new "ask" action. creates a new rule that prompts the user for an
action but allows only a yes or no answer. inspired by talking with dugsong@monkey
This commit is contained in:
parent
5173f83708
commit
a2468a8d04
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: filter.c,v 1.16 2003/03/25 22:48:43 provos Exp $ */
|
||||
/* $NetBSD: filter.c,v 1.17 2003/03/25 23:17:29 provos Exp $ */
|
||||
/* $OpenBSD: filter.c,v 1.16 2002/08/08 21:18:20 provos Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -30,7 +30,7 @@
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: filter.c,v 1.16 2003/03/25 22:48:43 provos Exp $");
|
||||
__RCSID("$NetBSD: filter.c,v 1.17 2003/03/25 23:17:29 provos Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
@ -481,10 +481,9 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
|
||||
struct filter *filter;
|
||||
struct policy *policy;
|
||||
short action;
|
||||
int first = 1, isalias;
|
||||
int first = 1, isalias, isprompt = 0;
|
||||
|
||||
*pfuture = ICPOLICY_ASK;
|
||||
icpid->uflags = 0;
|
||||
|
||||
isalias = systrace_find_reverse(emulation, name) != NULL;
|
||||
|
||||
@ -532,6 +531,11 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
|
||||
}
|
||||
|
||||
while (1) {
|
||||
/* Special policy active that allows only yes or no */
|
||||
if (icpid->uflags & PROCESS_PROMPT) {
|
||||
fprintf(stderr, "isprompt\n");
|
||||
isprompt = 1;
|
||||
}
|
||||
filter = NULL;
|
||||
|
||||
if (!allow) {
|
||||
@ -596,6 +600,9 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
|
||||
}
|
||||
|
||||
if (filter_parse_simple(line, &action, pfuture) != -1) {
|
||||
/* Yes or no, no in-kernel policy allowed */
|
||||
if (isprompt)
|
||||
*pfuture = ICPOLICY_ASK;
|
||||
if (*pfuture == ICPOLICY_ASK)
|
||||
goto out;
|
||||
/* We have a policy decision */
|
||||
@ -609,6 +616,12 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
|
||||
snprintf(line, sizeof(line), "true then %s", compose);
|
||||
}
|
||||
|
||||
if (isprompt) {
|
||||
printf("Answer only \"permit\" or \"deny\". "
|
||||
"This is a prompt.\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
if (fls == NULL) {
|
||||
printf("Syntax error.\n");
|
||||
continue;
|
||||
@ -619,6 +632,14 @@ filter_ask(int fd, struct intercept_tlq *tls, struct filterq *fls,
|
||||
|
||||
TAILQ_INSERT_TAIL(fls, filter, next);
|
||||
action = filter_evaluate(tls, fls, icpid);
|
||||
|
||||
/* If we get a prompt flag here, we ask again */
|
||||
if (icpid->uflags & PROCESS_PROMPT) {
|
||||
filter_policyrecord(policy, filter, emulation, name, line);
|
||||
printf("Answer only \"permit\" or \"deny\". "
|
||||
"This is a prompt.\n");
|
||||
continue;
|
||||
}
|
||||
if (action == ICPOLICY_ASK) {
|
||||
TAILQ_REMOVE(fls, filter, next);
|
||||
printf("Filter unmatched. Freeing it\n");
|
||||
|
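Review bot: The `fprintf(stderr, "isprompt\n");` inside the PROCESS_PROMPT check at the top of the `while (1)` loop looks like a debugging leftover; it fires on every iteration while in prompt mode and interleaves with the interactive prompt on stdout, so the check should reduce to `if (icpid->uflags & PROCESS_PROMPT) isprompt = 1;`. Note also that `icpid->uflags = 0;` is visible in the first hunk at the start of filter_ask, so the first loop iteration can only observe PROCESS_PROMPT if something between that clear and the loop sets it again — that code is outside the hunks and worth confirming. In the last hunk the PROCESS_PROMPT check has to stay ahead of `if (action == ICPOLICY_ASK)`, because an ask rule presumably evaluates to ICPOLICY_ASK (parse.y assigns that as the action) while the same value means "no filter matched" here; a comment such as `/* A matching "ask" rule also evaluates to ICPOLICY_ASK; PROCESS_PROMPT is what distinguishes it from an unmatched filter */` would make that ordering explicit. filter_ask starts and ends outside the hunks.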
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: lex.l,v 1.7 2002/11/02 20:04:20 provos Exp $ */
|
||||
/* $NetBSD: lex.l,v 1.8 2003/03/25 23:17:30 provos Exp $ */
|
||||
/* $OpenBSD: lex.l,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
||||
|
||||
/*
|
||||
@ -34,7 +34,7 @@
|
||||
|
||||
%{
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: lex.l,v 1.7 2002/11/02 20:04:20 provos Exp $");
|
||||
__RCSID("$NetBSD: lex.l,v 1.8 2003/03/25 23:17:30 provos Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/tree.h>
|
||||
@ -77,6 +77,7 @@ int myoff;
|
||||
%}
|
||||
|
||||
%%
|
||||
ask { return ASK; }
|
||||
deny { return DENY; }
|
||||
permit { return PERMIT; }
|
||||
and { return AND; }
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: parse.y,v 1.7 2002/11/23 17:42:45 provos Exp $ */
|
||||
/* $NetBSD: parse.y,v 1.8 2003/03/25 23:17:30 provos Exp $ */
|
||||
/* $OpenBSD: parse.y,v 1.9 2002/08/04 04:15:50 provos Exp $ */
|
||||
|
||||
/*
|
||||
@ -32,7 +32,7 @@
|
||||
*/
|
||||
%{
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: parse.y,v 1.7 2002/11/23 17:42:45 provos Exp $");
|
||||
__RCSID("$NetBSD: parse.y,v 1.8 2003/03/25 23:17:30 provos Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -70,7 +70,7 @@ extern int iamroot;
|
||||
|
||||
%}
|
||||
|
||||
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY
|
||||
%token AND OR NOT LBRACE RBRACE LSQBRACE RSQBRACE THEN MATCH PERMIT DENY ASK
|
||||
%token EQ NEQ TRUE SUB NSUB INPATH LOG COMMA IF USER GROUP EQUAL NEQUAL AS
|
||||
%token COLON RE
|
||||
%token <string> STRING
|
||||
@ -125,6 +125,10 @@ fullexpression : expression THEN action errorcode logcode elevate predicate
|
||||
if ($5)
|
||||
flags |= SYSCALL_LOG;
|
||||
|
||||
/* Special policy that allows only yes or no */
|
||||
if ($3 == ICPOLICY_ASK)
|
||||
flags |= PROCESS_PROMPT;
|
||||
|
||||
if ($4 != NULL)
|
||||
free($4);
|
||||
|
||||
@ -416,6 +420,10 @@ typeoff : /* empty */
|
||||
action : PERMIT
|
||||
{
|
||||
$$ = ICPOLICY_PERMIT;
|
||||
}
|
||||
| ASK
|
||||
{
|
||||
$$ = ICPOLICY_ASK;
|
||||
}
|
||||
| DENY
|
||||
{
|
||||
|
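Review bot: `flags |= PROCESS_PROMPT` is derived from `$3 == ICPOLICY_ASK`, and `$$ = ICPOLICY_ASK` is presumably also what becomes the filter's action, which filter.c treats as the "no filter matched" value; the flag is therefore the only thing telling a matching ask rule apart from an unmatched one, and that deserves a comment at the assignment, e.g. `/* ask rules evaluate to ICPOLICY_ASK like an unmatched filter; PROCESS_PROMPT marks them as a real match */`. The grammar still accepts the errorcode and elevate clauses after `ask` (`fullexpression : expression THEN action errorcode logcode elevate predicate`); whether those are meaningful for a prompt-only rule or should be rejected is not checked in this hunk. Where `flags` is stored into the filter is outside the hunk, so the first point is inferred from the filter.c hunks in this commit.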
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: systrace.1,v 1.20 2003/03/25 23:00:05 provos Exp $
|
||||
.\" $NetBSD: systrace.1,v 1.21 2003/03/25 23:17:30 provos Exp $
|
||||
.\" $OpenBSD: systrace.1,v 1.27 2002/08/05 23:27:53 provos Exp $
|
||||
.\"
|
||||
.\" Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -140,7 +140,7 @@ symbol = string typeoff "match" cmdstring |
|
||||
string typeoff "inpath" cmdstring | string typeoff "re" cmdstring |
|
||||
"true"
|
||||
typeoff = /* empty */ | "[" number "]"
|
||||
action = "permit" | "deny"
|
||||
action = "permit" | "deny" | "ask"
|
||||
errorcode = /* empty */ | "[" string "]"
|
||||
logcode = /* empty */ | "log"
|
||||
.Ed
|
||||
@ -184,6 +184,11 @@ the
|
||||
.Va execve
|
||||
system call.
|
||||
.Pp
|
||||
The
|
||||
.Va ask
|
||||
action specifies that the user should be prompted for a decision
|
||||
every time that the rule matches.
|
||||
.Pp
|
||||
The filter operations have the following meaning:
|
||||
.Bl -hang -width Dinpath -offset AAA
|
||||
.It match
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: systrace.c,v 1.16 2003/03/25 23:04:48 provos Exp $ */
|
||||
/* $NetBSD: systrace.c,v 1.17 2003/03/25 23:17:30 provos Exp $ */
|
||||
/* $OpenBSD: systrace.c,v 1.32 2002/08/05 23:27:53 provos Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -299,7 +299,7 @@ gen_cb(int fd, pid_t pid, int policynr, const char *name, int code,
|
||||
goto out;
|
||||
}
|
||||
|
||||
action = filter_ask(fd, NULL, NULL, policynr, emulation, name,
|
||||
action = filter_ask(fd, NULL, pflq, policynr, emulation, name,
|
||||
output, &future, ipid);
|
||||
if (future != ICPOLICY_ASK)
|
||||
systrace_modifypolicy(fd, policynr, name, future);
|
||||
|
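Review bot: Passing `pflq` instead of `NULL` as the filter queue changes what filter_ask does with a rule typed at the prompt: per the filter.c hunks, with a non-NULL queue the rule is `TAILQ_INSERT_TAIL`ed and recorded through filter_policyrecord instead of being rejected with "Syntax error", so this is a policy-persistence change rather than plumbing for the ask action alone and merits a comment at the call site. The second argument is still `NULL`, so `filter_evaluate(tls, fls, icpid)` on the newly inserted filter now runs with a NULL tls from this caller; confirm it tolerates that, since with fls NULL that path was previously skipped by the `if (fls == NULL)` check. `pflq` is declared outside the hunk and gen_cb starts and ends outside it.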
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: systrace.h,v 1.11 2002/11/02 20:04:20 provos Exp $ */
|
||||
/* $NetBSD: systrace.h,v 1.12 2003/03/25 23:17:30 provos Exp $ */
|
||||
/* $OpenBSD: systrace.h,v 1.14 2002/08/05 23:27:53 provos Exp $ */
|
||||
/*
|
||||
* Copyright 2002 Niels Provos <provos@citi.umich.edu>
|
||||
@ -127,6 +127,7 @@ TAILQ_HEAD(tmplqueue, template);
|
||||
#define PROCESS_INHERIT_POLICY 0x01 /* Process inherits policy */
|
||||
#define PROCESS_DETACH 0x02 /* Process gets detached */
|
||||
#define SYSCALL_LOG 0x04 /* Log this system call */
|
||||
#define PROCESS_PROMPT 0x08 /* Prompt but nothing else */
|
||||
|
||||
void systrace_parameters(void);
|
||||
int systrace_initpolicy(char *, char *);
|
||||
|
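Review bot: The comment on `PROCESS_PROMPT` (`/* Prompt but nothing else */`) does not say what the flag constrains; given how filter.c uses it in this commit (answers limited to permit/deny, `*pfuture` forced to ICPOLICY_ASK so no kernel policy is installed), something like `/* "ask" rule matched: prompt, accept only permit/deny, never cache a kernel policy */` would be more useful. The bit also shares its space with PROCESS_INHERIT_POLICY, PROCESS_DETACH and SYSCALL_LOG, and the hunks show it both set on rule flags in parse.y and read from `icpid->uflags` in filter.c, so the comment should state that it travels from the matched rule to the process flags.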