Menu
▾
▴
[Cerb-commits] cerb-ng/examples apache.cb,NONE,1.1
|
From: <da...@us...> - 2003-03-30 18:24:12
|
Update of /cvsroot/cerber/cerb-ng/examples
In directory sc8-pr-cvs1:/tmp/cvs-serv10338
Added Files:
apache.cb
Log Message:
Added policy for apache1.3+mod_ssl.
--- NEW FILE: apache.cb ---
/*
* Policy: apache.
*
* (c) 2003 Pawel Jakub Dawidek <ni...@ga...>
*
* $Id: apache.cb,v 1.1 2003/03/30 18:24:09 dawidek Exp $
*/
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/syslog.h>
#include "addons.cbh"
#define APACHE_PNAME "httpd"
#define APACHE_UID GET_UID("nobody")
#define APACHE_GID GET_GID("nobody")
#define APACHE_INODE GET_INODE("/usr/local/sbin/httpd")
#define APACHE_DEV GET_DEV("/usr/local/sbin/httpd")
#define APACHE_PORTS 22,443
#define WWW_UID GET_UID("www")
beginrules
ADD_SYSCALL(
SYS_execve,
SYS_open,
SYS_stat,
SYS_chown,
SYS_chmod,
SYS_unlink,
SYS_bind
);
if (syscall == SYS_execve && ruid == 0) {
if (getinode(arg[0]) == APACHE_INODE &&
getdev(arg[0]) == APACHE_DEV) {
reg[0] = call();
if (reg[0] != 0) {
return(reg[0]);
}
/* everything is correct, removing uid and gid 0 */
setpruid(APACHE_UID);
setpeuid(APACHE_UID);
setprgid(APACHE_GID);
setpegid(APACHE_GID);
setpgroups( [ 65534, 65534 ] );
CB_LOG(LOG_INFO, "Removed uid 0.");
return(0);
}
}
if (finode == APACHE_INODE && fdev == APACHE_DEV && ruid == APACHE_UID) {
if (syscall == SYS_execve) {
CB_LOG(LOG_WARNING, "!WARN! Attempt to run %s(%s)!", arg[0],
realpath(arg[0]));
return(EPERM);
}
if (syscall == SYS_stat) {
if (arg[0] == "/usr/local/etc/apache/ssl.key/server.key") {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)",
pname, syscallname, reg[0]);
return(reg[0]);
}
}
if (syscall == SYS_chmod) {
if (arg[0] @ "/var/run/httpd.mm.*.sem" && arg[1] == 0600) {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)",
pname, syscallname, reg[0]);
return(reg[0]);
}
}
if (syscall == SYS_chown) {
if (arg[0] @ "/var/run/httpd.mm.*.sem" &&
arg[1] == WWW_UID && arg[2] == -1) {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)",
pname, syscallname, reg[0]);
return(reg[0]);
}
}
if (syscall == SYS_unlink) {
if (arg[0] == "/var/run/ssl_scache.db" ||
arg[0] @ "/var/run/ssl_mutex.*" ||
arg[0] @ "/var/run/httpd.lock.*" ||
arg[0] @ "/var/run/httpd.mm.*.sem") {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%A) [ret=%d] (with euid 0)",
pname, syscallname, reg[0]);
return(reg[0]);
}
}
if (syscall == SYS_bind) {
reg[1] = getport(arg[1]);
if (ismember(reg[1], [ APACHE_PORTS ])) {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%u) [ret=%d] (with euid 0)",
pname, syscallname, reg[1], reg[0]);
return(reg[0]);
}
}
if (syscall == SYS_open) {
if (arg[1] == O_RDONLY) {
if (arg[0] == "/usr/local/etc/apache/ssl.crt/server.crt" ||
arg[0] == "/usr/local/etc/apache/ssl.key/server.key") {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], reg[0]);
return(reg[0]);
}
}
if (arg[1] == O_WRONLY) {
if (arg[0] @ "/var/run/ssl_mutex.*" ||
arg[0] @ "/var/run/httpd.lock.*") {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_CREAT | O_WRONLY)) {
if (arg[0] @ "/var/run/ssl_mutex.*") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
if (arg[1] == O_RDWR) {
if (arg[0] == "/var/run/ssl_scache.db") {
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_CREAT | O_RDWR)) {
if (arg[0] == "/var/run/ssl_scache.db") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_CREAT | O_APPEND | O_WRONLY)) {
if (arg[0] == "/var/log/httpd-access.log" ||
arg[0] == "/var/log/httpd-error.log" ||
arg[0] == "/var/log/ssl_engine_log" ||
arg[0] == "/var/log/ssl_request_log") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_TRUNC | O_CREAT | O_WRONLY)) {
if (arg[0] == "/var/run/httpd.pid") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_EXCL | O_CREAT | O_WRONLY)) {
if (arg[0] @ "/var/run/httpd.lock.*") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
if (arg[1] == (O_EXCL | O_CREAT | O_RDWR)) {
if (arg[0] @ "/var/run/httpd.mm.*.sem") {
/* Better be sure and set creation perms to 0600. */
arg[2] = 0600;
reg[0] = sucall();
log(LOG_INFO, "CerbNG:%s: %s(%s, %x, %o) [ret=%d] (with euid 0)",
pname, syscallname, arg[0], arg[1], arg[2], reg[0]);
return(reg[0]);
}
}
}
CB_PREPARE();
}
endrules
|