Lines 81-86
Link Here
|
81 |
|
81 |
|
82 |
//#include "localdecls.h" |
82 |
//#include "localdecls.h" |
83 |
#include "sandbox.h" |
83 |
#include "sandbox.h" |
|
|
84 |
#include "sbnotify.h" |
84 |
|
85 |
|
85 |
/* Macros to check if a function should be executed */ |
86 |
/* Macros to check if a function should be executed */ |
86 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
87 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
Lines 158-163
Link Here
|
158 |
static char *filter_path(const char *, int follow_link); |
159 |
static char *filter_path(const char *, int follow_link); |
159 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_pid(); |
161 |
static int is_sandbox_pid(); |
|
|
162 |
static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result); |
163 |
static void sbnotify_log(const char * buffer); |
164 |
static int get_sbnotify_eventmask(); |
161 |
|
165 |
|
162 |
/* Wrapped functions */ |
166 |
/* Wrapped functions */ |
163 |
|
167 |
|
Lines 375-380
Link Here
|
375 |
result = true_chmod(path, mode); |
379 |
result = true_chmod(path, mode); |
376 |
} |
380 |
} |
377 |
|
381 |
|
|
|
382 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chmod", result); |
383 |
|
378 |
return result; |
384 |
return result; |
379 |
} |
385 |
} |
380 |
|
386 |
|
Lines 391-396
Link Here
|
391 |
result = true_chown(path, owner, group); |
397 |
result = true_chown(path, owner, group); |
392 |
} |
398 |
} |
393 |
|
399 |
|
|
|
400 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chown", result); |
401 |
|
394 |
return result; |
402 |
return result; |
395 |
} |
403 |
} |
396 |
|
404 |
|
Lines 408-413
Link Here
|
408 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
416 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
409 |
} |
417 |
} |
410 |
|
418 |
|
|
|
419 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "create", result); |
420 |
|
411 |
return result; |
421 |
return result; |
412 |
} |
422 |
} |
413 |
|
423 |
|
Lines 424-429
Link Here
|
424 |
result = true_fopen(pathname, mode); |
434 |
result = true_fopen(pathname, mode); |
425 |
} |
435 |
} |
426 |
|
436 |
|
|
|
437 |
int len = strlen(mode); |
438 |
if ((len>0 && (mode[0]=='w' || mode[0]=='a')) || (len>1 && mode[1]=='+')) |
439 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); |
440 |
else |
441 |
sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); |
442 |
|
427 |
return result; |
443 |
return result; |
428 |
} |
444 |
} |
429 |
|
445 |
|
Lines 440-445
Link Here
|
440 |
result = true_lchown(path, owner, group); |
456 |
result = true_lchown(path, owner, group); |
441 |
} |
457 |
} |
442 |
|
458 |
|
|
|
459 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "lchown", result); |
460 |
|
443 |
return result; |
461 |
return result; |
444 |
} |
462 |
} |
445 |
|
463 |
|
Lines 457-462
Link Here
|
457 |
result = true_link(oldpath, newpath); |
475 |
result = true_link(oldpath, newpath); |
458 |
} |
476 |
} |
459 |
|
477 |
|
|
|
478 |
sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result ); |
479 |
sbnotify_event(SBN_MODIFY|SBN_LINK_TO|SBN_CREATE, new_canonic, "link", result ); |
480 |
|
460 |
return result; |
481 |
return result; |
461 |
} |
482 |
} |
462 |
|
483 |
|
Lines 483-488
Link Here
|
483 |
result = true_mkdir(pathname, mode); |
504 |
result = true_mkdir(pathname, mode); |
484 |
} |
505 |
} |
485 |
|
506 |
|
|
|
507 |
sbnotify_event(SBN_MODIFY|SBN_CREATE, canonic, "mkdir", result ); |
508 |
|
486 |
return result; |
509 |
return result; |
487 |
} |
510 |
} |
488 |
|
511 |
|
Lines 499-504
Link Here
|
499 |
result = true_opendir(name); |
522 |
result = true_opendir(name); |
500 |
} |
523 |
} |
501 |
|
524 |
|
|
|
525 |
sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result ); |
526 |
|
502 |
return result; |
527 |
return result; |
503 |
} |
528 |
} |
504 |
|
529 |
|
Lines 544-549
Link Here
|
544 |
result = true_open(pathname, flags, mode); |
569 |
result = true_open(pathname, flags, mode); |
545 |
} |
570 |
} |
546 |
|
571 |
|
|
|
572 |
if(flags & (O_WRONLY | O_RDWR)) |
573 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open", result ); |
574 |
else |
575 |
sbnotify_event(SBN_ACCESS, canonic, "open", result ); |
576 |
|
547 |
return result; |
577 |
return result; |
548 |
} |
578 |
} |
549 |
|
579 |
|
Lines 561-566
Link Here
|
561 |
result = true_rename(oldpath, newpath); |
591 |
result = true_rename(oldpath, newpath); |
562 |
} |
592 |
} |
563 |
|
593 |
|
|
|
594 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_FROM|SBN_DELETE, old_canonic, "rename", result ); |
595 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_TO|SBN_CREATE, new_canonic, "rename", result ); |
596 |
|
564 |
return result; |
597 |
return result; |
565 |
} |
598 |
} |
566 |
|
599 |
|
Lines 577-582
Link Here
|
577 |
result = true_rmdir(pathname); |
610 |
result = true_rmdir(pathname); |
578 |
} |
611 |
} |
579 |
|
612 |
|
|
|
613 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "rmdir", result ); |
614 |
|
580 |
return result; |
615 |
return result; |
581 |
} |
616 |
} |
582 |
|
617 |
|
Lines 594-599
Link Here
|
594 |
result = true_symlink(oldpath, newpath); |
629 |
result = true_symlink(oldpath, newpath); |
595 |
} |
630 |
} |
596 |
|
631 |
|
|
|
632 |
sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result ); |
633 |
sbnotify_event(SBN_MODIFY|SBN_SYMLINK_TO|SBN_CREATE, new_canonic, "symlink", result ); |
634 |
|
597 |
return result; |
635 |
return result; |
598 |
} |
636 |
} |
599 |
|
637 |
|
Lines 610-615
Link Here
|
610 |
result = true_truncate(path, length); |
648 |
result = true_truncate(path, length); |
611 |
} |
649 |
} |
612 |
|
650 |
|
|
|
651 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate", result ); |
652 |
|
613 |
return result; |
653 |
return result; |
614 |
} |
654 |
} |
615 |
|
655 |
|
Lines 624-629
Link Here
|
624 |
* a device node, bug #79836. */ |
664 |
* a device node, bug #79836. */ |
625 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
665 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
626 |
errno = EACCES; |
666 |
errno = EACCES; |
|
|
667 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
627 |
return result; |
668 |
return result; |
628 |
} |
669 |
} |
629 |
|
670 |
|
Lines 633-638
Link Here
|
633 |
result = true_unlink(pathname); |
674 |
result = true_unlink(pathname); |
634 |
} |
675 |
} |
635 |
|
676 |
|
|
|
677 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
678 |
|
636 |
return result; |
679 |
return result; |
637 |
} |
680 |
} |
638 |
|
681 |
|
Lines 652-657
Link Here
|
652 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
695 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
653 |
} |
696 |
} |
654 |
|
697 |
|
|
|
698 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat64", result); |
699 |
|
655 |
return result; |
700 |
return result; |
656 |
} |
701 |
} |
657 |
|
702 |
|
Lines 668-673
Link Here
|
668 |
result = true_fopen64(pathname, mode); |
713 |
result = true_fopen64(pathname, mode); |
669 |
} |
714 |
} |
670 |
|
715 |
|
|
|
716 |
int len = strlen(mode); |
717 |
if ((len>0 && (mode[0]=='w' || mode[0]=='a')) || (len>1 && mode[1]=='+')) |
718 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); |
719 |
else |
720 |
sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); |
721 |
|
671 |
return result; |
722 |
return result; |
672 |
} |
723 |
} |
673 |
|
724 |
|
Lines 693-698
Link Here
|
693 |
result = true_open64(pathname, flags, mode); |
744 |
result = true_open64(pathname, flags, mode); |
694 |
} |
745 |
} |
695 |
|
746 |
|
|
|
747 |
if(flags & (O_WRONLY | O_RDWR)) |
748 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open64", result); |
749 |
else |
750 |
sbnotify_event(SBN_ACCESS, canonic, "open64", result); |
751 |
|
696 |
return result; |
752 |
return result; |
697 |
} |
753 |
} |
698 |
|
754 |
|
Lines 709-714
Link Here
|
709 |
result = true_truncate64(path, length); |
765 |
result = true_truncate64(path, length); |
710 |
} |
766 |
} |
711 |
|
767 |
|
|
|
768 |
sbnotify_event(SBN_MODIFY, canonic, "truncate64", result); |
769 |
|
712 |
return result; |
770 |
return result; |
713 |
} |
771 |
} |
714 |
|
772 |
|
Lines 824-829
Link Here
|
824 |
|
882 |
|
825 |
errno = old_errno; |
883 |
errno = old_errno; |
826 |
|
884 |
|
|
|
885 |
sbnotify_event(SBN_EXECUTE, filename, "execve", result ); |
886 |
|
827 |
return result; |
887 |
return result; |
828 |
} |
888 |
} |
829 |
|
889 |
|
Lines 1496-1501
Link Here
|
1496 |
} |
1556 |
} |
1497 |
} |
1557 |
} |
1498 |
|
1558 |
|
|
|
1559 |
static void sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result ) |
1560 |
{ |
1561 |
event_flags = event_flags | SBN_ACCESS; |
1562 |
if (result<0) event_flags = event_flags | SBN_ERROR; |
1563 |
if (event_flags & get_sbnotify_eventmask()) |
1564 |
{ |
1565 |
char buffer[512]; |
1566 |
sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result); |
1567 |
sbnotify_log((const char *)&buffer); |
1568 |
} |
1569 |
} |
1570 |
|
1571 |
static void sbnotify_log(const char * buffer) |
1572 |
{ |
1573 |
char *log_path = getenv("SBNOTIFY_LOG"); |
1574 |
if (log_path == NULL) return; |
1575 |
int log_file = true_open(log_path, |
1576 |
O_APPEND | O_WRONLY |
1577 |
| O_CREAT, |
1578 |
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
1579 |
if (log_file >= 0) { |
1580 |
write(log_file, buffer, strlen(buffer)); |
1581 |
close(log_file); |
1582 |
} |
1583 |
} |
1584 |
|
1585 |
static int get_sbnotify_eventmask() |
1586 |
{ |
1587 |
const char * env_var = getenv("SBNOTIFY_EVENTMASK"); |
1588 |
if (NULL != env_var) { |
1589 |
int value; |
1590 |
if (1==sscanf( env_var, "%i", &value)) |
1591 |
return value; |
1592 |
} |
1593 |
return 0; |
1594 |
} |
1595 |
|
1499 |
#include "getcwd.c" |
1596 |
#include "getcwd.c" |
1500 |
#include "canonicalize.c" |
1597 |
#include "canonicalize.c" |
1501 |
#include "sandbox_futils.c" |
1598 |
#include "sandbox_futils.c" |