Lines 81-86
Link Here
|
81 |
|
81 |
|
82 |
//#include "localdecls.h" |
82 |
//#include "localdecls.h" |
83 |
#include "sandbox.h" |
83 |
#include "sandbox.h" |
|
|
84 |
#include "sbnotify.h" |
84 |
|
85 |
|
85 |
/* Macros to check if a function should be executed */ |
86 |
/* Macros to check if a function should be executed */ |
86 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
87 |
#define FUNCTION_SANDBOX_SAFE(func, path) \ |
Lines 158-163
Link Here
|
158 |
static char *filter_path(const char *, int follow_link); |
159 |
static char *filter_path(const char *, int follow_link); |
159 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_on(); |
160 |
static int is_sandbox_pid(); |
161 |
static int is_sandbox_pid(); |
|
|
162 |
static void sbnotify_event(int event_flags, const char * canonical, const char * func_name, int result); |
163 |
static void sbnotify_log(const char * buffer); |
164 |
static int get_sbnotify_eventmask(); |
161 |
|
165 |
|
162 |
/* Wrapped functions */ |
166 |
/* Wrapped functions */ |
163 |
|
167 |
|
Lines 375-380
Link Here
|
375 |
result = true_chmod(path, mode); |
379 |
result = true_chmod(path, mode); |
376 |
} |
380 |
} |
377 |
|
381 |
|
|
|
382 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chmod", result); |
383 |
|
378 |
return result; |
384 |
return result; |
379 |
} |
385 |
} |
380 |
|
386 |
|
Lines 391-396
Link Here
|
391 |
result = true_chown(path, owner, group); |
397 |
result = true_chown(path, owner, group); |
392 |
} |
398 |
} |
393 |
|
399 |
|
|
|
400 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "chown", result); |
401 |
|
394 |
return result; |
402 |
return result; |
395 |
} |
403 |
} |
396 |
|
404 |
|
Lines 408-413
Link Here
|
408 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
416 |
result = true_open(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
409 |
} |
417 |
} |
410 |
|
418 |
|
|
|
419 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "create", result); |
420 |
|
411 |
return result; |
421 |
return result; |
412 |
} |
422 |
} |
413 |
|
423 |
|
Lines 424-429
Link Here
|
424 |
result = true_fopen(pathname, mode); |
434 |
result = true_fopen(pathname, mode); |
425 |
} |
435 |
} |
426 |
|
436 |
|
|
|
437 |
if (*mode == 'r' && ((strcmp(mode, "r") == 0) || |
438 |
/* The strspn accept args are known non-writable modifiers */ |
439 |
(strlen(++mode) == strspn(mode, "xbtmc")))) |
440 |
sbnotify_event(SBN_ACCESS, canonic, "fopen", (int)result); |
441 |
else |
442 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen", (int)result); |
443 |
|
427 |
return result; |
444 |
return result; |
428 |
} |
445 |
} |
429 |
|
446 |
|
Lines 440-445
Link Here
|
440 |
result = true_lchown(path, owner, group); |
457 |
result = true_lchown(path, owner, group); |
441 |
} |
458 |
} |
442 |
|
459 |
|
|
|
460 |
sbnotify_event(SBN_MODIFY|SBN_ATTRIB, canonic, "lchown", result); |
461 |
|
443 |
return result; |
462 |
return result; |
444 |
} |
463 |
} |
445 |
|
464 |
|
Lines 457-462
Link Here
|
457 |
result = true_link(oldpath, newpath); |
476 |
result = true_link(oldpath, newpath); |
458 |
} |
477 |
} |
459 |
|
478 |
|
|
|
479 |
sbnotify_event(SBN_LINK_FROM, old_canonic, "link", result ); |
480 |
sbnotify_event(SBN_MODIFY|SBN_LINK_TO|SBN_CREATE, new_canonic, "link", result ); |
481 |
|
460 |
return result; |
482 |
return result; |
461 |
} |
483 |
} |
462 |
|
484 |
|
Lines 483-488
Link Here
|
483 |
result = true_mkdir(pathname, mode); |
505 |
result = true_mkdir(pathname, mode); |
484 |
} |
506 |
} |
485 |
|
507 |
|
|
|
508 |
sbnotify_event(SBN_MODIFY|SBN_CREATE, canonic, "mkdir", result ); |
509 |
|
486 |
return result; |
510 |
return result; |
487 |
} |
511 |
} |
488 |
|
512 |
|
Lines 499-504
Link Here
|
499 |
result = true_opendir(name); |
523 |
result = true_opendir(name); |
500 |
} |
524 |
} |
501 |
|
525 |
|
|
|
526 |
sbnotify_event(SBN_ACCESS, canonic, "opendir", (int)result ); |
527 |
|
502 |
return result; |
528 |
return result; |
503 |
} |
529 |
} |
504 |
|
530 |
|
Lines 544-549
Link Here
|
544 |
result = true_open(pathname, flags, mode); |
570 |
result = true_open(pathname, flags, mode); |
545 |
} |
571 |
} |
546 |
|
572 |
|
|
|
573 |
if(flags & (O_WRONLY | O_RDWR)) |
574 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open", result ); |
575 |
else |
576 |
sbnotify_event(SBN_ACCESS, canonic, "open", result ); |
577 |
|
547 |
return result; |
578 |
return result; |
548 |
} |
579 |
} |
549 |
|
580 |
|
Lines 561-566
Link Here
|
561 |
result = true_rename(oldpath, newpath); |
592 |
result = true_rename(oldpath, newpath); |
562 |
} |
593 |
} |
563 |
|
594 |
|
|
|
595 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_FROM|SBN_DELETE, old_canonic, "rename", result ); |
596 |
sbnotify_event(SBN_MODIFY|SBN_MOVE_TO|SBN_CREATE, new_canonic, "rename", result ); |
597 |
|
564 |
return result; |
598 |
return result; |
565 |
} |
599 |
} |
566 |
|
600 |
|
Lines 577-582
Link Here
|
577 |
result = true_rmdir(pathname); |
611 |
result = true_rmdir(pathname); |
578 |
} |
612 |
} |
579 |
|
613 |
|
|
|
614 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "rmdir", result ); |
615 |
|
580 |
return result; |
616 |
return result; |
581 |
} |
617 |
} |
582 |
|
618 |
|
Lines 594-599
Link Here
|
594 |
result = true_symlink(oldpath, newpath); |
630 |
result = true_symlink(oldpath, newpath); |
595 |
} |
631 |
} |
596 |
|
632 |
|
|
|
633 |
sbnotify_event(SBN_SYMLINK_FROM, old_canonic, "symlink", result ); |
634 |
sbnotify_event(SBN_MODIFY|SBN_SYMLINK_TO|SBN_CREATE, new_canonic, "symlink", result ); |
635 |
|
597 |
return result; |
636 |
return result; |
598 |
} |
637 |
} |
599 |
|
638 |
|
Lines 610-615
Link Here
|
610 |
result = true_truncate(path, length); |
649 |
result = true_truncate(path, length); |
611 |
} |
650 |
} |
612 |
|
651 |
|
|
|
652 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "truncate", result ); |
653 |
|
613 |
return result; |
654 |
return result; |
614 |
} |
655 |
} |
615 |
|
656 |
|
Lines 624-629
Link Here
|
624 |
* a device node, bug #79836. */ |
665 |
* a device node, bug #79836. */ |
625 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
666 |
if (0 == strncmp(canonic, "/dev/", 5)) { |
626 |
errno = EACCES; |
667 |
errno = EACCES; |
|
|
668 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
627 |
return result; |
669 |
return result; |
628 |
} |
670 |
} |
629 |
|
671 |
|
Lines 633-638
Link Here
|
633 |
result = true_unlink(pathname); |
675 |
result = true_unlink(pathname); |
634 |
} |
676 |
} |
635 |
|
677 |
|
|
|
678 |
sbnotify_event(SBN_MODIFY|SBN_DELETE, canonic, "unlink", result ); |
679 |
|
636 |
return result; |
680 |
return result; |
637 |
} |
681 |
} |
638 |
|
682 |
|
Lines 652-657
Link Here
|
652 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
696 |
result = true_open64(pathname, O_CREAT | O_WRONLY | O_TRUNC, mode); |
653 |
} |
697 |
} |
654 |
|
698 |
|
|
|
699 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "creat64", result); |
700 |
|
655 |
return result; |
701 |
return result; |
656 |
} |
702 |
} |
657 |
|
703 |
|
Lines 668-673
Link Here
|
668 |
result = true_fopen64(pathname, mode); |
714 |
result = true_fopen64(pathname, mode); |
669 |
} |
715 |
} |
670 |
|
716 |
|
|
|
717 |
if (*mode == 'r' && ((strcmp(mode, "r") == 0) || |
718 |
/* The strspn accept args are known non-writable modifiers */ |
719 |
(strlen(++mode) == strspn(mode, "xbtmc")))) |
720 |
sbnotify_event(SBN_ACCESS, canonic, "fopen64", (int)result); |
721 |
else |
722 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "fopen64", (int)result); |
723 |
|
671 |
return result; |
724 |
return result; |
672 |
} |
725 |
} |
673 |
|
726 |
|
Lines 693-698
Link Here
|
693 |
result = true_open64(pathname, flags, mode); |
746 |
result = true_open64(pathname, flags, mode); |
694 |
} |
747 |
} |
695 |
|
748 |
|
|
|
749 |
if(flags & (O_WRONLY | O_RDWR)) |
750 |
sbnotify_event(SBN_MODIFY|SBN_WRITE, canonic, "open64", result); |
751 |
else |
752 |
sbnotify_event(SBN_ACCESS, canonic, "open64", result); |
753 |
|
696 |
return result; |
754 |
return result; |
697 |
} |
755 |
} |
698 |
|
756 |
|
Lines 709-714
Link Here
|
709 |
result = true_truncate64(path, length); |
767 |
result = true_truncate64(path, length); |
710 |
} |
768 |
} |
711 |
|
769 |
|
|
|
770 |
sbnotify_event(SBN_MODIFY, canonic, "truncate64", result); |
771 |
|
712 |
return result; |
772 |
return result; |
713 |
} |
773 |
} |
714 |
|
774 |
|
Lines 824-829
Link Here
|
824 |
|
884 |
|
825 |
errno = old_errno; |
885 |
errno = old_errno; |
826 |
|
886 |
|
|
|
887 |
sbnotify_event(SBN_EXECUTE, filename, "execve", result ); |
888 |
|
827 |
return result; |
889 |
return result; |
828 |
} |
890 |
} |
829 |
|
891 |
|
Lines 1496-1501
Link Here
|
1496 |
} |
1558 |
} |
1497 |
} |
1559 |
} |
1498 |
|
1560 |
|
|
|
1561 |
static void sbnotify_event( int event_flags, const char * canonical, const char * func_name, int result ) |
1562 |
{ |
1563 |
event_flags = event_flags | SBN_ACCESS; |
1564 |
if (result<0) event_flags = event_flags | SBN_ERROR; |
1565 |
if (event_flags & get_sbnotify_eventmask()) |
1566 |
{ |
1567 |
char buffer[512]; |
1568 |
sprintf(buffer, "%d\t%s\t%s\t%d\n", event_flags, canonical, func_name, result); |
1569 |
sbnotify_log((const char *)&buffer); |
1570 |
} |
1571 |
} |
1572 |
|
1573 |
static void sbnotify_log(const char * buffer) |
1574 |
{ |
1575 |
char *log_path = getenv("SBNOTIFY_LOG"); |
1576 |
if (log_path == NULL) return; |
1577 |
int log_file = true_open(log_path, |
1578 |
O_APPEND | O_WRONLY |
1579 |
| O_CREAT, |
1580 |
S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); |
1581 |
if (log_file >= 0) { |
1582 |
write(log_file, buffer, strlen(buffer)); |
1583 |
close(log_file); |
1584 |
} |
1585 |
} |
1586 |
|
1587 |
static int get_sbnotify_eventmask() |
1588 |
{ |
1589 |
const char * env_var = getenv("SBNOTIFY_EVENTMASK"); |
1590 |
if (NULL != env_var) { |
1591 |
int value; |
1592 |
if (1==sscanf( env_var, "%i", &value)) |
1593 |
return value; |
1594 |
} |
1595 |
return 0; |
1596 |
} |
1597 |
|
1499 |
#include "getcwd.c" |
1598 |
#include "getcwd.c" |
1500 |
#include "canonicalize.c" |
1599 |
#include "canonicalize.c" |
1501 |
#include "sandbox_futils.c" |
1600 |
#include "sandbox_futils.c" |