
#include <sys/tree.h>
|
||||||
@ -93,6 +93,7 @@ neq { return NEQ; }
|
|||||||
sub { return SUB; }
|
sub { return SUB; }
|
||||||
nsub { return NSUB; }
|
nsub { return NSUB; }
|
||||||
inpath { return INPATH; }
|
inpath { return INPATH; }
|
||||||
|
topdir { return TOPDIR; }
|
||||||
re { return RE; }
|
re { return RE; }
|
||||||
log { return LOG; }
|
log { return LOG; }
|
||||||
true { return TRUE; }
|
true { return TRUE; }
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $NetBSD: parse.y,v 1.9 2003/05/20 22:45:13 provos Exp $ */
|
/* $NetBSD: parse.y,v 1.10 2005/08/24 19:09:03 elad Exp $ */
|
||||||
/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -32,7 +32,7 @@
|
|||||||
*/
|
*/
|
||||||
%{
|
%{
|
||||||
#include <sys/cdefs.h>
|
#include <sys/cdefs.h>
|
||||||
__RCSID("$NetBSD: parse.y,v 1.9 2003/05/20 22:45:13 provos Exp $");
|
__RCSID("$NetBSD: parse.y,v 1.10 2005/08/24 19:09:03 elad Exp $");
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
@ -72,7 +72,7 @@ extern int iamroot;
|
|||||||
|
|
||||||
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY ASK
|
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY ASK
|
||||||
%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
|
%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
|
||||||
%token COLON RE LESSER GREATER
|
%token COLON RE LESSER GREATER TOPDIR
|
||||||
%token <string> STRING
|
%token <string> STRING
|
||||||
%token <string> CMDSTRING
|
%token <string> CMDSTRING
|
||||||
%token <number> NUMBER
|
%token <number> NUMBER
|
||||||
@ -393,6 +393,16 @@ symbol : STRING typeoff MATCH CMDSTRING
|
|||||||
|
|
||||||
node->filter_match = filter_inpath;
|
node->filter_match = filter_inpath;
|
||||||
$$ = node;
|
$$ = node;
|
||||||
|
}
|
||||||
|
| STRING typeoff TOPDIR CMDSTRING
|
||||||
|
{
|
||||||
|
struct logic *node;
|
||||||
|
|
||||||
|
if ((node = parse_newsymbol($1, $2, $4)) == NULL)
|
||||||
|
break;
|
||||||
|
|
||||||
|
node->filter_match = filter_topdir;
|
||||||
|
$$ = node;
|
||||||
}
|
}
|
||||||
| STRING typeoff RE CMDSTRING
|
| STRING typeoff RE CMDSTRING
|
||||||
{
|
{
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
.\" $NetBSD: systrace.1,v 1.31 2005/07/04 16:32:30 elad Exp $
|
.\" $NetBSD: systrace.1,v 1.32 2005/08/24 19:09:03 elad Exp $
|
||||||
.\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $
|
.\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||||
@ -146,6 +146,7 @@ symbol = string typeoff "match" cmdstring |
|
|||||||
string typeoff "eq" cmdstring | string typeoff "neq" cmdstring |
|
string typeoff "eq" cmdstring | string typeoff "neq" cmdstring |
|
||||||
string typeoff "sub" cmdstring | string typeoff "nsub" cmdstring |
|
string typeoff "sub" cmdstring | string typeoff "nsub" cmdstring |
|
||||||
string typeoff "inpath" cmdstring | string typeoff "re" cmdstring |
|
string typeoff "inpath" cmdstring | string typeoff "re" cmdstring |
|
||||||
|
string typeoff "topdir" cmdstring
|
||||||
"true"
|
"true"
|
||||||
typeoff = /* empty */ | "[" number "]"
|
typeoff = /* empty */ | "[" number "]"
|
||||||
action = "permit" | "deny" | "ask"
|
action = "permit" | "deny" | "ask"
|
||||||
@ -224,6 +225,10 @@ must be an absolute pathname, possibly with one trailing slash.
|
|||||||
.It re
|
.It re
|
||||||
Evaluates to true if the system call arguments matches
|
Evaluates to true if the system call arguments matches
|
||||||
the specified regular expression.
|
the specified regular expression.
|
||||||
|
.It topdir
|
||||||
|
Evaluates to true if the system call argument is in a directory
|
||||||
|
hierarchy under
|
||||||
|
.Va cmdstring .
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
By appending the
|
By appending the
|
||||||
|