You can subscribe to this list here.
2002 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(11) |
Jun
(28) |
Jul
(27) |
Aug
(16) |
Sep
(37) |
Oct
(26) |
Nov
(119) |
Dec
(42) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2003 |
Jan
(76) |
Feb
(43) |
Mar
(99) |
Apr
(59) |
May
(42) |
Jun
(72) |
Jul
(61) |
Aug
(56) |
Sep
(19) |
Oct
|
Nov
|
Dec
|
From: <da...@us...> - 2003-07-14 23:30:35
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv27893 Modified Files: Makefile Log Message: This shouldn't be here. Index: Makefile =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/Makefile,v retrieving revision 1.50 retrieving revision 1.51 diff -u -d -r1.50 -r1.51 --- Makefile 14 Jul 2003 23:27:09 -0000 1.50 +++ Makefile 14 Jul 2003 23:30:31 -0000 1.51 @@ -10,7 +10,6 @@ NCPU!= /sbin/sysctl -n hw.ncpu OSVERSION!=/sbin/sysctl -n kern.osreldate -OSVERSION=400000 CFLAGS+=-Icontrib |
From: <da...@us...> - 2003-07-14 23:27:12
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv26666 Modified Files: Makefile cerb_globals.h cerb_malloc.c Log Message: - Don't panic when reallocing also. - Hide warning about freeing pointer not from the list behind CB_DEBUG_SAFEMALLOC. Requested by: Dariusz Kulinski <ta...@ta...> Index: Makefile =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/Makefile,v retrieving revision 1.49 retrieving revision 1.50 diff -u -d -r1.49 -r1.50 --- Makefile 2 Jul 2003 09:03:18 -0000 1.49 +++ Makefile 14 Jul 2003 23:27:09 -0000 1.50 @@ -10,6 +10,7 @@ NCPU!= /sbin/sysctl -n hw.ncpu OSVERSION!=/sbin/sysctl -n kern.osreldate +OSVERSION=400000 CFLAGS+=-Icontrib Index: cerb_globals.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_globals.h,v retrieving revision 1.68 retrieving revision 1.69 diff -u -d -r1.68 -r1.69 --- cerb_globals.h 11 Jul 2003 22:14:25 -0000 1.68 +++ cerb_globals.h 14 Jul 2003 23:27:09 -0000 1.69 @@ -118,6 +118,7 @@ #undef CB_DEBUG_PRISON /* debug for actions on jails */ #undef CB_DEBUG_GETVAL /* debug for fcb_getval() function */ #undef CB_DEBUG_OPERR /* debug for operations errors */ +#undef CB_DEBUG_SAFEMALLOC /* debug for safe malloc() */ /* Invariants. */ #define CB_INVARIANTS Index: cerb_malloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_malloc.c,v retrieving revision 1.30 retrieving revision 1.31 diff -u -d -r1.30 -r1.31 --- cerb_malloc.c 14 Jul 2003 22:28:11 -0000 1.30 +++ cerb_malloc.c 14 Jul 2003 23:27:09 -0000 1.31 @@ -136,6 +136,7 @@ return (newptr); if (addr == NULL) { +add: if (ccb_mem_debug) memset(newptr, 0xd0, size); tmp = malloc(sizeof(struct scb_malloc), M_CERB, M_WAITOK); @@ -163,8 +164,12 @@ break; } } - MCB_ASSERT(tmp != NULL, "%p is not allocated by " - "fcb_(m|re)alloc().", addr); +#ifdef CB_DEBUG_SAFEMALLOC + MCB_PRCONS("CerbNG: %p is not allocated by fcb_(m|re)alloc() " + "or you have played with cerb.mem.safe_malloc sysctl.\n", + addr); +#endif + goto add; MCB_MALLOC_UNLOCK(); } @@ -195,8 +200,10 @@ } } MCB_MALLOC_UNLOCK(); +#ifdef CB_DEBUG_SAFEMALLOC MCB_PRCONS("CerbNG: %p is not allocated by fcb_malloc() or you have " "played with cerb.mem.safe_malloc sysctl.\n", addr); +#endif free(addr, M_CERB); } #endif /* CERB_SAFEMALLOC */ |
From: <da...@us...> - 2003-07-14 22:28:17
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv16905 Modified Files: cerb_malloc.c Log Message: Don't panic when address to free isn't on list. It could be removed from list when cerb.mem.safe_malloc was changed to 0 and then back to 1. Reported by: Dariusz Kulinski <ta...@ta...> Index: cerb_malloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_malloc.c,v retrieving revision 1.29 retrieving revision 1.30 diff -u -d -r1.29 -r1.30 --- cerb_malloc.c 13 Jul 2003 17:51:01 -0000 1.29 +++ cerb_malloc.c 14 Jul 2003 22:28:11 -0000 1.30 @@ -190,13 +190,14 @@ free(addr, M_CERB); LIST_REMOVE(tmp, m_next); free(tmp, M_CERB); - goto end; + MCB_MALLOC_UNLOCK(); + return; } } - MCB_ASSERT(0, "%p is not allocated by fcb_malloc().\n", addr); -end: MCB_MALLOC_UNLOCK(); - return; + MCB_PRCONS("CerbNG: %p is not allocated by fcb_malloc() or you have " + "played with cerb.mem.safe_malloc sysctl.\n", addr); + free(addr, M_CERB); } #endif /* CERB_SAFEMALLOC */ |
From: <da...@us...> - 2003-07-13 18:24:38
|
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv2774 Modified Files: Makefile addons.cbh Log Message: Fixed policies installation. Reported by: Dariusz Kulinski <ta...@ta...> Index: Makefile =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/Makefile,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- Makefile 2 Jul 2003 13:16:56 -0000 1.1 +++ Makefile 13 Jul 2003 18:24:34 -0000 1.2 @@ -7,12 +7,14 @@ # DESTDIR=/usr/local -POLICIES=*.cb *.cbh +POLICIES=*.cb *.cbh *.h POLICIESDIR=${DESTDIR}/etc/cerb/policies all: + cp -f ../kcerb/cerb_globals.h ../kcerb/cerb_types.h . clean: + rm -f cerb_globals.h cerb_types.h install: ${POLICIES} install -m 755 -o root -g wheel -d ${POLICIESDIR} Index: addons.cbh =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/addons.cbh,v retrieving revision 1.27 retrieving revision 1.28 diff -u -d -r1.27 -r1.28 --- addons.cbh 4 Jul 2003 14:14:00 -0000 1.27 +++ addons.cbh 13 Jul 2003 18:24:34 -0000 1.28 @@ -14,8 +14,8 @@ #include <netinet/in.h> #include <sys/syslog.h> #include <sys/errno.h> -#include "../kcerb/cerb_globals.h" -#include "../kcerb/cerb_types.h" +#include "cerb_globals.h" +#include "cerb_types.h" #ifdef errno #undef errno |
From: <da...@us...> - 2003-07-13 17:51:05
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv27695 Modified Files: cerb_action.c cerb_ask.c cerb_fdesc.c cerb_main.c cerb_malloc.c cerb_string.h cerb_syscalls.c cerb_sysctl.c cerb_trace.c cerb_urules.c cerb_usersysctl.c cerb_usmalloc.c Log Message: - Added macros: + MCB_PRCONS(), + MCB_PRTTY(), + MCB_PRSTDOUT(). - Don't use uprintf()/printf(), use new macros instead. - Style fixes, removed some redundant '\n', etc. Index: cerb_action.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_action.c,v retrieving revision 1.124 retrieving revision 1.125 diff -u -d -r1.124 -r1.125 --- cerb_action.c 11 Jul 2003 22:14:25 -0000 1.124 +++ cerb_action.c 13 Jul 2003 17:51:01 -0000 1.125 @@ -109,7 +109,7 @@ CB_SHUTUP_COMPILER(); - MCB_DEBUG("Operation %s is not implemented yet.\n", tcb_opname[fun]); + MCB_DEBUG("Operation %s is not implemented yet.", tcb_opname[fun]); } /* @@ -1826,7 +1826,7 @@ for (j = 0; (*bp)[j] != '=' && (*bp)[j] != '\0'; ++j) ; (*bp)[j] = '\0'; - MCB_DEBUG("Removed ENV: %s.\n", *bp); + MCB_DEBUG("Removed ENV: %s.", *bp); #endif for (q = bp; *q != NULL; ++q) *q = *(q + 1); Index: cerb_ask.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_ask.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -d -r1.5 -r1.6 --- cerb_ask.c 29 Jun 2003 16:40:53 -0000 1.5 +++ cerb_ask.c 13 Jul 2003 17:51:01 -0000 1.6 @@ -66,7 +66,7 @@ LIST_FOREACH(th, &vcb_ask_head, thd_asknext) { #ifdef CB_DEBUG_ASK MCB_DEBUG("ASK: Unloading cerb, waking up process %s " - "[pid=%u]\n", th->thd_proc->p_comm, th->thd_proc->p_pid); + "[pid=%u].", th->thd_proc->p_comm, th->thd_proc->p_pid); #endif th->thd_errno = -1; wakeup(&th->thd_suspendid); @@ -201,11 +201,11 @@ register struct scb_thdata *th; u_int i = 0; - uprintf("\n"); + MCB_PRSTDOUT("\n"); MCB_THREAD_LOCK(); LIST_FOREACH(th, &vcb_ask_head, thd_asknext) { ++i; - uprintf("%u. %s [ruid=%u:euid=%u] ID: %u\n", i, + MCB_PRSTDOUT("%u. %s [ruid=%u:euid=%u] ID: %u\n", i, th->thd_proc->p_comm, th->thd_proc->p_cred->p_ruid, th->thd_proc->p_ucred->cr_uid, th->thd_suspendid); } Index: cerb_fdesc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_fdesc.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -d -r1.16 -r1.17 --- cerb_fdesc.c 1 Jul 2003 10:09:29 -0000 1.16 +++ cerb_fdesc.c 13 Jul 2003 17:51:01 -0000 1.17 @@ -117,7 +117,7 @@ if (fd->fd_fp > fp) break; MCB_ASSERT(fd->fd_fp != fp, "Descriptor already on the list? " - "(name=%s).\n", fd->fd_name); + "(name=%s).", fd->fd_name); fdl = fd; } @@ -525,22 +525,22 @@ MCB_FDESC_LOCK(); - uprintf("\n"); + MCB_PRSTDOUT("\n"); if (SLIST_EMPTY(&vcb_fdesc_head)) { - uprintf("List is empty.\n"); + MCB_PRSTDOUT("List is empty.\n"); goto end; } - uprintf("----- Start -----\n"); + MCB_PRSTDOUT("----- Start -----\n"); i = 0; SLIST_FOREACH(fd, &vcb_fdesc_head, fd_next) { if (fcb_stringmatch(match, fd->fd_name)) { - uprintf("%3d. fp=%p, file=%s\n", ++i, fd->fd_fp, + MCB_PRSTDOUT("%3d. fp=%p, file=%s\n", ++i, fd->fd_fp, fd->fd_name); } } if (i == 0) - uprintf("No match.\n"); - uprintf("----- End -----\n"); + MCB_PRSTDOUT("No match.\n"); + MCB_PRSTDOUT("----- End -----\n"); end: MCB_FDESC_UNLOCK(); } Index: cerb_main.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_main.c,v retrieving revision 1.40 retrieving revision 1.41 diff -u -d -r1.40 -r1.41 --- cerb_main.c 29 Jun 2003 20:50:44 -0000 1.40 +++ cerb_main.c 13 Jul 2003 17:51:01 -0000 1.41 @@ -31,6 +31,7 @@ #include "cerb_gregs.h" #include "cerb_fdesc.h" #include "cerb_ask.h" +#include "cerb_string.h" #if 0 #include "cerb_dev.h" #endif @@ -48,7 +49,7 @@ ; if (j == MCB_NARGS(i)) continue; - printf("CerbNG: ERROR: Desynch with number of arguments " + MCB_PRSTDOUT("CerbNG: ERROR: Desynch with number of arguments " "for syscall %s (%u != %u), better unload cerb.\n", syscallnames[i], MCB_NARGS(i), j); return; Index: cerb_malloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_malloc.c,v retrieving revision 1.28 retrieving revision 1.29 diff -u -d -r1.28 -r1.29 --- cerb_malloc.c 1 Jul 2003 10:09:29 -0000 1.28 +++ cerb_malloc.c 13 Jul 2003 17:51:01 -0000 1.29 @@ -35,6 +35,7 @@ #include "cerb_rules.h" #include "cerb_thread.h" #include "cerb_lock.h" +#include "cerb_string.h" MALLOC_DEFINE(M_CERB, "cerb", "Cerb's allocations"); @@ -64,8 +65,8 @@ tmp1 = LIST_FIRST(&vcb_malloc_head); while (tmp1 != NULL) { tmp2 = LIST_NEXT(tmp1, m_next); - printf("fcb_malloc: !!MEMORY LEAK!! Clearing: address=%p, " - "size=%5lu [%s:%u]\n", tmp1->m_addr, + MCB_PRSTDOUT("fcb_malloc: !!MEMORY LEAK!! Clearing: " + "address=%p, size=%5lu [%s:%u]\n", tmp1->m_addr, (u_long)tmp1->m_size, tmp1->m_file, tmp1->m_line); free(tmp1->m_addr, M_CERB); free(tmp1, M_CERB); @@ -97,22 +98,22 @@ register struct scb_malloc *tmp; register u_int i; - uprintf("\n"); + MCB_PRSTDOUT("\n"); if (!ccb_mem_safe_malloc) { - uprintf("Safemalloc is OFF.\n"); + MCB_PRSTDOUT("Safemalloc is OFF.\n"); return; } if (LIST_EMPTY(&vcb_malloc_head)) { - uprintf("List is empty.\n"); + MCB_PRSTDOUT("List is empty.\n"); return; } MCB_MALLOC_LOCK(); i = 0; LIST_FOREACH(tmp, &vcb_malloc_head, m_next) { - uprintf("Rule %3d: address=%p, size=%5lu [%s:%u]\n", ++i, + MCB_PRSTDOUT("Rule %3d: address=%p, size=%5lu [%s:%u]\n", ++i, tmp->m_addr, (u_long)tmp->m_size, tmp->m_file, tmp->m_line); } MCB_MALLOC_UNLOCK(); @@ -163,7 +164,7 @@ } } MCB_ASSERT(tmp != NULL, "%p is not allocated by " - "fcb_(m|re)alloc().\n", addr); + "fcb_(m|re)alloc().", addr); MCB_MALLOC_UNLOCK(); } @@ -208,8 +209,8 @@ { if (!LIST_EMPTY(&th->thd_mtemp_head)) { - printf("kcerb:%s:%s:%s: Memory leak? List head isn't NULL!\n", - __func__, th->thd_proc->p_comm, + MCB_PRCONS("kcerb:%s:%s:%s: Memory leak? List head isn't " + "NULL!\n", __func__, th->thd_proc->p_comm, syscallnames[th->thd_syscall]); } } Index: cerb_string.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_string.h,v retrieving revision 1.21 retrieving revision 1.22 diff -u -d -r1.21 -r1.22 --- cerb_string.h 2 Jul 2003 03:36:28 -0000 1.21 +++ cerb_string.h 13 Jul 2003 17:51:01 -0000 1.22 @@ -22,6 +22,10 @@ #define CB_PRNT_TTY 1 #define CB_PRNT_STDOUT 2 +#define MCB_PRCONS(fmt, args...) fcb_printf(CB_PRNT_CONSOLE, fmt ,##args) +#define MCB_PRTTY(fmt, args...) fcb_printf(CB_PRNT_TTY, fmt ,##args) +#define MCB_PRSTDOUT(fmt, args...) fcb_printf(CB_PRNT_STDOUT, fmt ,##args) + struct scb_prnt { struct proc *pr_proc; Index: cerb_syscalls.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_syscalls.c,v retrieving revision 1.53 retrieving revision 1.54 diff -u -d -r1.53 -r1.54 --- cerb_syscalls.c 12 Jul 2003 22:03:03 -0000 1.53 +++ cerb_syscalls.c 13 Jul 2003 17:51:01 -0000 1.54 @@ -40,6 +40,7 @@ #include "cerb_operations.h" #include "cerb_addons.h" #include "cerb_trace.h" +#include "cerb_string.h" #include "cerb_syscalls.h" @@ -112,7 +113,7 @@ ret = th->thd_errno; break; case CB_CONFIG_EX: - printf("CONFERR: %s %s\n", th->thd_proc->p_comm, + MCB_PRCONS("CONFERR: %s %s\n", th->thd_proc->p_comm, syscallnames[th->thd_syscall]); ret = th->thd_errno; #ifdef CERB_TRACE @@ -120,20 +121,20 @@ fcb_trace_gen(th); #endif if (ccb_off_on_error) { - printf("Turning cerb OFF.\n"); + MCB_PRCONS("Turning cerb OFF.\n"); fcb_rule_set(-1); } break; case CB_FATAL_EX: ret = th->thd_errno; - printf("CerbNG: FATAL ERROR!\n"); + MCB_PRCONS("CerbNG: FATAL ERROR!\n"); #if 0 panic("Fatal error!"); #endif break; #ifdef CB_INVARIANTS default: - MCB_ASSERT(0, "Invalid jmp_buf value: %d.\n", + MCB_ASSERT(0, "Invalid jmp_buf value: %d.", th->thd_jmpval); #endif } Index: cerb_sysctl.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_sysctl.c,v retrieving revision 1.35 retrieving revision 1.36 diff -u -d -r1.35 -r1.36 --- cerb_sysctl.c 2 Jul 2003 03:36:28 -0000 1.35 +++ cerb_sysctl.c 13 Jul 2003 17:51:01 -0000 1.36 @@ -155,7 +155,7 @@ return (EPERM); if (memlock.sl_locked != 0 || memlock.sl_want != 0) { - printf("memlock: locked: %d, want: %d\n", memlock.sl_locked, + MCB_PRCONS("memlock: locked: %d, want: %d\n", memlock.sl_locked, memlock.sl_want); return (EBUSY); } @@ -185,7 +185,7 @@ return (EPERM); if (memlock.sl_locked != 0 || memlock.sl_want != 0) { - printf("memlock: locked: %d, want: %d\n", memlock.sl_locked, + MCB_PRCONS("memlock: locked: %d, want: %d\n", memlock.sl_locked, memlock.sl_want); return (EBUSY); } @@ -519,7 +519,7 @@ SYSCTL_STATIC_CHILDREN(/* top of sysctl tree */), OID_AUTO, "cerb", CTLFLAG_RW, 0, "cerb level"); if (root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb, SYSCTL_CHILDREN(root), OID_AUTO, @@ -528,9 +528,10 @@ sysctl_ctx_init(&sctl_cerb_rules); n_root = SYSCTL_ADD_NODE(&sctl_cerb_rules, SYSCTL_CHILDREN(root), - OID_AUTO, "rules", CTLFLAG_RW, 0, "cerb.rules level"); + OID_AUTO, "rules", CTLFLAG_RW, 0, "cerb.rules level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.rules"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.rules"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_rules, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -545,9 +546,9 @@ sysctl_ctx_init(&sctl_cerb_syscalls); n_root = SYSCTL_ADD_NODE(&sctl_cerb_syscalls, SYSCTL_CHILDREN(root), - OID_AUTO, "syscalls", CTLFLAG_RW, 0, "cerb.syscalls level"); + OID_AUTO, "syscalls", CTLFLAG_RW, 0, "cerb.syscalls level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.syscalls"); return (EINVAL); } @@ -557,9 +558,10 @@ sysctl_ctx_init(&sctl_cerb_threads); n_root = SYSCTL_ADD_NODE(&sctl_cerb_threads, SYSCTL_CHILDREN(root), - OID_AUTO, "threads", CTLFLAG_RW, 0, "cerb.threads level"); + OID_AUTO, "threads", CTLFLAG_RW, 0, "cerb.threads level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.threads"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.threads"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_threads, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -570,9 +572,10 @@ #ifdef CERB_SAFEMALLOC sysctl_ctx_init(&sctl_cerb_mem); n_root = SYSCTL_ADD_NODE(&sctl_cerb_mem, SYSCTL_CHILDREN(root), - OID_AUTO, "mem", CTLFLAG_RW, 0, "cerb.mem level"); + OID_AUTO, "mem", CTLFLAG_RW, 0, "cerb.mem level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.mem"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.mem"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_mem, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -590,9 +593,10 @@ sysctl_ctx_init(&sctl_cerb_fdesc); n_root = SYSCTL_ADD_NODE(&sctl_cerb_fdesc, SYSCTL_CHILDREN(root), - OID_AUTO, "fdesc", CTLFLAG_RW, 0, "cerb.fdesc level"); + OID_AUTO, "fdesc", CTLFLAG_RW, 0, "cerb.fdesc level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.fdesc"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.fdesc"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_fdesc, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -608,9 +612,10 @@ sysctl_ctx_init(&sctl_cerb_ask); n_root = SYSCTL_ADD_NODE(&sctl_cerb_ask, SYSCTL_CHILDREN(root), - OID_AUTO, "ask", CTLFLAG_RW, 0, "cerb.ask level"); + OID_AUTO, "ask", CTLFLAG_RW, 0, "cerb.ask level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.ask"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.ask"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_ask, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -629,9 +634,10 @@ #ifdef CERB_TRACE sysctl_ctx_init(&sctl_cerb_trace); n_root = SYSCTL_ADD_NODE(&sctl_cerb_trace, SYSCTL_CHILDREN(root), - OID_AUTO, "trace", CTLFLAG_RW, 0, "cerb.trace level"); + OID_AUTO, "trace", CTLFLAG_RW, 0, "cerb.trace level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.trace"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.trace"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_trace, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -645,9 +651,10 @@ sysctl_ctx_init(&sctl_cerb_misc); n_root = SYSCTL_ADD_NODE(&sctl_cerb_misc, SYSCTL_CHILDREN(root), - OID_AUTO, "misc", CTLFLAG_RW, 0, "cerb.misc level"); + OID_AUTO, "misc", CTLFLAG_RW, 0, "cerb.misc level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.misc"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.misc"); return (EINVAL); } SYSCTL_ADD_PROC(&sctl_cerb_misc, SYSCTL_CHILDREN(n_root), OID_AUTO, @@ -659,9 +666,10 @@ sysctl_ctx_init(&sctl_cerb_version); n_root = SYSCTL_ADD_NODE(&sctl_cerb_version, SYSCTL_CHILDREN(root), - OID_AUTO, "version", CTLFLAG_RW, 0, "cerb.version level"); + OID_AUTO, "version", CTLFLAG_RW, 0, "cerb.version level"); if (n_root == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.version"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.version"); return (EINVAL); } SYSCTL_ADD_UINT(&sctl_cerb_version, SYSCTL_CHILDREN(n_root), Index: cerb_trace.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_trace.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -d -r1.12 -r1.13 --- cerb_trace.c 2 Jul 2003 03:36:28 -0000 1.12 +++ cerb_trace.c 13 Jul 2003 17:51:01 -0000 1.13 @@ -54,9 +54,6 @@ #endif } -/* - * If stat == 1, fcb_tree_gen() was called on conferr. - */ void fcb_trace_gen(struct scb_thdata *th) { @@ -64,7 +61,7 @@ struct scb_labhead *labels_head; #endif - fcb_printf(CB_PRNT_CONSOLE, "TRACE START:\n"); + MCB_PRCONS("TRACE START:\n"); if (vcb_head != NULL) { #ifdef CERB_LABELS labels_head = fcb_tree_labels(vcb_head, vcb_nrules); @@ -74,7 +71,7 @@ fcb_trace_show(th, vcb_head, 0, CB_PRNT_CONSOLE); #endif } - fcb_printf(CB_PRNT_CONSOLE, "TRACE END.\n"); + MCB_PRCONS("TRACE END.\n"); } void Index: cerb_urules.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_urules.c,v retrieving revision 1.78 retrieving revision 1.79 diff -u -d -r1.78 -r1.79 --- cerb_urules.c 2 Jul 2003 09:03:18 -0000 1.78 +++ cerb_urules.c 13 Jul 2003 17:51:01 -0000 1.79 @@ -41,6 +41,9 @@ #include "cerb_action.h" #include "cerb_tree.h" #include "cerb_urules.h" +#ifdef _KERNEL +#include "cerb_string.h" +#endif #ifdef _KERNEL @@ -274,7 +277,7 @@ if (tmp != NULL) { /* Clearing old rules. */ - uprintf("CLEARING TABLE %d\n", uap->ca_ntab); + MCB_PRSTDOUT("CLEARING TABLE %d\n", uap->ca_ntab); for (i = 0; i < ntmp; ++i) fcb_rule_free(&tmp[i]); MCB_FREE_L(tmp); @@ -458,7 +461,7 @@ if (size >= CB_MAXSTRSIZE_G) { MCB_XERROR("String too long: " "%u (should be less than " - "%u).\n", (u_int)size, + "%u).", (u_int)size, CB_MAXSTRSIZE_G); return (EINVAL); } @@ -467,7 +470,7 @@ if (size >= CB_MAXDEFPSIZE_G) { MCB_XERROR("Table too big: %u " "(should be less than " - "%u).\n", (u_int)size, + "%u).", (u_int)size, CB_MAXDEFPSIZE_G); return (EINVAL); } @@ -746,15 +749,15 @@ }; if (scno >= SYS_MAXSYSCALL) { - printf("kcerb: Syscall number to big: %u.\n", scno); + MCB_PRSTDOUT("kcerb: Syscall number to big: %u.\n", scno); return (0); } tabsize = sizeof(invalid_scalls) / sizeof(u_int); for (i = 0; i < tabsize; ++i) { if (scno == invalid_scalls[i]) { - printf("kcerb: Syscall ,,%s'' can't be catched.\n", - syscallnames[scno]); + MCB_PRSTDOUT("kcerb: Syscall ,,%s'' can't be " + "catched.\n", syscallnames[scno]); return (0); } } Index: cerb_usersysctl.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_usersysctl.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- cerb_usersysctl.c 1 Jul 2003 10:09:29 -0000 1.4 +++ cerb_usersysctl.c 13 Jul 2003 17:51:01 -0000 1.5 @@ -20,6 +20,7 @@ #include "cerb_malloc.h" #include "cerb_sysctl.h" #include "cerb_usersysctl.h" +#include "cerb_string.h" #include "libkcerb.h" @@ -96,7 +97,8 @@ oidp = SYSCTL_ADD_NODE(&scn->scn_list, SYSCTL_CHILDREN(oidp), OID_AUTO, "user", CTLFLAG_RW, 0, "cerb.user level"); if (oidp == NULL) { - printf("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", "cerb.user"); + MCB_PRSTDOUT("CerbNG: SYSCTL_ADD_NODE(%s) failed!\n", + "cerb.user"); fcb_free(scn); return (EINVAL); Index: cerb_usmalloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_usmalloc.c,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- cerb_usmalloc.c 12 Jul 2003 23:26:35 -0000 1.15 +++ cerb_usmalloc.c 13 Jul 2003 17:51:01 -0000 1.16 @@ -58,7 +58,7 @@ out = vm->vm_daddr + ctob(vm->vm_dsize) - size; #ifdef CB_DEBUG_USM - MCB_DEBUG("Allocated address at: %p, %lu.\n", out, (u_long)size); + MCB_DEBUG("Allocated address at: %p, %lu.", out, (u_long)size); #endif return (out); } @@ -100,7 +100,7 @@ } SLIST_INSERT_HEAD(&th->thd_usm_prot_head, up, up_next); #ifdef CB_DEBUG_USM - MCB_DEBUG("Added %p: %p-%p\n", (void *)up->up_map, (void *)up->up_start, + MCB_DEBUG("Added %p: %p-%p.", (void *)up->up_map, (void *)up->up_start, (void *)up->up_end); #endif } @@ -116,7 +116,7 @@ fcb_usm_vm_map_protect(up->up_map, up->up_start, up->up_end, VM_PROT_ALL); #ifdef CB_DEBUG_USM - MCB_DEBUG("Protection ALL %p: %p-%p\n", (void *)up->up_map, + MCB_DEBUG("Protection ALL %p: %p-%p.", (void *)up->up_map, (void *)up->up_start, (void *)up->up_end); #endif fcb_free(up); @@ -139,7 +139,7 @@ int error; #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_copy: src=%p dst=%p size=%lu.\n", src, dst, + MCB_DEBUG("usm_copy: src=%p dst=%p size=%lu.", src, dst, (u_long)size); #endif start = (vm_offset_t)dst; @@ -162,7 +162,7 @@ if (error != 0) { #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_copy: error=%d\n", error); + MCB_DEBUG("usm_copy: error=%d.", error); #endif return (error); } @@ -171,7 +171,7 @@ if (bcmp(src, (void *)start, size) != 0) { error = EINVAL; #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_copy: comparsion error=%d\n", error); + MCB_DEBUG("usm_copy: comparsion error=%d.", error); #endif } @@ -187,7 +187,7 @@ int error; #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_store: dst=%p val=%p.\n", dst, val); + MCB_DEBUG("usm_store: dst=%p val=%p.", dst, val); #endif start = (vm_offset_t)dst; end = (vm_offset_t)dst + sizeof(void *); @@ -209,7 +209,7 @@ if (error != 0) { #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_store: error=%d\n", error); + MCB_DEBUG("usm_store: error=%d.", error); #endif return (error); } @@ -218,7 +218,7 @@ if (bcmp(&val, (void *)start, sizeof(void *)) != 0) { error = EINVAL; #ifdef CB_DEBUG_USM - MCB_DEBUG("usm_store: comparsion error=%d\n", error); + MCB_DEBUG("usm_store: comparsion error=%d.", error); #endif } @@ -248,7 +248,7 @@ */ return (EINVAL); } else - MCB_DEBUG("new == base!\n"); + MCB_DEBUG("new == base!"); if (new > old) { vm_size_t diff; |
From: <da...@us...> - 2003-07-12 23:26:37
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv31120 Modified Files: cerb_usmalloc.c Log Message: Use MCB_DEBUG() macro instead of printf(). Index: cerb_usmalloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_usmalloc.c,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- cerb_usmalloc.c 12 Jul 2003 22:03:04 -0000 1.14 +++ cerb_usmalloc.c 12 Jul 2003 23:26:35 -0000 1.15 @@ -100,8 +100,8 @@ } SLIST_INSERT_HEAD(&th->thd_usm_prot_head, up, up_next); #ifdef CB_DEBUG_USM - printf("%s: Added %p: %p-%p\n", __func__, (void *)up->up_map, - (void *)up->up_start, (void *)up->up_end); + MCB_DEBUG("Added %p: %p-%p\n", (void *)up->up_map, (void *)up->up_start, + (void *)up->up_end); #endif } @@ -116,7 +116,7 @@ fcb_usm_vm_map_protect(up->up_map, up->up_start, up->up_end, VM_PROT_ALL); #ifdef CB_DEBUG_USM - printf("%s: Protection ALL %p: %p-%p\n", __func__, (void *)up->up_map, + MCB_DEBUG("Protection ALL %p: %p-%p\n", (void *)up->up_map, (void *)up->up_start, (void *)up->up_end); #endif fcb_free(up); |
From: <da...@us...> - 2003-07-12 22:03:08
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv13015 Modified Files: cerb_syscalls.c cerb_thread.c cerb_thread.h cerb_usmalloc.c cerb_usmalloc.h Log Message: Fixed 'Bus error' for some special situations. Reported by: Dariusz Kulinski <ta...@ta...> We need to remember all pages that we've changed protection and their vm_maps and restore protection before freeing them. Because in FreeBSD's VM specification 'max_protection' could not be increased, we need to our local version of vm_map_protect() function, that will allow for this. It was also optimised for cerb. Discussed with: Alan L. Cox <alc@FreeBSD.org> Index: cerb_syscalls.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_syscalls.c,v retrieving revision 1.52 retrieving revision 1.53 diff -u -d -r1.52 -r1.53 --- cerb_syscalls.c 26 Jun 2003 08:44:38 -0000 1.52 +++ cerb_syscalls.c 12 Jul 2003 22:03:03 -0000 1.53 @@ -162,8 +162,7 @@ tcb_op[CB_CALL_O](th, NULL, 0, &retv, CB_CALL_O); ret = retv.v_ret; end: - if (th->thd_syscall != SYS_execve) - fcb_usm_clear(th); + fcb_usm_cleanup(th, ret); fcb_mtemp_clear(th); #ifdef CERB_TRACE fcb_trace_clear(th); Index: cerb_thread.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_thread.c,v retrieving revision 1.25 retrieving revision 1.26 diff -u -d -r1.25 -r1.26 --- cerb_thread.c 29 Jun 2003 16:40:53 -0000 1.25 +++ cerb_thread.c 12 Jul 2003 22:03:03 -0000 1.26 @@ -80,10 +80,11 @@ tmp->thd_errno = errno; tmp->thd_step = step; tmp->thd_jmpval = 0; - tmp->thd_usm_end = NULL; tmp->thd_grlock = -1; tmp->thd_suspendid = 0; LIST_INIT(&tmp->thd_mtemp_head); + tmp->thd_usm_end = NULL; + SLIST_INIT(&tmp->thd_usm_prot_head); #ifdef CERB_TRACE STAILQ_INIT(&tmp->thd_trace_head); #endif @@ -128,7 +129,7 @@ for (i = 0; i < CB_NREGS_G; ++i) fcb_regfree(tmp, i); if (tmp->thd_proc != NULL) - fcb_usm_clear(tmp); + fcb_usm_cleanup(tmp, 0); fcb_mtemp_clear(tmp); MCB_FREE(tmp); } Index: cerb_thread.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_thread.h,v retrieving revision 1.22 retrieving revision 1.23 diff -u -d -r1.22 -r1.23 --- cerb_thread.h 26 Jun 2003 08:44:38 -0000 1.22 +++ cerb_thread.h 12 Jul 2003 22:03:04 -0000 1.23 @@ -28,6 +28,7 @@ struct scb_val; struct scb_mtemp; +struct scb_usm_prot; #ifdef CERB_TRACE struct scb_trace; #endif @@ -41,10 +42,11 @@ jmp_buf thd_jmpbuf; u_int thd_jmpval; u_int thd_step; - caddr_t thd_usm_end; int thd_grlock; u_int thd_suspendid; LIST_HEAD(, scb_mtemp) thd_mtemp_head; + caddr_t thd_usm_end; + SLIST_HEAD(, scb_usm_prot) thd_usm_prot_head; #ifdef CERB_TRACE STAILQ_HEAD(, scb_trace) thd_trace_head; #endif Index: cerb_usmalloc.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_usmalloc.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -d -r1.13 -r1.14 --- cerb_usmalloc.c 23 Jun 2003 15:11:34 -0000 1.13 +++ cerb_usmalloc.c 12 Jul 2003 22:03:04 -0000 1.14 @@ -31,6 +31,11 @@ #include "cerb_usmalloc.h" +int fcb_usm_vm_map_protect(vm_map_t map, vm_offset_t start, vm_offset_t end, + vm_prot_t new_prot); +int fcb_usm_obreak(struct vmspace *vm, char *nsize); + + void * fcb_usm_alloc(struct scb_thdata *th, size_t size) { @@ -58,7 +63,7 @@ return (out); } -void +static void fcb_usm_clear(struct scb_thdata *th) { @@ -79,6 +84,47 @@ #endif } +static void +fcb_usm_add_prot(struct scb_thdata *th, register struct scb_usm_prot *up) +{ + register struct scb_usm_prot *cur; + + SLIST_FOREACH(cur, &th->thd_usm_prot_head, up_next) { + if (cur->up_map == up->up_map && + cur->up_start == up->up_start && + cur->up_end == up->up_end) { + /* Already exists. */ + fcb_free(up); + return; + } + } + SLIST_INSERT_HEAD(&th->thd_usm_prot_head, up, up_next); +#ifdef CB_DEBUG_USM + printf("%s: Added %p: %p-%p\n", __func__, (void *)up->up_map, + (void *)up->up_start, (void *)up->up_end); +#endif +} + +void +fcb_usm_cleanup(register struct scb_thdata *th, int ret) +{ + register struct scb_usm_prot *up; + + while (!SLIST_EMPTY(&th->thd_usm_prot_head)) { + up = SLIST_FIRST(&th->thd_usm_prot_head); + SLIST_REMOVE_HEAD(&th->thd_usm_prot_head, up_next); + fcb_usm_vm_map_protect(up->up_map, up->up_start, up->up_end, + VM_PROT_ALL); +#ifdef CB_DEBUG_USM + printf("%s: Protection ALL %p: %p-%p\n", __func__, (void *)up->up_map, + (void *)up->up_start, (void *)up->up_end); +#endif + fcb_free(up); + } + if (th->thd_syscall != SYS_execve || ret != 0) + fcb_usm_clear(th); +} + /* * When we're changing syscall argument, we should allocate new portion * of memory in process' vmspace, copy data there and change syscall @@ -87,8 +133,9 @@ int fcb_usm_copy(struct scb_thdata *th, void *src, void *dst, size_t size) { - vm_offset_t start, end; vm_map_t map = &th->thd_proc->p_vmspace->vm_map; + vm_offset_t start, end; + struct scb_usm_prot *up; int error; #ifdef CB_DEBUG_USM @@ -100,17 +147,18 @@ /* * We have to set both ,,protection'' and ,,max_protection''. */ - /* Setting ,,max_protection''. */ - vm_map_protect(map, start, end, VM_PROT_ALL, TRUE); - /* Setting ,,protection''. */ - vm_map_protect(map, start, end, VM_PROT_ALL, FALSE); + fcb_usm_vm_map_protect(map, start, end, VM_PROT_ALL); error = copyout(src, (void *)start, size); - /* ===> Here could be a race condition. */ + /* ===> [1] Here could be a race condition. */ - /* Setting ,,max_protection'' (this sets ,,protection'' as well). */ - vm_map_protect(map, start, end, VM_PROT_READ, TRUE); + fcb_usm_vm_map_protect(map, start, end, VM_PROT_READ); + up = fcb_malloc(sizeof(struct scb_usm_prot)); + up->up_map = map; + up->up_start = start; + up->up_end = end; + fcb_usm_add_prot(th, up); if (error != 0) { #ifdef CB_DEBUG_USM @@ -119,7 +167,7 @@ return (error); } - /* ===> Check if there was a race. */ + /* ===> Check if there [1] was a race. */ if (bcmp(src, (void *)start, size) != 0) { error = EINVAL; #ifdef CB_DEBUG_USM @@ -133,8 +181,9 @@ int fcb_usm_store(struct scb_thdata *th, void *dst, void *val) { - vm_offset_t start, end; vm_map_t map = &th->thd_proc->p_vmspace->vm_map; + vm_offset_t start, end; + struct scb_usm_prot *up; int error; #ifdef CB_DEBUG_USM @@ -145,17 +194,18 @@ /* * We have to set both ,,protection'' and ,,max_protection''. */ - /* Setting ,,max_protection''. */ - vm_map_protect(map, start, end, VM_PROT_ALL, TRUE); - /* Setting ,,protection''. */ - vm_map_protect(map, start, end, VM_PROT_ALL, FALSE); + fcb_usm_vm_map_protect(map, start, end, VM_PROT_ALL); error = copyout(&val, (void *)start, sizeof(void *)); - /* ===> Here could be a race condition. */ + /* ===> [1] Here could be a race condition. */ - /* Setting ,,max_protection'' (this sets ,,protection'' as well). */ - vm_map_protect(map, start, end, VM_PROT_READ, TRUE); + fcb_usm_vm_map_protect(map, start, end, VM_PROT_READ); + up = fcb_malloc(sizeof(struct scb_usm_prot)); + up->up_map = map; + up->up_start = start; + up->up_end = end; + fcb_usm_add_prot(th, up); if (error != 0) { #ifdef CB_DEBUG_USM @@ -164,7 +214,7 @@ return (error); } - /* ===> Check if there was a race. */ + /* ===> Check if there [1] was a race. */ if (bcmp(&val, (void *)start, sizeof(void *)) != 0) { error = EINVAL; #ifdef CB_DEBUG_USM @@ -218,4 +268,136 @@ } return (0); +} + +/* + * vm_map_clip_start: [ internal use only ] + * + * Asserts that the given entry begins at or after + * the specified address; if necessary, + * it splits the entry into two. + */ +#define vm_map_clip_start(map, entry, startaddr) \ +{ \ + if (startaddr > entry->start) \ + _vm_map_clip_start(map, entry, startaddr); \ +} + +extern void _vm_map_clip_start(vm_map_t map, vm_map_entry_t entry, + vm_offset_t start); + +/* + * vm_map_clip_end: [ internal use only ] + * + * Asserts that the given entry ends at or before + * the specified address; if necessary, + * it splits the entry into two. + */ + +#define vm_map_clip_end(map, entry, endaddr) \ +{ \ + if (endaddr < entry->end) \ + _vm_map_clip_end(map, entry, endaddr); \ +} + +extern void _vm_map_clip_end(vm_map_t map, vm_map_entry_t entry, + vm_offset_t end); + +/* + * VM_MAP_RANGE_CHECK: [ internal use only ] + * + * Asserts that the starting and ending region + * addresses fall within the valid range of the map. + */ +#define VM_MAP_RANGE_CHECK(map, start, end) \ + { \ + if (start < vm_map_min(map)) \ + start = vm_map_min(map); \ + if (end > vm_map_max(map)) \ + end = vm_map_max(map); \ + if (start > end) \ + start = end; \ + } + +/* + * vm_map_protect: + * + * Sets the protection of the specified address + * region in the target map. If "set_max" is + * specified, the maximum protection is to be set; + * otherwise, only the current protection is affected. + * + * This version of vm_map_protect() allow increasing + * max_protection, it is needed for my syscall's arguments + * protection mechnism. + * It is also optimised to change bofh (protection and max_protection) + * fields. + */ +int +fcb_usm_vm_map_protect(vm_map_t map, vm_offset_t start, vm_offset_t end, + vm_prot_t new_prot) +{ + vm_map_entry_t current; + vm_map_entry_t entry; + + vm_map_lock(map); + + VM_MAP_RANGE_CHECK(map, start, end); + + if (vm_map_lookup_entry(map, start, &entry)) { + vm_map_clip_start(map, entry, start); + } else { + entry = entry->next; + } + + /* + * Make a first pass to check for protection violations. + */ + + current = entry; + while ((current != &map->header) && (current->start < end)) { + if (current->eflags & MAP_ENTRY_IS_SUB_MAP) { + vm_map_unlock(map); + return (KERN_INVALID_ARGUMENT); + } + current = current->next; + } + + /* + * Go back and fix up protections. [Note that clipping is not + * necessary the second time.] + */ + + current = entry; + + while ((current != &map->header) && (current->start < end)) { + vm_prot_t old_prot; + + vm_map_clip_end(map, current, end); + + old_prot = current->protection; + + current->max_protection = current->protection = new_prot; + /* + * Update physical map if necessary. Worry about copy-on-write + * here -- CHECK THIS XXX + */ + + if (current->protection != old_prot) { +#define MASK(entry) (((entry)->eflags & MAP_ENTRY_COW) ? ~VM_PROT_WRITE : \ + VM_PROT_ALL) + + pmap_protect(map->pmap, current->start, + current->end, + current->protection & MASK(current)); +#undef MASK + } + + vm_map_simplify_entry(map, current); + + current = current->next; + } + + vm_map_unlock(map); + return (KERN_SUCCESS); } Index: cerb_usmalloc.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_usmalloc.h,v retrieving revision 1.8 retrieving revision 1.9 diff -u -d -r1.8 -r1.9 --- cerb_usmalloc.h 23 Jun 2003 15:11:34 -0000 1.8 +++ cerb_usmalloc.h 12 Jul 2003 22:03:04 -0000 1.9 @@ -18,11 +18,18 @@ #include <vm/vm_map.h> +struct scb_usm_prot { + vm_map_t up_map; + vm_offset_t up_start; + vm_offset_t up_end; + SLIST_ENTRY(scb_usm_prot) up_next; +}; + + struct scb_thdata; void *fcb_usm_alloc(struct scb_thdata *th, size_t size); -void fcb_usm_clear(struct scb_thdata *th); +void fcb_usm_cleanup(register struct scb_thdata *th, int ret); int fcb_usm_copy(struct scb_thdata *th, void *src, void *dst, size_t size); int fcb_usm_store(struct scb_thdata *th, void *dst, void *val); -int fcb_usm_obreak(struct vmspace *vm, char *nsize); #endif /* _CERB_USMALLOC_H_ */ |
From: <da...@us...> - 2003-07-11 22:14:28
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv30109 Modified Files: cerb_action.c cerb_addons.c cerb_globals.h cerb_gregs.c Log Message: Structs prison have to treated individually, because we have to manage reference count for every jail. This should fix panics on malloc()+0x2af. Many thanks for submitter of this bug: Pawel Rutkowski <so...@rs...> Index: cerb_action.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_action.c,v retrieving revision 1.123 retrieving revision 1.124 diff -u -d -r1.123 -r1.124 --- cerb_action.c 4 Jul 2003 14:14:01 -0000 1.123 +++ cerb_action.c 11 Jul 2003 22:14:25 -0000 1.124 @@ -68,18 +68,35 @@ if (v->v_id == ECB_EMPTY_I) return; - if (v->v_type == CB_STRPTR_T && v->v_strp != NULL) { + if (MCB_ISVAL(v->v_type) || v->v_ptr == NULL) + goto end; + + if (v->v_type == CB_STRPTR_T) { for (i = 0; i < v->v_size - 1; ++i) { fcb_mtemp_remove(th, v->v_strp[i]); MCB_FREE(v->v_strp[i]); } } - if (MCB_ISPTR(v->v_type)) { + if (v->v_type == CB_ST_PRISON_T) { +#ifdef CB_DEBUG_PRISON + MCB_DEBUG("Decreased reference count for jail %s from %u.", + v->v_prison->pr_host, v->v_prison->pr_ref); +#endif + if (--v->v_prison->pr_ref == 0) { +#ifdef CB_DEBUG_PRISON + MCB_DEBUG("Clearing jail %s.", v->v_prison->pr_host); +#endif + if (v->v_prison->pr_linux != NULL) + FREE(v->v_prison->pr_linux, M_PRISON); + FREE(v->v_prison, M_PRISON); + } + } else if (MCB_ISPTR(v->v_type)) { fcb_mtemp_remove(th, v->v_ptr); MCB_FREE(v->v_ptr); } +end: v->v_id = ECB_EMPTY_I; v->v_val = 0; v->v_type = ECB_EMPTY_I; Index: cerb_addons.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_addons.c,v retrieving revision 1.34 retrieving revision 1.35 diff -u -d -r1.34 -r1.35 --- cerb_addons.c 1 Jul 2003 10:09:29 -0000 1.34 +++ cerb_addons.c 11 Jul 2003 22:14:25 -0000 1.35 @@ -442,9 +442,18 @@ return (size); } case CB_ST_PRISON_T: + if (zone == CB_USR_ZONE) { + MCB_XCONFERR(th, EINVAL, "Prison struct couldn't be " + "put into syscall argument."); + } +#ifdef CB_DEBUG_PRISON + MCB_DEBUG("Increased reference count for jail %s from %u.", + rv->v_prison->pr_host, rv->v_prison->pr_ref); +#endif + rv->v_prison->pr_ref++; + lv->v_prison = rv->v_prison; lv->v_size = sizeof(struct prison); - size = sizeof(struct prison); - break; + return (size); case CB_ST_SOCKADDR_T: switch (rv->v_sockaddr->sa_family) { case AF_INET: @@ -464,9 +473,8 @@ } break; case CB_PTR_T: - lv->v_size = rv->v_size; - size = rv->v_size; - if (lv->v_size == 0) { + size = lv->v_size = rv->v_size; + if (size == 0) { error = EINVAL; goto fail; } @@ -598,7 +606,7 @@ #endif goto fail; } - realsize = size * sizeof(register_t); + realsize = size * sizeof(int); defp = fcb_usm_alloc(th, realsize); if (defp == NULL) { #ifdef CB_DEBUG_GETVAL Index: cerb_globals.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_globals.h,v retrieving revision 1.67 retrieving revision 1.68 diff -u -d -r1.67 -r1.68 --- cerb_globals.h 4 Jul 2003 14:14:01 -0000 1.67 +++ cerb_globals.h 11 Jul 2003 22:14:25 -0000 1.68 @@ -115,6 +115,7 @@ #undef CB_DEBUG_ASK /* debug for ask mechanism */ #define CB_DEBUG_ASK #undef CB_DEBUG_USERSYSCTL /* debug for user sysctl functions */ +#undef CB_DEBUG_PRISON /* debug for actions on jails */ #undef CB_DEBUG_GETVAL /* debug for fcb_getval() function */ #undef CB_DEBUG_OPERR /* debug for operations errors */ Index: cerb_gregs.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_gregs.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -d -r1.12 -r1.13 --- cerb_gregs.c 18 Jun 2003 17:34:55 -0000 1.12 +++ cerb_gregs.c 11 Jul 2003 22:14:25 -0000 1.13 @@ -13,6 +13,7 @@ #include <sys/queue.h> #include <sys/libkern.h> #include <sys/jail.h> +#include <sys/syslog.h> #include "cerb_globals.h" #include "cerb_malloc.h" @@ -90,12 +91,30 @@ if (v->v_id == ECB_EMPTY_I) return; + if (MCB_ISVAL(v->v_type) || v->v_ptr == NULL) + goto end; + if (v->v_type == CB_STRPTR_T && v->v_strp != NULL) { for (i = 0; i < v->v_size; ++i) MCB_FREE(v->v_strp[i]); } - if (MCB_ISPTR(v->v_type)) + if (v->v_type == CB_ST_PRISON_T) { +#ifdef CB_DEBUG_PRISON + MCB_DEBUG("Decreased reference count for jail %s from %u.", + v->v_prison->pr_host, v->v_prison->pr_ref); +#endif + if (--v->v_prison->pr_ref == 0) { +#ifdef CB_DEBUG_PRISON + MCB_DEBUG("Clearing jail %s.", v->v_prison->pr_host); +#endif + if (v->v_prison->pr_linux != NULL) + FREE(v->v_prison->pr_linux, M_PRISON); + FREE(v->v_prison, M_PRISON); + } + } else if (MCB_ISPTR(v->v_type)) { MCB_FREE(v->v_ptr); + } +end: v->v_id = ECB_EMPTY_I; v->v_val = 0; v->v_type = CB_EMPTY_T; |
From: <da...@us...> - 2003-07-08 18:08:58
|
Update of /cvsroot/cerber/lrexec In directory sc8-pr-cvs1:/tmp/cvs-serv23624 Added Files: LICENSE Log Message: Added LICENSE file. --- NEW FILE: LICENSE --- Copyright (c) 2003 Pawel Jakub Dawidek <ni...@ga...> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
From: <da...@us...> - 2003-07-08 18:04:22
|
Update of /cvsroot/cerber/lrexec In directory sc8-pr-cvs1:/tmp/cvs-serv23109 Modified Files: README Log Message: Update README. Index: README =================================================================== RCS file: /cvsroot/cerber/lrexec/README,v retrieving revision 1.2 retrieving revision 1.3 diff -u -d -r1.2 -r1.3 --- README 12 Feb 2003 02:00:52 -0000 1.2 +++ README 8 Jul 2003 18:04:19 -0000 1.3 @@ -7,27 +7,36 @@ */ lrexec provides tight noexec mechanism and execve() logging. +lrexec should compile without any warnings and run without any problems +on FreeBSD 4.x and FreeBSD 5.x systems. sysctl variables: - lrexec.logall: < 0 - log only execve() that isn't permited because of noexec - mechanism, - == 0 - log only unprivileged users success execve() call, + lrexec.logall: < 0 - log only execve() that isn't permited because of + noexec mechanism, + == 0 - log only unprivileged users success execve() + call, > 0 - log every success execve() call. + lrexec.logargs: < 0 - don't log execve() arguments, > 0 - log no more arguments than this sysctl, - == 0 - log every argument (only limit is buffer size defined - in LRE_BUFSIZ #define). - lrexec.exec_group: >= 0 - only root and members of this group are permited - to run non-system binaries, - < 0 - noexec mechanism is off. - lrexec.max_bin_uid: >= 0 - if owner uid of executed binary is bigger than this - sysctl, it is treated as non-system binary, - < 0 - if owner uid of executed binary is equal to real - uid of actual process, then binary is treated as - non-system binary. - lrexec.envclean: 1 - remove LD_* envs when process isn't member of - lrexec.exec_group group, - 0 - don't remove LD_* envs. + == 0 - log every argument (only limit is buffer size + defined in LRE_BUFSIZ #define). + + lrexec.exec_group: >= 0 - only root and members of this group are + permited to run non-system binaries, + < 0 - noexec mechanism is off. + + lrexec.max_bin_uid: >= 0 - if owner uid of executed binary is bigger + than this sysctl, it is treated as non-system + binary, + < 0 - if owner uid of executed binary is equal to + real uid of actual process, then binary is + treated as non-system binary. + + lrexec.envclean: 1 - remove LD_* envs when process isn't member of + lrexec.exec_group group (that's why noexec + mechanism is tighty), + 0 - don't remove LD_* envs. Sample log looks like this: |
From: <da...@us...> - 2003-07-08 17:59:35
|
Update of /cvsroot/cerber/lrexec In directory sc8-pr-cvs1:/tmp/cvs-serv21812 Modified Files: lrexec.c Log Message: - This version is for now FreeBSD independend, it compiles and run on FreeBSD 4.x and FreeBSD 5.x. Tested on: FreeBSD 4.8-STABLE/i386/UP FreeBSD 4.8-STABLE/i386/SMP FreeBSD 5.1-CURRENT/i386/UP FreeBSD 5.1-CURRENT/i386/SMP - Added descriptions for sysctls. - Added log output parsing, non-printable characters are changed to '.'. - Better validaddr() function. Index: lrexec.c =================================================================== RCS file: /cvsroot/cerber/lrexec/lrexec.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- lrexec.c 12 Feb 2003 03:37:53 -0000 1.4 +++ lrexec.c 8 Jul 2003 17:59:24 -0000 1.5 @@ -37,49 +37,126 @@ #define LRE_BUFSIZ 256 -#define LRE_VALIDADDR(addr) (fusword(addr) != -1) + +#if __FreeBSD_version < 500000 +#define PROC_LOCK(p) +#define PROC_UNLOCK(p) +#define mtx_lock(mtx) +#define mtx_unlock(mtx) + +#define LRE_ENTITY (p) +#else +#define LRE_ENTITY (td) +#endif static sy_call_t *lre_old_execve; -SYSCTL_NODE(, OID_AUTO, lrexec, CTLFLAG_RW, 0, "rexec-level"); +SYSCTL_NODE(, OID_AUTO, lrexec, CTLFLAG_RW, 0, "lrexec-level"); static int lre_sysctl_logall = LRE_LOGALL; -SYSCTL_INT(_lrexec, OID_AUTO, logall, CTLFLAG_RW, &lre_sysctl_logall, 0, ""); +SYSCTL_INT(_lrexec, OID_AUTO, logall, CTLFLAG_RW, &lre_sysctl_logall, 0, + "Log also root's calls"); static int lre_sysctl_logargs = LRE_LOGARGS; -SYSCTL_INT(_lrexec, OID_AUTO, logargs, CTLFLAG_RW, &lre_sysctl_logargs, 0, ""); +SYSCTL_INT(_lrexec, OID_AUTO, logargs, CTLFLAG_RW, &lre_sysctl_logargs, 0, + "Log arguments"); static int lre_sysctl_exec_group = LRE_EXEC_GROUP; -SYSCTL_INT(_lrexec, OID_AUTO, exec_group, CTLFLAG_RW, &lre_sysctl_exec_group, 0, ""); +SYSCTL_INT(_lrexec, OID_AUTO, exec_group, CTLFLAG_RW, &lre_sysctl_exec_group, 0, + "Members of this are permited to run own binaries"); static int lre_sysctl_max_bin_uid = LRE_MAX_BIN_UID; -SYSCTL_INT(_lrexec, OID_AUTO, max_bin_uid, CTLFLAG_RW, &lre_sysctl_max_bin_uid, 0, ""); +SYSCTL_INT(_lrexec, OID_AUTO, max_bin_uid, CTLFLAG_RW, &lre_sysctl_max_bin_uid, + 0, "Files with owner UID bigger than that are treated as user's binaries"); static u_int lre_sysctl_envclean = LRE_ENVCLEAN; -SYSCTL_UINT(_lrexec, OID_AUTO, envclean, CTLFLAG_RW, &lre_sysctl_envclean, 0, ""); +SYSCTL_UINT(_lrexec, OID_AUTO, envclean, CTLFLAG_RW, &lre_sysctl_envclean, 0, + "Remove LD_* environment variables"); +/* + * This macro checks if given address is in vmspace of current process. + */ +static __inline int +lre_validaddr(const void *addr) +{ + char buf; + + if (copyin(addr, &buf, sizeof(buf)) == 0) + return (1); + else + return (0); +} + +#define NA '.' +static char * +lre_printable(register u_char *buf) +{ + char *retbuf = buf; + static const u_char allowed_char[] = + { + 0, NA, NA, NA, NA, NA, NA, '\a', + '\b', '\t', '\n', NA, '\v', '\r', NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, 27, NA, NA, NA, NA, + ' ', '!', '"', '#', '$', '%', '&', '\'', + '(', ')', '*', '+', ',', '-', '.', '/', + '0', '1', '2', '3', '4', '5', '6', '7', + '8', '9', ':', ';', '<', '=', '>', '?', + '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G', + 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', + 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', + 'X', 'Y', 'Z', '[', '\\', ']', '^', '_', + '`', 'a', 'b', 'c', 'd', 'e', 'f', 'g', + 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', + 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', + 'x', 'y', 'z', '{', '|', '}', '~', NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA, + NA, NA, NA, NA, NA, NA, NA, NA + }; + + for (; *buf != '\0'; ++buf) + *buf = allowed_char[*buf]; + + return (retbuf); +} + /* check if allowed to run own binaries */ static int -lre_noexec(register struct proc *p) +lre_noexec(register struct ucred *cred) { register int i; - if (p->p_cred->p_ruid == 0 || lre_sysctl_exec_group < 0) + if (cred->cr_uid == 0 || lre_sysctl_exec_group < 0) return (0); - for (i = 0; i < p->p_ucred->cr_ngroups; ++i) { - if (p->p_ucred->cr_groups[i] == lre_sysctl_exec_group) + for (i = 0; i < cred->cr_ngroups; ++i) { + if (cred->cr_groups[i] == (u_int)lre_sysctl_exec_group) return (0); } return (1); } +#if __FreeBSD_version < 500000 static size_t -lre_strlcat(char *dst, const char *src, size_t size) +strlcat(char *dst, const char *src, size_t size) { register const char *s; register char *d; @@ -106,6 +183,7 @@ *d = '\0'; return (dlen + (s - src)); } +#endif static int lre_envclean(char **envv) @@ -115,11 +193,11 @@ if (!lre_sysctl_envclean) return (0); - if (!LRE_VALIDADDR(envv)) + if (!lre_validaddr(envv)) return (EFAULT); for (bp = envv; *bp != NULL; ++bp) { - if (!LRE_VALIDADDR(*bp)) + if (!lre_validaddr(*bp)) return (EFAULT); if (strncmp(*bp, "LD_", 3) == 0) { @@ -135,8 +213,18 @@ } static int +#if __FreeBSD_version < 500000 lre_execve(register struct proc *p, register struct execve_args *uap) +#else +lre_execve(register struct thread *td, register struct execve_args *uap) +#endif { +#if __FreeBSD_version < 500000 + struct ucred *cred = p->p_ucred; +#else + struct proc *p = td->td_proc; + struct ucred *cred = td->td_ucred; +#endif register u_int i; struct nameidata nd, *ndp; struct vattr va; @@ -146,108 +234,139 @@ char *retbuf, *freebuf; int error, ret; - if (lre_sysctl_logall == 0 && p->p_cred->p_ruid == 0) - return (lre_old_execve(p, uap)); + if (lre_sysctl_logall == 0 && cred->cr_uid == 0) + return (lre_old_execve(LRE_ENTITY, uap)); - if (lre_sysctl_logall >= 0 || lre_noexec(p)) { + if (lre_sysctl_logall >= 0 || lre_noexec(cred)) { +#if __FreeBSD_version < 500000 ret = textvp_fullpath(p, &retbuf, &freebuf); - if (ret != 0) - retbuf = "[null]"; - snprintf(buf, sizeof(buf), "lrexec: %s(%s) [login=%s pid=%u ruid=%u " - "euid=%u groups=", p->p_comm, retbuf, p->p_session->s_login, - p->p_pid, p->p_cred->p_ruid, p->p_ucred->cr_uid); +#else + ret = vn_fullpath(td, p->p_textvp, &retbuf, &freebuf); +#endif + PROC_LOCK(p); + snprintf(buf, sizeof(buf), "lrexec: %s%s%s%s [login=%s pid=%u " + "ruid=%u euid=%u groups=", p->p_comm, ret == 0 ? "(" : "", + ret == 0 ? retbuf : "", ret == 0 ? ")" : "", + p->p_session->s_login, p->p_pid, +#if __FreeBSD_version < 500000 + p->p_cred->p_ruid, +#else + cred->cr_ruid, +#endif + p->p_ucred->cr_uid); + PROC_UNLOCK(p); if (ret == 0) free(freebuf, M_TEMP); - for (i = 0; i < p->p_ucred->cr_ngroups - 1; i++) { - snprintf(tmpbuf, sizeof(tmpbuf), "%u,", p->p_ucred->cr_groups[i]); - lre_strlcat(buf, tmpbuf, sizeof(buf)); + for (i = 0; i < (u_int)cred->cr_ngroups - 1; i++) { + snprintf(tmpbuf, sizeof(tmpbuf), "%u,", cred->cr_groups[i]); + strlcat(buf, tmpbuf, sizeof(buf)); } - snprintf(tmpbuf, sizeof(tmpbuf), "%u] -> ", p->p_ucred->cr_groups[i]); - lre_strlcat(buf, tmpbuf, sizeof(buf)); + snprintf(tmpbuf, sizeof(tmpbuf), "%u] -> ", cred->cr_groups[i]); + strlcat(buf, tmpbuf, sizeof(buf)); } - if (lre_noexec(p)) { + if (lre_noexec(cred)) { error = lre_envclean(uap->envv); if (error != 0) return (error); ndp = &nd; - NDINIT(ndp, LOOKUP, FOLLOW | SAVENAME, UIO_USERSPACE, uap->fname, p); + mtx_lock(&Giant); + NDINIT(ndp, LOOKUP, FOLLOW | SAVENAME, UIO_USERSPACE, + uap->fname, LRE_ENTITY); error = namei(ndp); - if (error != 0) + if (error != 0) { + mtx_unlock(&Giant); return (error); - error = VOP_GETATTR(ndp->ni_vp, &va, p->p_ucred, p); - VOP_UNLOCK(ndp->ni_vp, 0, p); + } + error = VOP_GETATTR(ndp->ni_vp, &va, cred, LRE_ENTITY); + VOP_UNLOCK(ndp->ni_vp, 0, LRE_ENTITY); if (ndp->ni_vp) { NDFREE(ndp, NDF_ONLY_PNBUF); vrele(ndp->ni_vp); } + mtx_unlock(&Giant); if (error != 0) return (error); - if ((lre_sysctl_max_bin_uid >= 0 && va.va_uid > lre_sysctl_max_bin_uid) || - (lre_sysctl_max_bin_uid < 0 && va.va_uid != p->p_cred->p_ruid)) { - lre_strlcat(buf, "permission denied: ", sizeof(buf)); - lre_strlcat(buf, uap->fname, sizeof(buf)); + if ((lre_sysctl_max_bin_uid >= 0 && + va.va_uid > (u_int)lre_sysctl_max_bin_uid) || + (lre_sysctl_max_bin_uid < 0 && + va.va_uid != cred->cr_uid)) { + strlcat(buf, "permission denied: ", sizeof(buf)); + strlcat(buf, uap->fname, sizeof(buf)); error = EACCES; goto end; } } if (lre_sysctl_logall < 0) - return (lre_old_execve(p, uap)); + return (lre_old_execve(LRE_ENTITY, uap)); if (lre_sysctl_logargs >= 0) { - if (!LRE_VALIDADDR(uap->argv) || !LRE_VALIDADDR(uap->argv[0])) + if (!lre_validaddr(uap->argv) || !lre_validaddr(uap->argv[0])) return (EFAULT); snprintf(args, sizeof(args), " [args: \"%s\"", uap->argv[0]); for (i = 1; uap->argv[i] != NULL; ++i) { - if (!LRE_VALIDADDR(uap->argv[i])) + if (!lre_validaddr(uap->argv[i])) return (EFAULT); - if (lre_sysctl_logargs > 0 && i >= lre_sysctl_logargs) { - lre_strlcat(args, " ...", sizeof(args)); + if (lre_sysctl_logargs > 0 && + i >= (u_int)lre_sysctl_logargs) { + strlcat(args, " ...", sizeof(args)); break; } - lre_strlcat(args, " \"", sizeof(args)); - lre_strlcat(args, uap->argv[i], sizeof(args)); - lre_strlcat(args, "\"", sizeof(args)); + strlcat(args, " \"", sizeof(args)); + strlcat(args, uap->argv[i], sizeof(args)); + strlcat(args, "\"", sizeof(args)); } - lre_strlcat(args, "]", sizeof(args)); + strlcat(args, "]", sizeof(args)); } - oldeuid = p->p_ucred->cr_uid; - oldegid = p->p_ucred->cr_gid; + oldeuid = cred->cr_uid; + oldegid = cred->cr_gid; - error = lre_old_execve(p, uap); + error = lre_old_execve(LRE_ENTITY, uap); if (error != 0) return (error); - lre_strlcat(buf, p->p_comm, sizeof(buf)); - lre_strlcat(buf, "(", sizeof(buf)); + PROC_LOCK(p); + strlcat(buf, p->p_comm, sizeof(buf)); + PROC_UNLOCK(p); +#if __FreeBSD_version < 500000 ret = textvp_fullpath(p, &retbuf, &freebuf); - if (ret != 0) - retbuf = "[null]"; - lre_strlcat(buf, retbuf, sizeof(buf)); - if (ret == 0) +#else + ret = vn_fullpath(td, p->p_textvp, &retbuf, &freebuf); +#endif + if (ret == 0) { + strlcat(buf, "(", sizeof(buf)); + strlcat(buf, retbuf, sizeof(buf)); + strlcat(buf, ")", sizeof(buf)); free(freebuf, M_TEMP); - lre_strlcat(buf, ")", sizeof(buf)); - - if (oldeuid != p->p_ucred->cr_uid || oldegid != p->p_ucred->cr_gid) { - lre_strlcat(buf, " [", sizeof(buf)); - if (oldeuid != p->p_ucred->cr_uid) { - snprintf(tmpbuf, sizeof(tmpbuf), "euid=%u", p->p_ucred->cr_uid); - lre_strlcat(buf, tmpbuf, sizeof(buf)); - if (oldegid != p->p_ucred->cr_gid) - lre_strlcat(buf, ", ", sizeof(buf)); + } +#if __FreeBSD_version < 500000 + cred = p->p_ucred; +#else + cred_update_thread(td); + cred = td->td_ucred; +#endif + if (oldeuid != cred->cr_uid || oldegid != cred->cr_gid) { + strlcat(buf, " [", sizeof(buf)); + if (oldeuid != cred->cr_uid) { + snprintf(tmpbuf, sizeof(tmpbuf), "euid=%u", + cred->cr_uid); + strlcat(buf, tmpbuf, sizeof(buf)); + if (oldegid != cred->cr_gid) + strlcat(buf, ", ", sizeof(buf)); } - if (oldegid != p->p_ucred->cr_gid) { - snprintf(tmpbuf, sizeof(tmpbuf), "egid=%u", p->p_ucred->cr_gid); - lre_strlcat(buf, tmpbuf, sizeof(buf)); + if (oldegid != cred->cr_gid) { + snprintf(tmpbuf, sizeof(tmpbuf), "egid=%u", + cred->cr_gid); + strlcat(buf, tmpbuf, sizeof(buf)); } - lre_strlcat(buf, "]", sizeof(buf)); + strlcat(buf, "]", sizeof(buf)); } if (lre_sysctl_logargs >= 0) - lre_strlcat(buf, args, sizeof(args)); + strlcat(buf, args, sizeof(args)); end: - log(LOG_INFO, "%s\n", buf); + log(LOG_INFO, "%s\n", lre_printable(buf)); return (error); } |
From: <da...@us...> - 2003-07-07 12:16:20
|
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv14709 Modified Files: restricted-msgbuf.cb Log Message: Added logging jailhost. Submitted by: Pawel Rutkowski <so...@rs...> Index: restricted-msgbuf.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/restricted-msgbuf.cb,v retrieving revision 1.1 retrieving revision 1.2 diff -u -d -r1.1 -r1.2 --- restricted-msgbuf.cb 7 Jul 2003 11:58:35 -0000 1.1 +++ restricted-msgbuf.cb 7 Jul 2003 12:16:18 -0000 1.2 @@ -49,8 +49,8 @@ if (reg[0] == "kern.msgbuf" || reg[0] == "machdep.msgbuf") { if (ruid == 0 && isjailed() && !(RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT)) { - log(LOG_INFO, "Jailed root isn't permitted to read sysctl %s", - reg[0]); + log(LOG_INFO, "Jailed root isn't permitted to read sysctl %s (jailhost: %s)", + reg[0], getjailhost()); return EPERM; } if (ruid > 0 && ismember(RESTRICTED_MSGBUF_GID, groups) < 0) { |
From: <da...@us...> - 2003-07-07 11:58:38
|
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv12006 Added Files: restricted-msgbuf.cb Log Message: Added policy restricted-msgbuf for protecting sysctls kern.msgbuf and machdep.msgbuf. Requested by: Pawel Rutkowski <pa...@rs...> --- NEW FILE: restricted-msgbuf.cb --- /* * Policy: restricted-msgbuf. * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: restricted-msgbuf.cb,v 1.1 2003/07/07 11:58:35 dawidek Exp $ */ /* * This policy protects sysctls: kern.msgbuf, machdep.msgbuf. * Only non-jailed root and members of group 'msgbuf' are permitted to read * them by default. Permitted group ID could be changed via sysctl * cerb.user.restricted_msgbuf.gid. We could also permit reading to jailed * root by setting cerb.user.restricted_msgbuf.allow_jailed_root to 1. * * Idea of this policy from: Pawel Rutkowski <pa...@rs...> */ #include "addons.cbh" #if CERB_VERSION < 2003032101 #error Newer CerbNG required for this policy. #endif #define RESTRICTED_MSGBUF_GID GET_GID("msgbuf") /* Don't allow jailed root to see those sysctls. */ #define RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT 0 beginrules REGISTER("restricted-msgbuf") #if CERB_VERSION >= 2003062901 if (INITRUN()) { crsysctl("restricted_msgbuf"); crsysctl("restricted_msgbuf.gid", RESTRICTED_MSGBUF_GID); #undef RESTRICTED_MSGBUF_GID #define RESTRICTED_MSGBUF_GID CB_SYSCTL("restricted_msgbuf.gid") crsysctl("restricted_msgbuf.allow_jailed_root", RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT); #undef RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT #define RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT CB_SYSCTL("restricted_msgbuf.allow_jailed_root") } #endif ADD_SYSCALL(SYS___sysctl); if(syscall == SYS___sysctl && !isnull(arg[2])) { reg[0] = sysctlname(tabrange(arg[0], arg[1])); if (reg[0] == "kern.msgbuf" || reg[0] == "machdep.msgbuf") { if (ruid == 0 && isjailed() && !(RESTRICTED_MSGBUF_ALLOW_JAILED_ROOT)) { log(LOG_INFO, "Jailed root isn't permitted to read sysctl %s", reg[0]); return EPERM; } if (ruid > 0 && ismember(RESTRICTED_MSGBUF_GID, groups) < 0) { log(LOG_INFO, "User %s isn't permitted to read sysctl %s", login, reg[0]); return EPERM; } } } endrules |
From: <da...@us...> - 2003-07-04 14:14:05
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv29656/kcerb Modified Files: cerb_action.c cerb_globals.h cerb_operations.master Log Message: - Removed gettabsize() operation. There is already size() operation. - Added macro gettabsize() for backward compatibility. Index: cerb_action.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_action.c,v retrieving revision 1.122 retrieving revision 1.123 diff -u -d -r1.122 -r1.123 --- cerb_action.c 2 Jul 2003 03:36:28 -0000 1.122 +++ cerb_action.c 4 Jul 2003 14:14:01 -0000 1.123 @@ -1912,36 +1912,6 @@ } void -fcb_op_gettabsize(CB_OPARGS) -{ - - CB_SHUTUP_COMPILER(); - - if (nvals != 1) { - MCB_XCONFERR(th, EINVAL, "Invalid number of arguments: %u " - "(should be %u).", nvals, 1); - } - - if (!MCB_ISTAB(v[0]->v_type)) { - MCB_XCONFERR(th, EINVAL, "Invalid type of argument %u: %s " - "(should be %s, %s or %s).", 0, tcb_typename[v[0]->v_type], - tcb_typename[CB_STRPTR_T], tcb_typename[CB_DEFPTR_T], - tcb_typename[CB_UDEFPTR_T]); - } - - if (v[0]->v_ptr == NULL) - th->thd_errno = EFAULT; - retv->v_id = ECB_CONST_I; - retv->v_uval = v[0]->v_size; -#if 0 - if (v[0]->v_type == CB_STRPTR_T && retv->v_uval > 0) - retv->v_uval--; -#endif - retv->v_type = CB_UDEF_T; - retv->v_size = 0; -} - -void fcb_op_tabrange(CB_OPARGS) { u_int start, n, end; Index: cerb_globals.h =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_globals.h,v retrieving revision 1.66 retrieving revision 1.67 diff -u -d -r1.66 -r1.67 --- cerb_globals.h 2 Jul 2003 03:36:28 -0000 1.66 +++ cerb_globals.h 4 Jul 2003 14:14:01 -0000 1.67 @@ -15,7 +15,7 @@ #define CB_VERSION_G "CURRENT" /* CerbNG version. */ -#define CERB_VERSION 2003062901 +#define CERB_VERSION 2003070401 #define CB_NREGS_G 50 /* How many registers (in rules) should be allocated */ Index: cerb_operations.master =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_operations.master,v retrieving revision 1.42 retrieving revision 1.43 diff -u -d -r1.42 -r1.43 --- cerb_operations.master 29 Jun 2003 20:50:44 -0000 1.42 +++ cerb_operations.master 4 Jul 2003 14:14:01 -0000 1.43 @@ -129,7 +129,6 @@ "isnull" isnull ISNULL "rmenv" rmenv RMENV "getelem" getelem GETELEM -"gettabsize" gettabsize GETTABSIZE "tabrange" tabrange TABRANGE "ismember" membership ISMEMBER "matchmember" membership MATCHMEMBER |
From: <da...@us...> - 2003-07-04 14:14:03
|
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv29656/examples Modified Files: addons.cbh Log Message: - Removed gettabsize() operation. There is already size() operation. - Added macro gettabsize() for backward compatibility. Index: addons.cbh =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/addons.cbh,v retrieving revision 1.26 retrieving revision 1.27 diff -u -d -r1.26 -r1.27 --- addons.cbh 1 Jul 2003 16:14:06 -0000 1.26 +++ addons.cbh 4 Jul 2003 14:14:00 -0000 1.27 @@ -38,6 +38,10 @@ #define MKNULL(type) null(type) #endif +#if CERB_VERSION >= 2003070401 +#define gettabsize(tab) size(tab) +#endif + #if CERB_VERSION >= 2003033101 #define INITRUN() (syscall == SYS_MAXSYSCALL) |
From: <da...@us...> - 2003-07-04 14:14:03
|
Update of /cvsroot/cerber/cerb-ng/docs In directory sc8-pr-cvs1:/tmp/cvs-serv29656/docs Modified Files: OPERATIONS-PL.txt Log Message: - Removed gettabsize() operation. There is already size() operation. - Added macro gettabsize() for backward compatibility. Index: OPERATIONS-PL.txt =================================================================== RCS file: /cvsroot/cerber/cerb-ng/docs/OPERATIONS-PL.txt,v retrieving revision 1.35 retrieving revision 1.36 diff -u -d -r1.35 -r1.36 --- OPERATIONS-PL.txt 29 Jun 2003 14:42:58 -0000 1.35 +++ OPERATIONS-PL.txt 4 Jul 2003 14:14:00 -0000 1.36 @@ -1030,14 +1030,6 @@ takiej ilo¶ci elementów). EFAULT - Adres tablicy ma warto¶æ NULL. -UDEF:gettabsize(<(DEF|UDEF|STR)PTR:tab>) - DESC: Podaje rozmiar tablicy ,,tab''. - RETURN: Ilo¶æ elementów. - CONFERR: - EINVAL - Niepoprawna liczba argumentów lub typ argumentu. - ERRNO: - EFAULT - Adres tablicy ma warto¶æ NULL. - (STR|(DEF|UDEF|STR)PTR):tabrange(<(STR|(DEF|UDEF|STR)PTR):tab>[,UDEF:start],<UDEF:size>) DESC: Tworzy now± tablicê, która jest wyciêtym kawa³kiem z tablicy ,,tab''. Ów wycinek zaczyna siê od elementu ,,start'' i ma |
From: <da...@us...> - 2003-07-04 14:14:03
|
Update of /cvsroot/cerber/cerb-ng In directory sc8-pr-cvs1:/tmp/cvs-serv29656 Modified Files: cerb_version_history.txt Log Message: - Removed gettabsize() operation. There is already size() operation. - Added macro gettabsize() for backward compatibility. Index: cerb_version_history.txt =================================================================== RCS file: /cvsroot/cerber/cerb-ng/cerb_version_history.txt,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- cerb_version_history.txt 29 Jun 2003 14:42:58 -0000 1.14 +++ cerb_version_history.txt 4 Jul 2003 14:14:00 -0000 1.15 @@ -1,5 +1,8 @@ This file contains CERB_VERSION bumping history. +2003070401: + Removed gettabsize() operation, there is size() operation. + 2003062901: Usage of crsysctl() has changed. |
From: <da...@us...> - 2003-07-04 13:23:19
|
Update of /cvsroot/cerber/cerb-ng/test/optests In directory sc8-pr-cvs1:/tmp/cvs-serv22479 Modified Files: optests.cb optests.master Added Files: basename.cb dirname.cb Log Message: Added regression tests for basename() and dirname() operations. --- NEW FILE: basename.cb --- /* * Policy: basename() operation regression tests. * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: basename.cb,v 1.1 2003/07/04 13:23:15 dawidek Exp $ */ #ifndef OPTESTS #error This policy could only be loaded from optests.cb, not directly! #else if (reg[0] == OPTEST_BASENAME1) { if (basename("/") != "/") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME2) { if (basename(MKNULL(CB_STR_T)) != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME3) { if (basename("") != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME4) { if (basename("abc/def") != "def") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME5) { if (basename("abc/def/ghi/jkl") != "jkl") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME6) { if (basename("abc/") != "abc") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME7) { if (basename("abc/def/ghi/") != "ghi") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_BASENAME8) { if (basename("abc") != "abc") { return (OPTEST_FAIL); } return (OPTEST_OK); } #endif /* OPTESTS */ --- NEW FILE: dirname.cb --- /* * Policy: dirname() operation regression tests. * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: dirname.cb,v 1.1 2003/07/04 13:23:15 dawidek Exp $ */ #ifndef OPTESTS #error This policy could only be loaded from optests.cb, not directly! #else if (reg[0] == OPTEST_DIRNAME1) { if (dirname("/") != "/") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME2) { if (dirname(MKNULL(CB_STR_T)) != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME3) { if (dirname("") != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME4) { if (dirname("abc/def") != "abc") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME5) { if (dirname("abc/def/ghi/jkl") != "abc/def/ghi") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME6) { if (dirname("abc/") != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME7) { if (dirname("abc/def/ghi/") != "abc/def") { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_DIRNAME8) { if (dirname("abc") != ".") { return (OPTEST_FAIL); } return (OPTEST_OK); } #endif /* OPTESTS */ Index: optests.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/test/optests/optests.cb,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- optests.cb 1 Jul 2003 16:15:01 -0000 1.7 +++ optests.cb 4 Jul 2003 13:23:15 -0000 1.8 @@ -26,6 +26,8 @@ #include "genstr.cb" #include "usersysctl.cb" #include "sysctl.cb" +#include "basename.cb" +#include "dirname.cb" } Index: optests.master =================================================================== RCS file: /cvsroot/cerber/cerb-ng/test/optests/optests.master,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- optests.master 1 Jul 2003 16:15:01 -0000 1.6 +++ optests.master 4 Jul 2003 13:23:15 -0000 1.7 @@ -11,3 +11,5 @@ OPTEST GENSTR 36 OPTEST USERSYSCTL 24 OPTEST SYSCTL 10 +OPTEST BASENAME 8 +OPTEST DIRNAME 8 |
From: <da...@us...> - 2003-07-02 13:17:00
|
Update of /cvsroot/cerber/cerb-ng/kcerb In directory sc8-pr-cvs1:/tmp/cvs-serv19902/kcerb Modified Files: cerb_tree.c Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. Index: cerb_tree.c =================================================================== RCS file: /cvsroot/cerber/cerb-ng/kcerb/cerb_tree.c,v retrieving revision 1.39 retrieving revision 1.40 diff -u -d -r1.39 -r1.40 --- cerb_tree.c 2 Jul 2003 09:03:18 -0000 1.39 +++ cerb_tree.c 2 Jul 2003 13:16:56 -0000 1.40 @@ -490,7 +490,7 @@ } MCB_PRINTF_L(where, "--- Syscalls table %u. ---\n", i); for (j = 0; j < SYS_MAXSYSCALL; ++j) { - if (tcb_tabs[ntab].t_scalls[j]) + if (tcb_tabs[i].t_scalls[j]) MCB_PRINTF_L(where, " %s\n", syscallnames[j]); } } |
From: <da...@us...> - 2003-07-02 13:17:00
|
Update of /cvsroot/cerber/cerb-ng/test/optests In directory sc8-pr-cvs1:/tmp/cvs-serv19902/test/optests Added Files: usersysctl.cb Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. --- NEW FILE: usersysctl.cb --- /* * Policy: crsysctl()/rmsysctl() operation regression tests. * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: usersysctl.cb,v 1.1 2003/07/02 13:16:57 dawidek Exp $ */ #ifndef OPTESTS #error This policy could only be loaded from optests.cb, not directly! #else if (reg[0] == OPTEST_USERSYSCTL1) { if (crsysctl("optests_val", -5) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL2) { if (crsysctl("optests_uval", 5u) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_uval") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL3) { if (crsysctl("optests_string", "optest") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_string") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL4) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL5) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.node") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.node") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL6) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.val", -5) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.val") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL7) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.uval", 5u) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.uval") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL8) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.string", "optest") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.string") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL9) { if (crsysctl("optests_val", -123, CTLFLAG_RD) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL10) { if (crsysctl("optests_val", -123, CTLFLAG_RW) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL11) { if (crsysctl("optests_val", -123, CTLFLAG_WR) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL12) { if (crsysctl("optests_val", -123, CTLFLAG_ANYBODY) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL13) { if (crsysctl("optests_val", -123, CTLFLAG_SECURE) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL14) { if (crsysctl("optests_val", -123, CTLFLAG_PRISON) != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL15) { if (crsysctl("optests_val", -123, 555) != EINVAL) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != ENOENT) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL16) { if (crsysctl("optests_val", -123, CTLFLAG_RW | CTLFLAG_NOLOCK) != EINVAL) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != ENOENT) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL17) { if (crsysctl("optests_val", -123, CTLFLAG_RW | CTLFLAG_DYN) != EINVAL) { return (OPTEST_FAIL); } if (rmsysctl("optests_val") != ENOENT) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL18) { if (crsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests_ctl") != EEXIST) { return (OPTEST_FAIL); } if (rmsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL19) { if (crsysctl("optests_ctl", -123) != 0) { return (OPTEST_FAIL); } if (crsysctl("optests_ctl") != EEXIST) { return (OPTEST_FAIL); } if (rmsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL20) { if (crsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests_ctl", -123) != EEXIST) { return (OPTEST_FAIL); } if (rmsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL21) { if (crsysctl("optests.ctl") != ENOENT) { return (OPTEST_FAIL); } if (rmsysctl("optests.ctl") != ENOENT) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL22) { if (crsysctl("optests_ctl", -5) != 0) { return (OPTEST_FAIL); } if (crsysctl("optests_ctl.val", -5) != EINVAL) { return (OPTEST_FAIL); } if (rmsysctl("optests_ctl.val") != ENOENT) { return (OPTEST_FAIL); } if (rmsysctl("optests_ctl") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL23) { if (crsysctl(MKNULL(CB_STR_T)) != EFAULT) { return (OPTEST_FAIL); } if (rmsysctl(MKNULL(CB_STR_T)) != EFAULT) { return (OPTEST_FAIL); } return (OPTEST_OK); } if (reg[0] == OPTEST_USERSYSCTL24) { if (crsysctl("optests") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9.l10") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12") != 0) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12.l13") != ENAMETOOLONG) { return (OPTEST_FAIL); } if (crsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12.l13.l14") != ENAMETOOLONG) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12.l13.l14") != ENOENT) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12.l13") != ENOENT) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11.l12") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9.l10.l11") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9.l10") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8.l9") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7.l8") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6.l7") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5.l6") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4.l5") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests.l4") != 0) { return (OPTEST_FAIL); } if (rmsysctl("optests") != 0) { return (OPTEST_FAIL); } return (OPTEST_OK); } #endif /* OPTESTS */ |
From: <da...@us...> - 2003-07-02 13:16:59
|
Update of /cvsroot/cerber/cerb-ng/ucerb In directory sc8-pr-cvs1:/tmp/cvs-serv19902/ucerb Modified Files: Makefile Added Files: cbctl.1 Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. --- NEW FILE: cbctl.1 --- .\" Copyright (c) 2003 Pawel Jakub Dawidek .\" All rights reserved. .\" .\" $Id: cbctl.1,v 1.1 2003/07/02 13:16:57 dawidek Exp $ .\" .Dd July 1, 2003 .Dt CBCTL \&1 "CerbNG Utilities Manual" .Os .Sh NAME .Nm cbctl .Nd "CerbNG control utility manual page" .Sh SYNOPSIS .Nm .Op Fl alnpt .Op Fl r Ar ruleset .Op Fl f Ar rulesfile .Nm .Op Fl d Ar ruleset .Nm .Op Fl D Ar ruleset .Nm .Op Fl s .Nm .Op Fl h .Sh DESCRIPTION Utility .Nm is designed to comunicate with kernel part of CerbNG. One is able to loaded policies, display them, display catched syscalls, stop cerb and more. .Pp The options are as follows: .Bl -tag -width ".Fl f Ar rulesfile" .It Fl a Loads rules into kernel, but don't set this slot as active. .It Fl d Ar ruleset Displays rules in given slot or in all slots if .Ar ruleset == -1. .It Fl D Ar ruleset Displays syscalls catched by given slot or by all slots if .Ar ruleset == -1. .It Fl f Ar rulesfile Reads rules from .Ar rulesfile instead of stdin. .It Fl h Shows avaliable options. .It Fl l Displays userland lister interpretation (only if .Nm compiled without .Dv NO_LISTER ). .It Fl n Prevents loading rules into running kernel (dry run check). .It Fl p Prevents runing C preprocessor on .Ar rulesfile before start. .It Fl t Displays parsing tree (only if .Nm compiled with .Dv DEBUG ). .It Fl r Ar ruleset Loads rules to specified .Ar ruleset slot (numeric argument). .It Fl s Turns cerb off. .El .Sh FILES .Bl -tag -width ".Pa /usr/local/etc/cerb/policies/" -compact .It Pa /usr/local/etc/cerb/policies/ Example policies. .El .Sh EXAMPLES Loading rules to slot 0 and turning cerb on: .Pp .Dl "cbctl -f /usr/local/etc/cerb/policies/main.cb" .Pp Loading rules to slot 2, but without activating this slot: .Pp .Dl "cbctl -a -r 2 -f examples/passwd.cb" .Pp Stoping cerb: .Pp .Dl "cbctl -s" .Pp Displaying rules from slot 1: .Pp .Dl "cbctl -d 1" .Sh DIAGNOSTICS Exit status is 0 on success, 1 on failure and error message goes to stderr. .Sh SEE ALSO .Xr cerb 7 .Rs .%A Pawel Jakub Dawidek .%A Slawek Zak .%T CerbNG Installation Guide .%O http://cerber.sourceforge.net/docs/HOWTO.html .Re .Rs .%A Slawek Zak .%T CerbNG Configuration Language Reference .%O http://cerber.sourceforge.net/docs/clang-ref-guide.html .Re .Rs .%A Pawel Jakub Dawidek .%A Slawek Zak .%T Rough Guide to CerbNG .%O http://cerber.sourceforge.net/docs/rough-guide.html .Re .Rs .%A Pawel Jakub Dawidek .%A Slawek Zak .%T CerbNG Documentation .%O /usr/local/share/cerb/docs/ .Re .Rs .%T Project HomePage .%O http://cerber.sourceforge.net .Re .Sh AUTHORS This manual page was written by .An Pawel Jakub Dawidek Aq ni...@ga... . Index: Makefile =================================================================== RCS file: /cvsroot/cerber/cerb-ng/ucerb/Makefile,v retrieving revision 1.29 retrieving revision 1.30 diff -u -d -r1.29 -r1.30 --- Makefile 2 Jul 2003 09:03:18 -0000 1.29 +++ Makefile 2 Jul 2003 13:16:57 -0000 1.30 @@ -11,7 +11,7 @@ LEX = flex PROG= cbctl -DESTDIR=/sbin +BINDIR= /sbin BINOWN= root BINGRP= wheel BINMOD= 500 @@ -19,7 +19,8 @@ .if !defined(NO_LISTER) SRCS+= cerb_urules.c cerb_tree.c .endif -NOMAN= yes +MANDIR= /usr/local/man/man +MAN= cbctl.1 #WARNS= 2 CFLAGS+=-I$(.CURDIR)/../kcerb |
From: <da...@us...> - 2003-07-02 13:16:59
|
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv19902/examples Added Files: Makefile scall-sample.cb Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. --- NEW FILE: Makefile --- # # Makefile for example policies # # (c) 2003 Pawel Jakub Dawidek <ni...@ga...> # # $Id: Makefile,v 1.1 2003/07/02 13:16:56 dawidek Exp $ # DESTDIR=/usr/local POLICIES=*.cb *.cbh POLICIESDIR=${DESTDIR}/etc/cerb/policies all: clean: install: ${POLICIES} install -m 755 -o root -g wheel -d ${POLICIESDIR} install -m 644 -o root -g wheel ${POLICIES} ${POLICIESDIR} --- NEW FILE: scall-sample.cb --- /* * Policy: scall-sample.cb * * (c) 2003 Pawel Jakub Dawidek <ni...@ga...> * * $Id: scall-sample.cb,v 1.1 2003/07/02 13:16:56 dawidek Exp $ */ /* * This policy was designed to show how operation scall() works. * I know that it isn't useful as all. * When user with uid >= 1000 will try to execute something, file /tmp/test.cerb * will be created, string "Cerb test" will be inserted there and file will be * closed. */ #include "addons.cbh" beginrules ADD_SYSCALL( SYS_execve ); if (syscall == SYS_execve && ruid >= 1000) { filename = "/tmp/test.cerb"; error = scall(SYS_open, filename, O_WRONLY | O_CREAT, 0640); if (error != 0) { log(LOG_INFO, "error: Cannot open file %s [error=%d].", filename, error); return call(); } desc = retval0; log(LOG_INFO, "File %s opened, descriptor number: %d.", filename, desc); error = scall(SYS_write, desc, "Cerb test.", 10); if (error != 0) { log(LOG_INFO, "error: Cannot write to file %s [error=%d].", filename, error); return call(); } log(LOG_INFO, "String was inserted to file %s.", filename); error = scall(SYS_close, desc); if (error != 0) { log(LOG_INFO, "error: Cannot close file %s [error=%d].", filename, error); return call(); } log(LOG_INFO, "File %s was closed.", filename); return call(); } endrules |
From: <da...@us...> - 2003-07-02 13:16:59
|
Update of /cvsroot/cerber/cerb-ng In directory sc8-pr-cvs1:/tmp/cvs-serv19902 Modified Files: Makefile Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. Index: Makefile =================================================================== RCS file: /cvsroot/cerber/cerb-ng/Makefile,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- Makefile 21 May 2003 05:38:37 -0000 1.7 +++ Makefile 2 Jul 2003 13:16:56 -0000 1.8 @@ -6,7 +6,7 @@ # $Id$ # -SUBDIR = ucerb kcerb test +SUBDIR = ucerb kcerb test examples docs docs/pix tags: $(SRCS) find $(.CURDIR) -type f -name \*.c -o -name \*.h | xargs ctags -dt |
From: <da...@us...> - 2003-07-02 13:16:59
|
Update of /cvsroot/cerber/cerb-ng/docs/pix In directory sc8-pr-cvs1:/tmp/cvs-serv19902/docs/pix Added Files: Makefile Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. --- NEW FILE: Makefile --- # # Makefile for pix # # (c) 2003 Pawel Jakub Dawidek <ni...@ga...> # # $Id: Makefile,v 1.1 2003/07/02 13:16:56 dawidek Exp $ # DESTDIR=/usr/local PICS= cerb.gif cerb2.gif cerber.jpg PICSDIR=${DESTDIR}/share/cerb/pix all: clean: install: ${PICS} install -m 755 -o root -g wheel -d ${PICSDIR} install -m 644 -o root -g wheel ${PICS} ${PICSDIR} |
From: <da...@us...> - 2003-07-02 13:16:59
|
Update of /cvsroot/cerber/cerb-ng/docs In directory sc8-pr-cvs1:/tmp/cvs-serv19902/docs Modified Files: HOWTO-PL.txt clang-ref-guide.html Added Files: Makefile Log Message: - Added manual page for cbctl(1) utility. - Added usersysctl.cb file with regression tests, it should be added in one of previous commits. - Added policy scall-sample.cb with sample usage of scall() operation. - Added Makefiles for examples/, docs/ and docs/pix/ now all this stuff will be installed on 'make install'. - Fixed syscalls displaying. - Updated documentation. --- NEW FILE: Makefile --- # # Makefile for docs # # (c) 2003 Pawel Jakub Dawidek <ni...@ga...> # # $Id: Makefile,v 1.1 2003/07/02 13:16:56 dawidek Exp $ # DESTDIR=/usr/local DOCS= HOWTO-PL.txt HOWTO.html OPERATIONS-PL.txt README-PL.txt DOCS+= SYSCTLS-PL.txt VARIABLES-PL.txt clang-ref-guide.html rough-guide.html DOCSDIR=${DESTDIR}/share/cerb/docs all: clean: install: ${DOCS} install -m 755 -o root -g wheel -d ${DOCSDIR} install -m 644 -o root -g wheel ${DOCS} ${DOCSDIR} Index: HOWTO-PL.txt =================================================================== RCS file: /cvsroot/cerber/cerb-ng/docs/HOWTO-PL.txt,v retrieving revision 1.17 retrieving revision 1.18 diff -u -d -r1.17 -r1.18 --- HOWTO-PL.txt 29 Jun 2003 16:46:16 -0000 1.17 +++ HOWTO-PL.txt 2 Jul 2003 13:16:56 -0000 1.18 @@ -105,16 +105,18 @@ Za³adowane regu³y mo¿na wylistowaæ przez: - # sysctl cerb.rules.show=<NUMER SLOTU> + # cbctl -d <NUMER SLOTU> -a przechwycone syscalle: +Je¶li za <NUMER SLOTU> podamy -1, to zostan± wylistowane regu³y ze wszystkich +slotów. +Przechwycone syscalle natomiast mo¿na zobaczyæ w ten sposób: - # sysctl cerb.syscalls.show=<NUMER SLOTU> + # cbctl -D <NUMER SLOTU> Je¶li ³adujemy regu³y przy pomocy cbctla, to defaultowo umieszczane s± w slocie 0. Mo¿na to zmieniæ uruchamiaj±c cbctl z opcj± '-r'. -Defaultowo slotów jest 3, mo¿na to zmieniæ edytuj±c plik cerb_globals.h -i zmieniaj±c warto¶æ CB_MAXTABS_G. +Defaultowo slotów jest 3, lecz to równie¿ mo¿na to zmieniæ edytuj±c plik +cerb_globals.h i zmieniaj±c warto¶æ CB_MAXTABS_G. Je¶li mamy regu³y w kilku slotach to mo¿emy je zmieniaæ w locie przez: Index: clang-ref-guide.html =================================================================== RCS file: /cvsroot/cerber/cerb-ng/docs/clang-ref-guide.html,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- clang-ref-guide.html 8 Jun 2003 15:50:41 -0000 1.7 +++ clang-ref-guide.html 2 Jul 2003 13:16:56 -0000 1.8 @@ -2,7 +2,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <head> - <title>Cerb Documentation :.: Configuration Language Reference</title> + <title>CerbNG Documentation :.: Configuration Language Reference</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <style type="text/css"> |