Menu
▾
▴
[Cerber-commits] cerb-ng/examples end.cb,1.1.1.1,1.2 openssh.cb,1.2,1.3 passwd.cb,1.2,1.3 ping.cb,1.2,1.3 start.cb,1.2,1.3
|
From: <da...@us...> - 2002-09-15 12:38:24
|
Update of /cvsroot/cerber/cerb-ng/examples
In directory usw-pr-cvs1:/tmp/cvs-serv31283/examples
Modified Files:
end.cb openssh.cb passwd.cb ping.cb start.cb
Log Message:
- Updated example files.
- Implemented rest of [gs]etp*() functions and all fd2*() functions.
- Changed MCB_DEBUG() and MCB_XDEBUG() macros to work with format strings.
- Modfied fcb_desc_getname() function.
- Removed old comments.
- Arguments for operations functions are now in CB_OPARGS #define.
Index: end.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/end.cb,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -C2 -d -r1.1.1.1 -r1.2
*** end.cb 10 Aug 2002 19:17:35 -0000 1.1.1.1
--- end.cb 15 Sep 2002 12:38:20 -0000 1.2
***************
*** 1,4 ****
/*
! * Example cerb-ng configuration file on end
*
* $Id$
--- 1,4 ----
/*
! * Example cerb configuration file on end
*
* $Id$
***************
*** 7,11 ****
/* if sugid wasn't defined earlier, it means that we want to block it */
? pruid != peuid || prgid != pegid {
! return(EPERM)
}
/*
--- 7,11 ----
/* if sugid wasn't defined earlier, it means that we want to block it */
? pruid != peuid || prgid != pegid {
! return(EPERM);
}
/*
***************
*** 18,22 ****
syscall == kldunload ||
syscall == reboot {
! return(EPERM)
}
! return(call())
--- 18,28 ----
syscall == kldunload ||
syscall == reboot {
! return(EPERM);
}
! if (syscall == execve) {
! /* We want to log all execve() activity. */
! log "!INFO! Running %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)",
! realpath(arg[0]), pname, pruid, prgid, peuid, pegid);
! }
!
! return(call());
Index: openssh.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/openssh.cb,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** openssh.cb 5 Sep 2002 01:13:30 -0000 1.2
--- openssh.cb 15 Sep 2002 12:38:20 -0000 1.3
***************
*** 1,4 ****
/*
! * Example cerb-ng configuration file for /usr/sbin/sshd (OpenSSH)
*
* $Id$
--- 1,4 ----
/*
! * Example cerb configuration file for /usr/sbin/sshd (OpenSSH)
*
* $Id$
***************
*** 12,16 ****
SSHD_GID = GET_GID("sshd")
! SSHDINODE = GET_INODE("/usr/sbin/sshd")
/*
--- 12,21 ----
SSHD_GID = GET_GID("sshd")
! /*
! * Only inode's number and inode's device made us
! * sure that we're talking about our sshd.
! */
! INODE_SSHD = 1337
! DEV_SSHD = 1338
/*
***************
*** 19,95 ****
*/
? syscall == execve && pruid == 0 {
! reg[0] = realpath(name)
! ? reg[0] == "/usr/sbin/sshd" && inode == SSHDINODE {
! reg[0] = call()
if reg[0] != 0 {
! return(reg[0])
}
/* everything correct, removing uid and gid 0 */
! setpeuid(SSHD_UID)
! setpruid(SSHD_UID)
! setpegid(SSHD_GID)
! setprgid(SSHD_GID)
! return(0)
}
}
! ? pname == PNAME && pinode == SSHDINODE {
? syscall == execve {
/*
* if sshd have no longer SSHD_UID uid, that means, that setuid()
! * was done already, su sshd can run only shells
*/
? pruid != SSHD_UID {
! ? (name == "/bin/sh" && inode == GET_INODE("/bin/sh")) ||
! (name == "/bin/tcsh" && inode == GET_INODE("/bin/tcsh")) {
! return(call())
}
! return(EACCESS)
}
/*
* sshd can only run sshd on SIGHUP
! * (it can run also login programm if UseLogin yes, but...)
*/
! reg[0] = realpath(name)
? reg[0] == "/usr/sbin/sshd" &&
! inode == SSHDINODE {
! return(call())
}
! return(EPERM)
}
? syscall == open {
! ? name == "/var/run/sshd.pid" &&
! flags == (O_WRONLY | O_CREAT | O_TRUNC) {
/* setting effective uid to 0 */
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
! ? flags == O_RDWR {
! ? name == "/etc/skeykeys" ||
! name == "/var/log/lastlog" ||
! name == "/var/log/utmp" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
}
! ? name == "/var/log/utmp" && flags == (O_WRONLY | O_CREAT) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
! ? name == "/var/log/wtmp" && flags == (O_WRONLY | O_APPEND) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
/*
--- 24,108 ----
*/
? syscall == execve && pruid == 0 {
! reg[0] = realpath(name);
! ? reg[0] == "/usr/sbin/sshd" && getinode(reg[0]) == INODE_SSHD &&
! getdev(reg[0]) == DEV_SSHD {
! reg[0] = call();
if reg[0] != 0 {
! return(reg[0]);
}
/* everything correct, removing uid and gid 0 */
! setpruid(SSHD_UID);
! setpeuid(SSHD_UID);
! setprgid(SSHD_GID);
! setpegid(SSHD_GID);
! return(0);
}
}
! ? pname == PNAME && pinode == INODE_SSHD && pdev == DEV_SSHD {
? syscall == execve {
/*
* if sshd have no longer SSHD_UID uid, that means, that setuid()
! * was done already, so sshd can run only shells
*/
? pruid != SSHD_UID {
! ? arg[0] == "/bin/sh" || arg[0] == "/bin/tcsh" ||
! arg[0] == "/bin/zsh" {
! return(call());
}
! log("!WARN! Attempt to run invalid shell %s (proc=%s, "
! "ruid=%u, rgid=%u, euid=%u, egid=%u)",
! realpath(arg[0]), pname, pruid, prgid, peuid, pegid);
! return(EACCESS);
}
/*
* sshd can only run sshd on SIGHUP
! * (it can run also login program if UseLogin yes, but...)
*/
! reg[0] = realpath(name);
? reg[0] == "/usr/sbin/sshd" &&
! getinode(reg[0]) == INODE_SSHD &&
! getdev(reg[0]) == DEV_SSHD) {
! return(call());
}
! log("!WARN! Attempt to run %s (proc=%s, ruid=%u, rgid=%u, "
! "euid=%u, egid=%u)", realpath(arg[0]), pname, pruid, prgid,
! peuid, pegid);
! return(EPERM);
}
? syscall == open {
! ? arg[0] == "/var/run/sshd.pid" &&
! arg[1] == (O_WRONLY | O_CREAT | O_TRUNC) {
/* setting effective uid to 0 */
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
! ? arg[1] == O_RDWR {
! ? arg[0] == "/etc/skeykeys" ||
! arg[0] == "/var/log/lastlog" ||
! arg[0] == "/var/log/utmp" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
! ? arg[0] == "/var/log/utmp" && arg[1] == (O_WRONLY | O_CREAT) {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
! ? arg[0] == "/var/log/wtmp" && arg[1] == (O_WRONLY | O_APPEND) {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
/*
***************
*** 97,198 ****
* chance to read file as normal user
*/
! ? flags == O_RDONLY {
! ? name == "/etc/spwd.db" ||
! name == "/etc/ssh/ssh_host_dsa_key" ||
! name == "/etc/ssh/ssh_host_key" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
}
}
? syscall == __sysctl {
! ? operation == write {
! ? name == "kern.proc.args" ||
! name == "sysctl.name2oid" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling __sysctl() */
! setpeuid(reg[0])
! return(reg[1])
}
}
}
! ? syscall == seteuid {
! ? euid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && euid == 0) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling seteuid() */
if reg[1] != 0 {
! setpeuid(reg[0])
}
! return(reg[1])
! }
! }
! ? syscall == setegid {
! ? egid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && egid == 0) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling setegid() */
! setpeuid(reg[0])
! return(reg[1])
}
}
! ? syscall == setuid {
! ? uid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && uid == 0) {
reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling setuid() */
! if reg[1] != 0 {
! setpeuid(reg[0])
! }
! return(reg[1])
}
}
! ? syscall == setgid {
! ? gid >= 1000 || (PERMIT_ROOT_LOGIN == 1 && gid == 0) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling setegid() */
! setpeuid(reg[0])
! return(reg[1])
! }
}
? syscall == chown {
! ? name ~ "/dev/tty?" {
! ? (nouid >= 1000 ||
! (PERMIT_ROOT_LOGIN == 1 && nouid == 0)) &&
! (nogid >= 1000 || nogid == -1 || nogid == 4 ||
! (PERMIT_ROOT_LOGIN == 1 && nogid == 0)) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling chown() */
! setpeuid(reg[0])
! return(reg[1])
}
}
}
? syscall == chmod {
! ? name ~ "/dev/tty?" {
! ? mode == OCTAL(0620) ||
! mode == OCTAL(0622) ||
! mode == OCTAL(0666) {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling chown() */
! setpeuid(reg[0])
! return(reg[1])
}
}
}
? syscall == unlink {
! ? name ~ "/var/run/sshd.pid" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
}
--- 110,202 ----
* chance to read file as normal user
*/
! ? arg[1] == O_RDONLY {
! ? arg[0] == "/etc/spwd.db" ||
! arg[0] == "/etc/ssh/ssh_host_dsa_key" ||
! arg[0] == "/etc/ssh/ssh_host_key" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
}
? syscall == __sysctl {
! /* this means that process want to change sysctl value */
! ? arg[4] != 0 {
! reg[0] = getsysctlname(arg[0], arg[1]);
! ? reg[0] == "kern.proc.args" ||
! reg[0] == "sysctl.name2oid" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling __sysctl() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
}
! ? syscall == setuid || syscall == seteuid {
! ? arg[0] >= 1000 || (PERMIT_ROOT_LOGIN == 1 && arg[0] == 0) {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling set[e]uid() */
if reg[1] != 0 {
! setpeuid(reg[0]);
}
! return(reg[1]);
}
}
! ? syscall == setgid || syscall == setegid {
! ? arg[0] >= 1000 || (PERMIT_ROOT_LOGIN == 1 && arg[0] == 0) {
reg[0] = peuid
! setpeuid 0
! reg[1] = call /* calling setegid() */
! setpeuid reg[0]
! return reg[1]
}
}
! ? syscall == getuid {
! /* Och, process is trying to check his uid:) */
! pretval0 = 0
! /* We don't even call getuid() syscall */
! return(0);
}
? syscall == chown {
! ? arg[0] ~ "/dev/tty?" {
! /* we'r getting file owner uid and gid */
! reg[0] = getouid(arg[0]);
! reg[1] = getogid(arg[0]);
! ? (reg[0] >= 1000 ||
! (PERMIT_ROOT_LOGIN == 1 && reg[0] == 0)) &&
! (reg[1] >= 1000 || reg[1] == -1 || reg[1] == 4 ||
! (PERMIT_ROOT_LOGIN == 1 && reg[1] == 0)) {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling chown() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
}
? syscall == chmod {
! ? arg[0] ~ "/dev/tty?" {
! ? arg[1] == OCTAL(0620) ||
! arg[1] == OCTAL(0622) ||
! arg[1] == OCTAL(0666) {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling chown() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
}
? syscall == unlink {
! ? arg[0] == "/var/run/sshd.pid" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
***************
*** 200,206 ****
/*
! * we don't have to wory about rest syscalls,
! * because sshd isn't run as root
*/
! return(call())
}
--- 204,210 ----
/*
! * We're blockin all rest, because we don't want to remote attacker can
! * use kernels hole (for example in syscalls).
*/
! return(EPERM);
}
Index: passwd.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/passwd.cb,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** passwd.cb 5 Sep 2002 01:13:30 -0000 1.2
--- passwd.cb 15 Sep 2002 12:38:20 -0000 1.3
***************
*** 1,4 ****
/*
! * example cerb-ng configuration file for /usr/bin/passwd
*
* $Id$
--- 1,4 ----
/*
! * example cerb configuration file for /usr/bin/passwd
*
* $Id$
***************
*** 9,16 ****
PNAME = passwd
! PASSWDINODE = GET_INODE("/usr/bin/passwd")
! PWDMKDBINODE = GET_INODE("/usr/sbin/pwd_mkdb")
! ? pname == PNAME && pinode == PASSWDINODE {
/* checking process real uid */
? pruid == 0 { /* if root is calling passwd, checks are not needed */
--- 9,16 ----
PNAME = passwd
! INODE_PASSWD = 666
! INODE_PWD_MKDB = 31337
! ? pname == PNAME && pinode == INODE_PASSWD {
/* checking process real uid */
? pruid == 0 { /* if root is calling passwd, checks are not needed */
***************
*** 19,25 ****
? syscall == execve {
/* we gives access to execute only pwd_mkdb */
! ? name != "/usr/sbin/pwd_mkdb" ||
! inode != PWDMKDBINODE {
! return(EPERM)
}
--- 19,28 ----
? syscall == execve {
/* we gives access to execute only pwd_mkdb */
! ? arg[0] != "/usr/sbin/pwd_mkdb" ||
! getinode(arg[0]) != INODE_PWD_MKDB) {
! log("!!WARN!! Attempt to run %s (proc=%s, ruid=%u, "
! "rgid=%u, euid=%u, egid=%u)", realpath(arg[0]),
! pname, pruid, prgid, peuid, pegid);
! return(EPERM);
}
***************
*** 31,88 ****
getstr(arg[1],3) != "/etc" ||
getstr(arg[1],4) != "-u" ||
! getstr(arg[1],5) != plogin {
! return(EPERM)
}
/* now we set effective uid to 0 */
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling execve() */
! setpeuid(reg[0]) /*
! * switching back process effective uid,
! * because for pwd_mkdb we got
! * diffrent rules
! */
! return(reg[1])
}
? syscall == open {
! ? flags == (O_CREAT | O_EXCL | O_RDWR) && mode == OCTAL(0600) {
! reg[0] = realpath(name)
? reg[0] ~ "/etc/pw.??????" {
/* setting effective uid to 0 */
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
}
! ? flags == O_RDONLY {
/*
* passwd want to check old password,
* so euid = 0 again
*/
! ? name == "/etc/spwd.db" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
}
}
? syscall == unlink {
? name ~ "/etc/pw.??????" {
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling open() */
! setpeuid(reg[0])
! return(reg[1])
}
/*
! * we don't have to wory about rest of syscalls,
* because passwd isn't set-uid-root
*/
! return(call())
}
--- 34,92 ----
getstr(arg[1],3) != "/etc" ||
getstr(arg[1],4) != "-u" ||
! getstr(arg[1],5) != login {
! log("!!WARN!! Wrong arguments (proc=%s, ruid=%u, "
! "rgid=%u, euid=%u, egid=%u)", pname, pruid, prgid,
! peuid, pegid);
! return(EPERM);
}
/* now we set effective uid to 0 */
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling execve() */
! setpeuid(reg[0]);
! return(reg[1]);
}
? syscall == open {
! /* we got open flags in arg[1] and mode in arg[2] */
! ? arg[1] == (O_CREAT | O_EXCL | O_RDWR) && arg[2] == OCTAL(0600) {
! reg[0] = realpath(arg[0]);
? reg[0] ~ "/etc/pw.??????" {
/* setting effective uid to 0 */
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
! ? arg[1] == O_RDONLY {
/*
* passwd want to check old password,
* so euid = 0 again
*/
! ? arg[0] == "/etc/spwd.db" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
}
? syscall == unlink {
+ /* we can remove temporary files */
? name ~ "/etc/pw.??????" {
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling open() */
! setpeuid(reg[0]);
! return(reg[1]);
}
/*
! * we don't have to wory about rest syscalls,
* because passwd isn't set-uid-root
*/
! return(call());
}
Index: ping.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/ping.cb,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** ping.cb 5 Sep 2002 01:13:30 -0000 1.2
--- ping.cb 15 Sep 2002 12:38:20 -0000 1.3
***************
*** 1,24 ****
/*
! * example cerb-ng configuration file for /sbin/ping
*
* $Id$
*/
! /* Note that /sbin/ping should don't have set-uid-root */
PNAME = ping
! PINGINODE = GET_INODE("/sbin/ping")
!
! ? pname == "ping" && pinode == PINGINODE {
? syscall == socket {
! ? domain == AF_INET && type == SOCK_RAW &&
! protocol == IPPROTO_ICMP {
/* let's change effective uid to 0 */
! reg[0] = peuid
! setpeuid(0)
! reg[1] = call() /* calling socket() */
! setpeuid(reg[0])
! return(reg[1])
}
}
--- 1,23 ----
/*
! * example cerb configuration file for /sbin/ping
*
* $Id$
*/
! /* Note that /sbin/ping don't need set-uid-root! */
PNAME = ping
+ INODE_PING = 88
! ? pname == "ping" && pinode == INODE_PING {
? syscall == socket {
! ? arg[0] == AF_INET && arg[1] == SOCK_RAW &&
! arg[2] == IPPROTO_ICMP {
/* let's change effective uid to 0 */
! reg[0] = peuid;
! setpeuid(0);
! reg[1] = call(); /* calling socket() */
! setpeuid(reg[0]);
! return(reg[1]);
}
}
Index: start.cb
===================================================================
RCS file: /cvsroot/cerber/cerb-ng/examples/start.cb,v
retrieving revision 1.2
retrieving revision 1.3
diff -C2 -d -r1.2 -r1.3
*** start.cb 5 Sep 2002 01:13:30 -0000 1.2
--- start.cb 15 Sep 2002 12:38:20 -0000 1.3
***************
*** 1,4 ****
/*
! * Example cerb-ng configuration file on start
*
* $Id$
--- 1,4 ----
/*
! * Example cerb configuration file on start
*
* $Id$
***************
*** 7,21 ****
? syscall == execve {
/*
! * first of all we will check arguments and enviroments
! * tests what are made by check(args|envs) function:
* - arg/env length (max length is defined with sysctl)
* - number of args/envs (max is defined with sysctl)
* - chars in args/envs are printable?
*/
! ? (reg[0] = check_args) > 0 {
! return(reg[0]) /* something is wrong, don't call execve() */
}
! ? (reg[1] = check_envs) > 0 {
! return(reg[1]) /* something is wrong, don't call execve() */
}
--- 7,43 ----
? syscall == execve {
/*
! * First of all we will check arguments and enviroments.
! * Tests that are made by check(args|envs) function:
* - arg/env length (max length is defined with sysctl)
* - number of args/envs (max is defined with sysctl)
* - chars in args/envs are printable?
*/
! ? (reg[0] = check_args()) > 0 {
! ? reg[0] == 1 {
! reg[1] = "Argument too long.";
! }
! ? reg[0] == 2 {
! reg[1] = "Too many arguments.";
! }
! ? reg[0] == 3 {
! reg[1] = "Suspicious char in argument.";
! }
! log("!WARN! %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)",
! reg[1], pname, pruid, prgid, peuid, pegid);
! return(EPERM); /* something is wrong, don't call execve() */
}
! ? (reg[1] = check_envs()) > 0 {
! ? reg[0] == 1 {
! reg[1] = "Environment too long.";
! }
! ? reg[0] == 2 {
! reg[1] = "Too many environments.";
! }
! ? reg[0] == 3 {
! reg[1] = "Suspicious char in environment.";
! }
! log("!WARN! %s (proc=%s, ruid=%u, rgid=%u, euid=%u, egid=%u)",
! reg[1], pname, pruid, prgid, peuid, pegid);
! return(EPERM); /* something is wrong, don't call execve() */
}
***************
*** 31,52 ****
*/
? pruid >= 1000 {
! rmenv("LD_*") /*
! * removing enviroments
! * that match to LD_*
*/
! ? ouid >= 1000 { /*
! * only running own or other
! * users files arn't permited
! */
! return(EPERM)
}
}
}
! /* we could do this in diffrent way */
? pruid >= 1000 {
! rmenv("LD_*")
! reg[0] = realpath(name)
! ? reg[0] ~ "/usr/home/*" || reg[0] ~ "/tmp/*" {
! return(EPERM)
}
}
--- 53,83 ----
*/
? pruid >= 1000 {
! rmld("LD_*"); /*
! * removing enviroments that
! * match to LD_*
*/
! /*
! * getting owner uid of file specified as
! * first argument of syscall
! */
! ? getouid(arg[1]) >= 1000 { /*
! * user can only
! * run system binaries
! */
! log("!WARN! Don't have permission to run %s "
! "(proc=%s, ruid=%u, rgid=%u, euid=%u, "
! "egid=%u)", realpath(arg[0]), pname, pruid,
! prgid, peuid, pegid);
! return(EPERM);
}
}
}
! /* and diffrent way to do ,,noexec'' mechanism */
? pruid >= 1000 {
! rmld("LD_*");
! reg[0] = realpath(arg[0]);
! ? reg[0] ~ "/usr/home/*" || reg[0] ~ "/tmp/*" ||
! reg[0] ~ "/var/tmp/*" {
! return(EPERM);
}
}
|