Lines 81-86
Link Here
|
81 |
|
81 |
|
82 |
//#include "localdecls.h" |
82 |
//#include "localdecls.h" |
83 |
#include "sandbox.h" |
83 |
#include "sandbox.h" |
|
|
84 |
#include "sbnotify.h" |
84 |
|
85 |
|
85 |
/* Macros to check if a function should be executed */ |
86 |
/* Macros to check if a function should be executed */ |
86 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
87 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
Lines 158-163
Link Here
|
158 |
static char *filter_path(const char *, int follow_link); |
159 |
static char *filter_path(const char *, int follow_link); |
159 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_pid(); |
161 |
static int is_sandbox_pid(); |
|
|
162 |
static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result); |
163 |
static void sbnotify_log(const char * buffer); |
164 |
static int get_sbnotify_eventmask(); |
161 |
|
165 |
|
162 |
/* Wrapped functions */ |
166 |
/* Wrapped functions */ |
163 |
|
167 |
|
Lines 375-380
Link Here
|
375 |
result = true_chmod(path, mode); |
379 |
result = true_chmod(path, mode); |
376 |
} |
380 |
} |
377 |
|
381 |
|
|
|
382 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chmod", result); |
383 |
|
378 |
return result; |
384 |
return result; |
379 |
} |
385 |
} |
380 |
|
386 |
|
Lines 391-396
Link Here
|
391 |
result = true_chown(path, owner, group); |
397 |
result = true_chown(path, owner, group); |
392 |
} |
398 |
} |
393 |
|
399 |
|
|
|
400 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chown", result); |
401 |
|
394 |
return result; |
402 |
return result; |
395 |
} |
403 |
} |
396 |
|
404 |
|
Lines 408-413
Link Here
|
408 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
416 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
409 |
} |
417 |
} |
410 |
|
418 |
|
|
|
419 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "create", result); |
420 |
|
411 |
return result; |
421 |
return result; |
412 |
} |
422 |
} |
413 |
|
423 |
|
Lines 424-429
Link Here
|
424 |
result = true_fopen(pathname, mode); |
434 |
result = true_fopen(pathname, mode); |
425 |
} |
435 |
} |
426 |
|
436 |
|
|
|
437 |
if(mode[0]=='w'||mode[0]=='a'||mode[1]=='+') |
438 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); |
439 |
else |
440 |
sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); |
441 |
|
427 |
return result; |
442 |
return result; |
428 |
} |
443 |
} |
429 |
|
444 |
|
Lines 440-445
Link Here
|
440 |
result = true_lchown(path, owner, group); |
455 |
result = true_lchown(path, owner, group); |
441 |
} |
456 |
} |
442 |
|
457 |
|
|
|
458 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "lchown", result); |
459 |
|
443 |
return result; |
460 |
return result; |
444 |
} |
461 |
} |
445 |
|
462 |
|
Lines 457-462
Link Here
|
457 |
result = true_link(oldpath, newpath); |
474 |
result = true_link(oldpath, newpath); |
458 |
} |
475 |
} |
459 |
|
476 |
|
|
|
477 |
sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result ); |
478 |
sbnotify_event(SBN_MODIFY|SBN_LINK_TO|SBN_CREATE, new_canonic, "link", result ); |
479 |
|
460 |
return result; |
480 |
return result; |
461 |
} |
481 |
} |
462 |
|
482 |
|
Lines 483-488
Link Here
|
483 |
result = true_mkdir(pathname, mode); |
503 |
result = true_mkdir(pathname, mode); |
484 |
} |
504 |
} |
485 |
|
505 |
|
|
|
506 |
sbnotify_event(SBN_MODIFY|SBN_CREATE, canonic, "mkdir", result ); |
507 |
|
486 |
return result; |
508 |
return result; |
487 |
} |
509 |
} |
488 |
|
510 |
|
Lines 499-504
Link Here
|
499 |
result = true_opendir(name); |
521 |
result = true_opendir(name); |
500 |
} |
522 |
} |
501 |
|
523 |
|
|
|
524 |
sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result ); |
525 |
|
502 |
return result; |
526 |
return result; |
503 |
} |
527 |
} |
504 |
|
528 |
|
Lines 544-549
Link Here
|
544 |
result = true_open(pathname, flags, mode); |
568 |
result = true_open(pathname, flags, mode); |
545 |
} |
569 |
} |
546 |
|
570 |
|
|
|
571 |
if(flags & (O_WRONLY | O_RDWR)) |
572 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open", result ); |
573 |
else |
574 |
sbnotify_event(SBN_ACCESS, canonic, "open", result ); |
575 |
|
547 |
return result; |
576 |
return result; |
548 |
} |
577 |
} |
549 |
|
578 |
|
Lines 561-566
Link Here
|
561 |
result = true_rename(oldpath, newpath); |
590 |
result = true_rename(oldpath, newpath); |
562 |
} |
591 |
} |
563 |
|
592 |
|
|
|
593 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_FROM|SBN_DELETE, old_canonic, "rename", result ); |
594 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_TO|SBN_CREATE, new_canonic, "rename", result ); |
595 |
|
564 |
return result; |
596 |
return result; |
565 |
} |
597 |
} |
566 |
|
598 |
|
Lines 577-582
Link Here
|
577 |
result = true_rmdir(pathname); |
609 |
result = true_rmdir(pathname); |
578 |
} |
610 |
} |
579 |
|
611 |
|
|
|
612 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "rmdir", result ); |
613 |
|
580 |
return result; |
614 |
return result; |
581 |
} |
615 |
} |
582 |
|
616 |
|
Lines 594-599
Link Here
|
594 |
result = true_symlink(oldpath, newpath); |
628 |
result = true_symlink(oldpath, newpath); |
595 |
} |
629 |
} |
596 |
|
630 |
|
|
|
631 |
sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result ); |
632 |
sbnotify_event(SBN_MODIFY|SBN_SYMLINK_TO|SBN_CREATE, new_canonic, "symlink", result ); |
633 |
|
597 |
return result; |
634 |
return result; |
598 |
} |
635 |
} |
599 |
|
636 |
|
Lines 610-615
Link Here
|
610 |
result = true_truncate(path, length); |
647 |
result = true_truncate(path, length); |
611 |
} |
648 |
} |
612 |
|
649 |
|
|
|
650 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate", result ); |
651 |
|
613 |
return result; |
652 |
return result; |
614 |
} |
653 |
} |
615 |
|
654 |
|
Lines 624-629
Link Here
|
624 |
* a device node, bug #79836. */ |
663 |
* a device node, bug #79836. */ |
625 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
664 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
626 |
errno = EACCES; |
665 |
errno = EACCES; |
|
|
666 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
627 |
return result; |
667 |
return result; |
628 |
} |
668 |
} |
629 |
|
669 |
|
Lines 633-638
Link Here
|
633 |
result = true_unlink(pathname); |
673 |
result = true_unlink(pathname); |
634 |
} |
674 |
} |
635 |
|
675 |
|
|
|
676 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
677 |
|
636 |
return result; |
678 |
return result; |
637 |
} |
679 |
} |
638 |
|
680 |
|
Lines 652-657
Link Here
|
652 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
694 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
653 |
} |
695 |
} |
654 |
|
696 |
|
|
|
697 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat64", result); |
698 |
|
655 |
return result; |
699 |
return result; |
656 |
} |
700 |
} |
657 |
|
701 |
|
Lines 668-673
Link Here
|
668 |
result = true_fopen64(pathname, mode); |
712 |
result = true_fopen64(pathname, mode); |
669 |
} |
713 |
} |
670 |
|
714 |
|
|
|
715 |
if(mode[0]=='w'||mode[0]=='a'||mode[1]=='+') |
716 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen64", (int)result); |
717 |
else |
718 |
sbnotify_event(SBN_ACCESS, canonic, "fopen64", (int)result); |
719 |
|
671 |
return result; |
720 |
return result; |
672 |
} |
721 |
} |
673 |
|
722 |
|
Lines 693-698
Link Here
|
693 |
result = true_open64(pathname, flags, mode); |
742 |
result = true_open64(pathname, flags, mode); |
694 |
} |
743 |
} |
695 |
|
744 |
|
|
|
745 |
if(flags & (O_WRONLY | O_RDWR)) |
746 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open64", result); |
747 |
else |
748 |
sbnotify_event(SBN_ACCESS, canonic, "open64", result); |
749 |
|
696 |
return result; |
750 |
return result; |
697 |
} |
751 |
} |
698 |
|
752 |
|
Lines 709-714
Link Here
|
709 |
result = true_truncate64(path, length); |
763 |
result = true_truncate64(path, length); |
710 |
} |
764 |
} |
711 |
|
765 |
|
|
|
766 |
sbnotify_event(SBN_MODIFY, canonic, "truncate64", result); |
767 |
|
712 |
return result; |
768 |
return result; |
713 |
} |
769 |
} |
714 |
|
770 |
|
Lines 824-829
Link Here
|
824 |
|
880 |
|
825 |
errno = old_errno; |
881 |
errno = old_errno; |
826 |
|
882 |
|
|
|
883 |
sbnotify_event(SBN_EXECUTE, filename, "execve", result ); |
884 |
|
827 |
return result; |
885 |
return result; |
828 |
} |
886 |
} |
829 |
|
887 |
|
Lines 1496-1501
Link Here
|
1496 |
} |
1554 |
} |
1497 |
} |
1555 |
} |
1498 |
|
1556 |
|
|
|
1557 |
static void |
1558 |
sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result ) |
1559 |
{ |
1560 |
event_flags = event_flags | SBN_ACCESS; |
1561 |
if (result<0) event_flags = event_flags | SBN_ERROR; |
1562 |
if (event_flags & get_sbnotify_eventmask()) |
1563 |
{ |
1564 |
char buffer[512]; |
1565 |
sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result); |
1566 |
sbnotify_log((const char *)&buffer); |
1567 |
} |
1568 |
} |
1569 |
|
1570 |
static void |
1571 |
sbnotify_log(const char * buffer) |
1572 |
{ |
1573 |
char *log_path = getenv("SBNOTIFY_LOG"); |
1574 |
if (log_path == NULL) return; |
1575 |
int log_file = true_open(log_path, |
1576 |
O_APPEND | O_WRONLY |
1577 |
| O_CREAT, |
1578 |
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
1579 |
if (log_file >= 0) { |
1580 |
write(log_file, buffer, strlen(buffer)); |
1581 |
close(log_file); |
1582 |
} |
1583 |
} |
1584 |
|
1585 |
static int |
1586 |
get_sbnotify_eventmask() |
1587 |
{ |
1588 |
const char * env_var = getenv("SBNOTIFY_EVENTMASK"); |
1589 |
if (NULL != env_var) { |
1590 |
int value; |
1591 |
if (1==sscanf( env_var, "%i", &value)) |
1592 |
return value; |
1593 |
} |
1594 |
return 0; |
1595 |
} |
1596 |
|
1499 |
#include "getcwd.c" |
1597 |
#include "getcwd.c" |
1500 |
#include "canonicalize.c" |
1598 |
#include "canonicalize.c" |
1501 |
#include "sandbox_futils.c" |
1599 |
#include "sandbox_futils.c" |