Commit Graph

20 Commits

Author SHA1 Message Date
provos 3afd9aba5f the special filename "" does not receive translation and is going to fail.
previously, systrace would normalize it to $CWD/.; found by Nikolay Sturm
from OpenBSD.
2004-01-24 03:44:46 +00:00
cb 5f734a1850 fix a race condition between path resolution in userland
and the subsequent namei(): inform the kernel portion of
valid filenames and then disallow symlink lookups for
those filenames by means of a hook in namei().
with suggestions from provos@

also, add (currently unused) seqnr field to struct
systrace_replace, from provos@
2003-08-25 09:12:42 +00:00
provos ab6fc8a1fd fixed contrived race condition during attachment; from marius@monkey.org 2003-08-02 14:45:08 +00:00
provos 037feaaf20 avoid warning due to name collision. 2003-08-02 14:34:35 +00:00
provos 08ab84f25d introduce normalize filename function. 2003-08-02 14:29:33 +00:00
provos 43914d5f2f change CWD handling. CWD is fixed to the CWD of the systrace process. 2003-08-02 14:24:30 +00:00
provos 2268d69749 support for a new kernel message that informs userland that an in-kernel
policy has been freed.  this allows us to enforce the kernel policy size
limit for users while users are still able to execute an arbitary number
of applications;  the protocol change is backwards compatible.
2003-06-03 04:33:44 +00:00
provos 2b37f26aed mkdir requires unlinkname as a translator; unlinkname does not return
<non-existent filename> errors any longer.
2003-03-25 22:58:24 +00:00
provos da50ee4397 prevent attempt to use in-kernel fastpath for aliased system calls. 2002-11-25 06:25:09 +00:00
provos c27faa29c9 performance improvement by omitting a redundant getcwd. 2002-11-02 19:57:02 +00:00
provos 5f7d4eab6c fix bug in determining execve name 2002-10-30 17:39:34 +00:00
provos 04a469212b cleanup 2002-10-17 04:45:04 +00:00
provos 61e8c76047 support for privilege elevation.
with privilege elevation no suid or sgid binaries are necessary any
longer.  Applications can be executed completely unprivileged. Systrace
raises the privileges for a single system call depending on the
configured policy.

Idea from discussions with Perry Metzger, Dug Song and Marcus Watts.
Approved by christos and thorpej.
2002-10-11 21:54:55 +00:00
provos 89afc325c0 predicates are part of the grammar now; in non-root case, predicates are
evaluated only once; in root case, predicates and variable expansion are
dynamic.
2002-10-08 14:49:23 +00:00
itojun 0b2d2fe3d7 daemon should not change the directory. from provos 2002-09-17 04:54:36 +00:00
itojun b6aefbe19f sync with latest systrace in openbsd tree. improved systrace with chroot. 2002-08-28 03:52:44 +00:00
itojun 4f0c9c76b6 sync up with latest openbsd systrace.
- avoid race conditions by having seqno in ioctl
- better uid/gid tracking
- "replace" policy to replace args
- less diffs, as many of local changes were fed back to openbsd already

due to the 1st item, it was impossible for us to provide backward-compatibility
(new kernel + old bin/systrace won't work).  upgrade both.
2002-07-30 16:29:28 +00:00
atatat 11bb544ec0 Mostly just a rewrite of intercept_run() so the arrangement of "child"
process and "parent" process is more conducive to policy generation.
Previously, tracing of a given program worked something like this:

	fork()
	if (child)
		execprogram()
	else
		dotracing()

That means that if you "systrace -a named", named would fork and
background itself, but you would never get your prompt back because
systrace didn't exit.  Now it works like this:

	fork()
	if (interactive)
		if (child)
			execprogram()
		else
			dotracing()
	else
		if (parent)
			execprogram()
		else
			fork()
			if (parent)
				exit(0)
			setsid()
			dotracing()

This makes it *much* easier to do automated policy generation for
tasks run from rc.d.  Or, for that matter, makes it much easier to use
systrace with tasks run from rc.d.
2002-07-03 22:54:38 +00:00
thorpej 873bb550a0 Some const poisoning. 2002-06-18 02:49:08 +00:00
christos 5039a9e5ee Add userland portion of systrace. 2002-06-17 16:29:07 +00:00