diff -Nur --exclude='.*' sandbox-1.2.1.orig/libsandbox.c sandbox-1.2.1.sbnotify/libsandbox.c --- sandbox-1.2.1.orig/libsandbox.c 2005-04-23 13:44:15.000000000 -0700 +++ sandbox-1.2.1.sbnotify/libsandbox.c 2005-04-25 10:14:18.000000000 -0700 @@ -81,6 +81,7 @@ //#include "localdecls.h" #include "sandbox.h" +#include "sbnotify.h" /* Macros to check if a function should be executed */ #define FUNCTION_SANDBOX_SAFE(func, path) \ @@ -158,6 +159,9 @@ static char *filter_path(const char *, int follow_link); static int is_sandbox_on(); static int is_sandbox_pid(); +static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result); +static void sbnotify_log(const char * buffer); +static int get_sbnotify_eventmask(); /* Wrapped functions */ @@ -375,6 +379,8 @@ result = true_chmod(path, mode); } + sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chmod", result); + return result; } @@ -391,6 +397,8 @@ result = true_chown(path, owner, group); } + sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chown", result); + return result; } @@ -408,6 +416,8 @@ result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); } + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "create", result); + return result; } @@ -424,6 +434,12 @@ result = true_fopen(pathname, mode); } + int len = strlen(mode); + if ((len>0 && (mode[0]=='w' || mode[0]=='a')) || (len>1 && mode[1]=='+')) + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); + else + sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); + return result; } @@ -440,6 +456,8 @@ result = true_lchown(path, owner, group); } + sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "lchown", result); + return result; } @@ -457,6 +475,9 @@ result = true_link(oldpath, newpath); } + sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result ); + sbnotify_event(SBN_MODIFY|SBN_LINK_TO|SBN_CREATE, new_canonic, "link", result ); + return result; } 
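Review bot: In the chmod hunk, and in every wrapper hunk after it, `sbnotify_event()` runs between the `true_*()` call and `return result`, so the logging path (`getenv`, `sscanf`, `true_open`, `write`, `close` in the helpers added at the end of this file) can overwrite the errno the caller is about to read. It is most visible in the `/dev/` branch of the unlink hunk, where the call sits directly after `errno = EACCES;`, and in the execve hunk, directly after `errno = old_errno;`. Saving and restoring inside the helper fixes all call sites at once: `int saved_errno = errno;` as the first statement of `sbnotify_event` and `errno = saved_errno;` before it returns. The wrapper bodies start outside these hunks.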
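Review bot: In the fopen hunk, `(int)result` passes a `FILE *` through an int, so the `result<0` test in `sbnotify_event` no longer means failure: a NULL return is logged as 0 without `SBN_ERROR`, and on a 64-bit build a truncated valid pointer can come out negative. Passing a status instead, e.g. `result ? 0 : -1` as the last argument, keeps the error bit meaningful; the opendir and fopen64 hunks have the same cast. The mode test also looks for `+` only at `mode[1]`, so `"rb+"` is recorded as a plain access; `strchr(mode, '+') != NULL` covers every position. The function body starts outside the hunk.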
@@ -483,6 +504,8 @@ result = true_mkdir(pathname, mode); } + sbnotify_event(SBN_MODIFY|SBN_CREATE, canonic, "mkdir", result ); + return result; } @@ -499,6 +522,8 @@ result = true_opendir(name); } + sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result ); + return result; } @@ -544,6 +569,11 @@ result = true_open(pathname, flags, mode); } + if(flags & (O_WRONLY | O_RDWR)) + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open", result ); + else + sbnotify_event(SBN_ACCESS, canonic, "open", result ); + return result; } @@ -561,6 +591,9 @@ result = true_rename(oldpath, newpath); } + sbnotify_event(SBN_MODIFY|SBN_MOVE_FROM|SBN_DELETE, old_canonic, "rename", result ); + sbnotify_event(SBN_MODIFY|SBN_MOVE_TO|SBN_CREATE, new_canonic, "rename", result ); + return result; } @@ -577,6 +610,8 @@ result = true_rmdir(pathname); } + sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "rmdir", result ); + return result; } @@ -594,6 +629,9 @@ result = true_symlink(oldpath, newpath); } + sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result ); + sbnotify_event(SBN_MODIFY|SBN_SYMLINK_TO|SBN_CREATE, new_canonic, "symlink", result ); + return result; } @@ -610,6 +648,8 @@ result = true_truncate(path, length); } + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate", result ); + return result; } @@ -624,6 +664,7 @@ * a device node, bug #79836. */ if (0 == strncmp(canonic, "/dev/", 5)) { errno = EACCES; + sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); return result; } @@ -633,6 +674,8 @@ result = true_unlink(pathname); } + sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); + return result; } @@ -652,6 +695,8 @@ result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); } + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat64", result); + return result; } 
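Review bot: In the open hunk, `flags & (O_WRONLY | O_RDWR)` classifies the call by access mode only, so an `O_RDONLY` open combined with `O_CREAT` or `O_TRUNC`, which can create or truncate the file, is logged as `SBN_ACCESS` alone. A consumer filtering on `SBN_MODIFY` would not see those events. A test such as `if ((flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC)))` closes the gap, and `O_CREAT` could additionally set `SBN_CREATE`; the open64 hunk repeats the same test. The function body starts outside the hunk.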
@@ -668,6 +713,12 @@ result = true_fopen64(pathname, mode); } + int len = strlen(mode); + if ((len>0 && (mode[0]=='w' || mode[0]=='a')) || (len>1 && mode[1]=='+')) + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); + else + sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); + return result; } @@ -693,6 +744,11 @@ result = true_open64(pathname, flags, mode); } + if(flags & (O_WRONLY | O_RDWR)) + sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open64", result); + else + sbnotify_event(SBN_ACCESS, canonic, "open64", result); + return result; } @@ -709,6 +765,8 @@ result = true_truncate64(path, length); } + sbnotify_event(SBN_MODIFY, canonic, "truncate64", result); + return result; } @@ -824,6 +882,8 @@ errno = old_errno; + sbnotify_event(SBN_EXECUTE, filename, "execve", result ); + return result; } 
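Review bot: The 64-bit wrappers report differently from their counterparts: the fopen64 hunk logs the name `"fopen"`, and the truncate64 hunk passes `SBN_MODIFY` where the truncate hunk passes `SBN_MODIFY|SBN_WRITE`. A consumer keying on the function name or on `SBN_WRITE` will misattribute or miss these calls. Suggested: `"fopen64"` in both fopen64 calls and `sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate64", result);`. The label `"create"` in the earlier creat hunk is also worth aligning with `"creat64"`, assuming that wrapper is creat().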
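Review bot: In the execve hunk the event is emitted on the path that returns to the caller, and execve only returns when it fails. If the `true_execve()` call sits above this hunk, as the context suggests, successful executions are never logged and `SBN_EXECUTE` only ever appears together with `SBN_ERROR`. Emitting the event before the real call, with a provisional result of 0, would record the executions an audit log is meant to capture. This call also passes the raw `filename` rather than a canonical path, unlike the other wrappers, so relative names are ambiguous in the log. The function body starts outside the hunk.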
@@ -1496,6 +1556,43 @@ } } +static void sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result ) +{ + event_flags = event_flags | SBN_ACCESS; + if (result<0) event_flags = event_flags | SBN_ERROR; + if (event_flags & get_sbnotify_eventmask()) + { + char buffer[512]; + sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result); + sbnotify_log((const char *)&buffer); + } +} + +static void sbnotify_log(const char * buffer) +{ + char *log_path = getenv("SBNOTIFY_LOG"); + if (log_path == NULL) return; + int log_file = true_open(log_path, + O_APPEND | O_WRONLY + | O_CREAT, + S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); + if (log_file >= 0) { + write(log_file, buffer, strlen(buffer)); + close(log_file); + } +} + +static int get_sbnotify_eventmask() +{ + const char * env_var = getenv("SBNOTIFY_EVENTMASK"); + if (NULL != env_var) { + int value; + if (1==sscanf( env_var, "%i", &value)) + return value; + } + return 0; +} + #include "getcwd.c" #include "canonicalize.c" #include "sandbox_futils.c" diff -Nur --exclude='.*' sandbox-1.2.1.orig/sbnotify.h sandbox-1.2.1.sbnotify/sbnotify.h --- sandbox-1.2.1.orig/sbnotify.h 1969-12-31 16:00:00.000000000 -0800 +++ sandbox-1.2.1.sbnotify/sbnotify.h 2005-04-24 23:05:31.000000000 -0700 
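Review bot: `sbnotify_event` formats into `char buffer[512]` with an unbounded `sprintf`, while `canonical` is a filesystem path that can be several kilobytes long, so a long path overflows the stack buffer in every process that has this library preloaded. Use `snprintf` with `sizeof buffer` and handle truncation, and guard against a NULL `canonical` (whether callers can pass one is not visible here); tabs or newlines inside a path also break the tab-separated record, so escaping them is worth considering. In `sbnotify_log`, the path comes from `SBNOTIFY_LOG`, which the sandboxed process can set itself, and it is opened through `true_open` with `O_CREAT`, which sidesteps the sandbox's own write checks. Validating that path against the permitted write prefixes, or fixing it once at start-up, would avoid that, and the `write` result should be checked.

```c
static void sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result )
{
	/* … unchanged: flag computation and event-mask test … */
	{
		char buffer[512];
		int len = snprintf(buffer, sizeof buffer, "%d\t%s\t%s\t%d\n",
				event_flags, canonical ? canonical : "(null)",
				func_name, result);
		if (len < 0)
			return;
		if ((size_t)len >= sizeof buffer) {
			/* record was cut: keep it newline-terminated so the
			 * next event still starts on its own line */
			buffer[sizeof buffer - 2] = '\n';
		}
		sbnotify_log(buffer);
	}
}
```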
@@ -0,0 +1,28 @@
+/*
+ * Sandbox file event notification. Inspired by Inotify.
+ *
+ * Copyright (C) 2005 Zachary Medico
+ */
+
+#ifndef __SBNOTIFY_H__
+#define __SBNOTIFY_H__
+
+#include
+
+/* An attempt to categorize filesystem calls */
+#define SBN_ACCESS 0x00000001 /* File access */
+#define SBN_MODIFY 0x00000002 /* File modify (possibly create)*/
+#define SBN_ATTRIB 0x00000004 /* File change attributes */
+#define SBN_CREATE 0x00000008 /* File create. move, link, or symlink */
+#define SBN_DELETE 0x00000010 /* File delete or move */
+#define SBN_WRITE 0x00000020 /* File open write */
+#define SBN_EXECUTE 0x00000040 /* File execute */
+#define SBN_MOVE_FROM 0x00000080 /* File move from X */
+#define SBN_MOVE_TO 0x00000100 /* File move to Y */
+#define SBN_LINK_FROM 0x00000200 /* Link create from X */
+#define SBN_LINK_TO 0x00000400 /* Link create to Y */
+#define SBN_SYMLINK_FROM 0x00000800 /* Symlink create from X */
+#define SBN_SYMLINK_TO 0x00001000 /* Symlink create to Y */
+#define SBN_ERROR 0x00002000 /* Return value is negative */
+
+#endif
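Review bot: The include guard `__SBNOTIFY_H__` uses an identifier reserved for the implementation (double underscore); `SBNOTIFY_H` avoids that. The comment on `SBN_ACCESS` could also say that `sbnotify_event` sets this bit on every event, so a mask containing `0x1` matches all calls, e.g. `/* Any filesystem call (always set) */`. The `#include` line shows no header name in this view; if that is how the patch really reads, rather than something lost in rendering, the header will not compile.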