diff -Nur --exclude='.*' sandbox-1.2.1.orig/libctest.c sandbox-1.2.1.sbnotify/libctest.c
--- sandbox-1.2.1.orig/libctest.c 2005-04-23 14:01:52.000000000 -0700
+++ sandbox-1.2.1.sbnotify/libctest.c 1969-12-31 16:00:00.000000000 -0800
@@ -1 +0,0 @@
-int main(void) { return 0; }
diff -Nur --exclude='.*' sandbox-1.2.1.orig/libsandbox.c sandbox-1.2.1.sbnotify/libsandbox.c
--- sandbox-1.2.1.orig/libsandbox.c 2005-04-23 13:44:15.000000000 -0700
+++ sandbox-1.2.1.sbnotify/libsandbox.c 2005-04-25 00:48:14.000000000 -0700
@@ -81,6 +81,7 @@
 //#include "localdecls.h"
 #include "sandbox.h"
+#include "sbnotify.h"
 /* Macros to check if a function should be executed */
 #define FUNCTION_SANDBOX_SAFE(func, path) \
@@ -158,6 +159,9 @@
 static char *filter_path(const char *, int follow_link);
 static int is_sandbox_on();
 static int is_sandbox_pid();
+static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result);
+static void sbnotify_log(const char * buffer);
+static int get_sbnotify_eventmask();
 /* Wrapped functions */
@@ -375,6 +379,8 @@
 result = true_chmod(path, mode);
 }
+ sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chmod", result);
+
 return result;
 }
@@ -391,6 +397,8 @@
 result = true_chown(path, owner, group);
 }
+ sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chown", result);
+
 return result;
 }
@@ -408,6 +416,8 @@
 result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
 }
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "create", result);
+
 return result;
 }
@@ -424,6 +434,11 @@
 result = true_fopen(pathname, mode);
 }
+ if(mode[0]=='w'||mode[0]=='a'||mode[1]=='+')
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result);
+ else
+ sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result);
+
 return result;
 }
@@ -440,6 +455,8 @@
 result = true_lchown(path, owner, group);
 }
+ sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "lchown", result);
+
 return result;
 }
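Review bot: The `sbnotify_event` call inserted between `true_chmod` and `return result;` can overwrite `errno` before the caller reads it, because the helper added later in this patch calls `getenv`, `sscanf`, `true_open`, `write` and `close`. The same applies to every wrapper hunk in this patch, most visibly the execve hunk, where the call directly follows `errno = old_errno;`. Saving the value on entry to `sbnotify_event` with `int saved_errno = errno;` and restoring it with `errno = saved_errno;` before each return fixes all call sites at once. The wrapper bodies start outside these hunks.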
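Review bot: The function label passed in this hunk is `"create"`, while the 64-bit twin later in the patch logs `"creat64"`. A log consumer that matches on function names would treat the two inconsistently, so I would write `sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat", result);`. The enclosing function starts outside the hunk, so the name creat is inferred from the `O_CREAT | O_WRONLY | O_TRUNC` call and the creat64 hunk.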
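Review bot: `(int)result` casts what is presumably the `FILE *` from `true_fopen` to int, so the `result<0` test in `sbnotify_event` treats a failed fopen (NULL, logged as 0) as success and can set `SBN_ERROR` on a successful one when the truncated pointer has its top bit set. Passing `result ? 0 : -1` keeps the error flag meaningful and keeps raw pointer values out of the log; the opendir and fopen64 hunks need the same change. The mode test also misses modes such as `"rb+"`, where the `+` is the third character, and reads `mode[1]` even when `mode` is an empty string; `strchr(mode, '+') != NULL` covers both cases.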
@@ -457,6 +474,9 @@
 result = true_link(oldpath, newpath);
 }
+ sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result );
+ sbnotify_event(SBN_MODIFY|SBN_LINK_TO|SBN_CREATE, new_canonic, "link", result );
+
 return result;
 }
@@ -483,6 +503,8 @@
 result = true_mkdir(pathname, mode);
 }
+ sbnotify_event(SBN_MODIFY|SBN_CREATE, canonic, "mkdir", result );
+
 return result;
 }
@@ -499,6 +521,8 @@
 result = true_opendir(name);
 }
+ sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result );
+
 return result;
 }
@@ -544,6 +568,11 @@
 result = true_open(pathname, flags, mode);
 }
+ if(flags & (O_WRONLY | O_RDWR))
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open", result );
+ else
+ sbnotify_event(SBN_ACCESS, canonic, "open", result );
+
 return result;
 }
@@ -561,6 +590,9 @@
 result = true_rename(oldpath, newpath);
 }
+ sbnotify_event(SBN_MODIFY|SBN_MOVE_FROM|SBN_DELETE, old_canonic, "rename", result );
+ sbnotify_event(SBN_MODIFY|SBN_MOVE_TO|SBN_CREATE, new_canonic, "rename", result );
+
 return result;
 }
@@ -577,6 +609,8 @@
 result = true_rmdir(pathname);
 }
+ sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "rmdir", result );
+
 return result;
 }
@@ -594,6 +628,9 @@
 result = true_symlink(oldpath, newpath);
 }
+ sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result );
+ sbnotify_event(SBN_MODIFY|SBN_SYMLINK_TO|SBN_CREATE, new_canonic, "symlink", result );
+
 return result;
 }
@@ -610,6 +647,8 @@
 result = true_truncate(path, length);
 }
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate", result );
+
 return result;
 }
@@ -624,6 +663,7 @@
 * a device node, bug #79836. */
 if (0 == strncmp(canonic, "/dev/", 5)) {
 errno = EACCES;
+ sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result );
 return result;
 }
@@ -633,6 +673,8 @@
 result = true_unlink(pathname);
 }
+ sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result );
+
 return result;
 }
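Review bot: The write test `flags & (O_WRONLY | O_RDWR)` in the open hunk ignores `O_CREAT` and `O_TRUNC`, so an open that creates or truncates a file without a write access mode is recorded as `SBN_ACCESS` only. A mask that selects on `SBN_MODIFY` or `SBN_WRITE` would not see those calls. I would widen the condition to `if(flags & (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC))`; the open64 hunk has the same test. The function body starts outside the hunk.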
@@ -652,6 +694,8 @@
 result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode);
 }
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat64", result);
+
 return result;
 }
@@ -668,6 +712,11 @@
 result = true_fopen64(pathname, mode);
 }
+ if(mode[0]=='w'||mode[0]=='a'||mode[1]=='+')
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen64", (int)result);
+ else
+ sbnotify_event(SBN_ACCESS, canonic, "fopen64", (int)result);
+
 return result;
 }
@@ -693,6 +742,11 @@
 result = true_open64(pathname, flags, mode);
 }
+ if(flags & (O_WRONLY | O_RDWR))
+ sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open64", result);
+ else
+ sbnotify_event(SBN_ACCESS, canonic, "open64", result);
+
 return result;
 }
@@ -709,6 +763,8 @@
 result = true_truncate64(path, length);
 }
+ sbnotify_event(SBN_MODIFY, canonic, "truncate64", result);
+
 return result;
 }
@@ -824,6 +880,8 @@
 errno = old_errno;
+ sbnotify_event(SBN_EXECUTE, filename, "execve", result );
+
 return result;
 }
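Review bot: The truncate64 hunk reports `SBN_MODIFY` alone, while the truncate hunk uses `SBN_MODIFY|SBN_WRITE`, so a mask that selects on `SBN_WRITE` sees truncate but not truncate64. I would make the call `sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate64", result);` so both variants are classified the same way.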
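Review bot: The execve event is emitted after the real call, and a successful `execve` does not return, so `SBN_EXECUTE` records would cover failed attempts only; this assumes the `true_execve` call sits above the hunk, outside the visible lines. If the aim is to record what the monitored process runs, the event has to be emitted before the real call, with the result column given a value that means "attempted". The call also logs the raw `filename` argument where the other wrappers log a canonical path, so relative names are ambiguous in the log.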
@@ -1496,6 +1554,46 @@
 }
 }
+static void
+sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result )
+{
+ event_flags = event_flags | SBN_ACCESS;
+ if (result<0) event_flags = event_flags | SBN_ERROR;
+ if (event_flags & get_sbnotify_eventmask())
+ {
+ char buffer[512];
+ sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result);
+ sbnotify_log((const char *)&buffer);
+ }
+}
+
+static void
+sbnotify_log(const char * buffer)
+{
+ char *log_path = getenv("SBNOTIFY_LOG");
+ if (log_path == NULL) return;
+ int log_file = true_open(log_path,
+ O_APPEND | O_WRONLY
+ | O_CREAT,
+ S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
+ if (log_file >= 0) {
+ write(log_file, buffer, strlen(buffer));
+ close(log_file);
+ }
+}
+
+static int
+get_sbnotify_eventmask()
+{
+ const char * env_var = getenv("SBNOTIFY_EVENTMASK");
+ if (NULL != env_var) {
+ int value;
+ if (1==sscanf( env_var, "%i", &value))
+ return value;
+ }
+ return 0;
+}
+
 #include "getcwd.c"
 #include "canonicalize.c"
 #include "sandbox_futils.c"
diff -Nur --exclude='.*' sandbox-1.2.1.orig/sbnotify.h sandbox-1.2.1.sbnotify/sbnotify.h
--- sandbox-1.2.1.orig/sbnotify.h 1969-12-31 16:00:00.000000000 -0800
+++ sandbox-1.2.1.sbnotify/sbnotify.h 2005-04-24 23:05:31.000000000 -0700
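Review bot: `sprintf` into `char buffer[512]` in `sbnotify_event` overflows the stack as soon as the path plus the other fields exceed 511 bytes, and the path is chosen by the process being monitored. Format with `snprintf` and handle truncation, as in the excerpt below, which keeps a shortened record instead of dropping it. The path is written raw into a tab- and newline-delimited record, so a file name containing those characters can split or forge log lines; consumers should not trust field boundaries until such bytes are escaped. `sbnotify_log` also ignores the result of `write`, and both `SBNOTIFY_LOG` and `SBNOTIFY_EVENTMASK` are read from the environment of the monitored process, which can change them, so the log is advisory rather than tamper-resistant.

```c
static void
sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result )
{
	/* … unchanged: SBN_ACCESS / SBN_ERROR flag setup … */
	if (event_flags & get_sbnotify_eventmask())
	{
		char buffer[512];
		int len = snprintf(buffer, sizeof(buffer), "%d\t%s\t%s\t%d\n",
				event_flags, canonical, func_name, result);
		if (len < 0)
			return;
		/* snprintf has already NUL-terminated; on truncation end the
		 * shortened record with a newline so the log stays line-oriented. */
		if ((size_t)len >= sizeof(buffer))
			buffer[sizeof(buffer) - 2] = '\n';
		sbnotify_log(buffer);
	}
}
```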
@@ -0,0 +1,28 @@
+/*
+ * Sandbox file event notification. Inspired by Inotify.
+ *
+ * Copyright (C) 2005 Zachary Medico
+ */
+
+#ifndef __SBNOTIFY_H__
+#define __SBNOTIFY_H__
+
+#include
+
+/* An attempt to categorize filesystem calls */
+#define SBN_ACCESS 0x00000001 /* File access */
+#define SBN_MODIFY 0x00000002 /* File modify (possibly create)*/
+#define SBN_ATTRIB 0x00000004 /* File change attributes */
+#define SBN_CREATE 0x00000008 /* File create. move, link, or symlink */
+#define SBN_DELETE 0x00000010 /* File delete or move */
+#define SBN_WRITE 0x00000020 /* File open write */
+#define SBN_EXECUTE 0x00000040 /* File execute */
+#define SBN_MOVE_FROM 0x00000080 /* File move from X */
+#define SBN_MOVE_TO 0x00000100 /* File move to Y */
+#define SBN_LINK_FROM 0x00000200 /* Link create from X */
+#define SBN_LINK_TO 0x00000400 /* Link create to Y */
+#define SBN_SYMLINK_FROM 0x00000800 /* Symlink create from X */
+#define SBN_SYMLINK_TO 0x00001000 /* Symlink create to Y */
+#define SBN_ERROR 0x00002000 /* Return value is negative */
+
+#endif
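Review bot: The comment on `SBN_ACCESS` says "File access", but `sbnotify_event` in libsandbox.c ORs `SBN_ACCESS` into every event, so a mask with bit 0 set selects all calls rather than read-style access. I would document that next to the define, for example `/* Set on every event; a mask with this bit logs all calls */`, or stop forcing the bit in `sbnotify_event`. The guard name `__SBNOTIFY_H__` contains a double underscore, which C reserves for the implementation; `SBNOTIFY_H` avoids that. The `#include` line has lost its header name on this page, so it cannot be reviewed here.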