From: <da...@us...> - 2003-09-24 21:22:49
Update of /cvsroot/cerber/cerb-ng/examples In directory sc8-pr-cvs1:/tmp/cvs-serv31447/examples Modified Files: apache.cb audit.cb crontab.cb noexec-by-group.cb restricted-debug.cb restricted-link.cb restricted-msgbuf.cb syslogd.cb unprivileged-chroot.cb Log Message: Changed operation name from ismember() to tabindex(). Index: apache.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/apache.cb,v retrieving revision 1.21 retrieving revision 1.22 diff -u -d -r1.21 -r1.22 --- apache.cb 12 Aug 2003 12:36:30 -0000 1.21 +++ apache.cb 24 Sep 2003 21:21:26 -0000 1.22 @@ -129,7 +129,7 @@ if (syscall == SYS_bind && (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) { reg[1] = getport(arg[1]); - if (ismember(reg[1], [ APACHE_PORTS ]) >= 0) { + if (tabindex(reg[1], [ APACHE_PORTS ]) >= 0) { reg[0] = sucall(); CB_LOG(APACHE_VERBOSE, LOG_INFO, "CerbNG:%s: %s(%u) " "[ret=%d] (with euid 0)", pname, syscallname, @@ -249,7 +249,7 @@ } else { if (syscall == SYS_bind && (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) { reg[0] = getport(arg[1]); - if (ismember(reg[0], [ APACHE_PORTS ]) >= 0) { + if (tabindex(reg[0], [ APACHE_PORTS ]) >= 0) { CB_LOGEXT(APACHE_VERBOSE, LOG_INFO, "Port %u is " "reserved for httpd(8)!", reg[0]); return EPERM; Index: audit.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/audit.cb,v retrieving revision 1.6 retrieving revision 1.7 diff -u -d -r1.6 -r1.7 --- audit.cb 11 Aug 2003 23:11:19 -0000 1.6 +++ audit.cb 24 Sep 2003 21:21:26 -0000 1.7 
@@ -33,7 +33,7 @@ ADD_ALLSYSCALLS(); #ifdef AUDIT_GROUP -if (ismember(AUDIT_GROUP, groups) >= 0) { +if (tabindex(AUDIT_GROUP, groups) >= 0) { #endif #ifdef AUDIT_PREFIX reg[0] = genstr("%? => ", AUDIT_PREFIX); Index: crontab.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/crontab.cb,v retrieving revision 1.13 retrieving revision 1.14 diff -u -d -r1.13 -r1.14 --- crontab.cb 12 Aug 2003 12:36:30 -0000 1.13 +++ crontab.cb 24 Sep 2003 21:21:26 -0000 1.14 @@ -142,7 +142,7 @@ } } } - if (syscall == SYS_chdir && ismember(0, groups) < 0) { + if (syscall == SYS_chdir && tabindex(0, groups) < 0) { if (arg[0] == "/var/cron") { /* * Members of wheel group are permited to chdir() @@ -156,7 +156,7 @@ return reg[0]; } } - if (syscall == SYS_stat && ismember(0, groups) < 0) { + if (syscall == SYS_stat && tabindex(0, groups) < 0) { if (cdir == "/var/cron" && arg[0] == "tabs") { arg[0] = "/var/cron/tabs"; /* race prevention */ addgroup(0); Index: noexec-by-group.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/noexec-by-group.cb,v retrieving revision 1.14 retrieving revision 1.15 diff -u -d -r1.14 -r1.15 --- noexec-by-group.cb 12 Aug 2003 12:36:30 -0000 1.14 +++ noexec-by-group.cb 24 Sep 2003 21:21:26 -0000 1.15 
@@ -36,7 +36,7 @@ ADD_SYSCALL(SYS_execve); if (syscall == SYS_execve && ruid >= 1000 && - ismember(NOEXEC_BY_GROUP_GID, groups) < 0) { + tabindex(NOEXEC_BY_GROUP_GID, groups) < 0) { reg[0] = rmenv("LD_*"); /* Removing enviroments that match to LD_* */ if (reg[0] > 0) { CB_LOGEXT(NOEXEC_BY_GROUP_VERBOSE, LOG_WARNING, "Removed %u " Index: restricted-debug.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/restricted-debug.cb,v retrieving revision 1.11 retrieving revision 1.12 diff -u -d -r1.11 -r1.12 --- restricted-debug.cb 12 Aug 2003 12:36:31 -0000 1.11 +++ restricted-debug.cb 24 Sep 2003 21:21:27 -0000 1.12 @@ -39,7 +39,7 @@ * Allow debug syscalls only for root and ,,debug'' group members. */ if (syscall == SYS_ptrace || syscall == SYS_ktrace) { - if (ruid > 0 && ismember(RESTRICTED_DEBUG_GID, groups) < 0) { + if (ruid > 0 && tabindex(RESTRICTED_DEBUG_GID, groups) < 0) { CB_LOGEXT(RESTRICTED_DEBUG_VERBOSE, LOG_WARNING, "!!WARN!! " "Syscall %s() isn't permited.", syscallname); return EPERM; Index: restricted-link.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/restricted-link.cb,v retrieving revision 1.10 retrieving revision 1.11 diff -u -d -r1.10 -r1.11 --- restricted-link.cb 12 Aug 2003 12:36:31 -0000 1.10 +++ restricted-link.cb 24 Sep 2003 21:21:27 -0000 1.11 
@@ -36,7 +36,7 @@ ADD_SYSCALL(SYS_link); if (syscall == SYS_link && ruid > 0 && - ismember(RESTRICTED_LINK_ALLOW_GID, groups) < 0) { + tabindex(RESTRICTED_LINK_ALLOW_GID, groups) < 0) { if (getouid(arg[0]) != ruid) { CB_LOGEXT(RESTRICTED_LINK_VERBOSE, LOG_WARNING, "!WARN! Don't " "have permission for link creation to %s (%s).", arg[0], Index: restricted-msgbuf.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/restricted-msgbuf.cb,v retrieving revision 1.4 retrieving revision 1.5 diff -u -d -r1.4 -r1.5 --- restricted-msgbuf.cb 12 Aug 2003 12:36:31 -0000 1.4 +++ restricted-msgbuf.cb 24 Sep 2003 21:21:27 -0000 1.5 @@ -58,7 +58,7 @@ "%s)", reg[0], getjailhost()); return EPERM; } - if (ruid > 0 && ismember(RESTRICTED_MSGBUF_GID, groups) < 0) { + if (ruid > 0 && tabindex(RESTRICTED_MSGBUF_GID, groups) < 0) { CB_LOG(RESTRICTED_MSGBUF_VERBOSE, LOG_INFO, "User %s " "isn't permitted to read sysctl %s", login, reg[0]); return EPERM; Index: syslogd.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/syslogd.cb,v retrieving revision 1.15 retrieving revision 1.16 diff -u -d -r1.15 -r1.16 --- syslogd.cb 22 Aug 2003 22:17:16 -0000 1.15 +++ syslogd.cb 24 Sep 2003 21:21:27 -0000 1.16 @@ -156,7 +156,7 @@ (getfamily(arg[1]) == AF_INET || getfamily(arg[1]) == AF_INET6)) { reg[1] = getport(arg[1]); reg[2] = getip(arg[1]); - if (reg[1] == SYSLOGD_PORT && ismember(reg[2], SYSLOGD_IPS) >= 0) { + if (reg[1] == SYSLOGD_PORT && tabindex(reg[2], SYSLOGD_IPS) >= 0) { reg[0] = sucall(); CB_LOGEXT(SYSLOGD_VERBOSE, LOG_INFO, "Binding to %s|%u " "[ret=%d].", reg[2], reg[1], reg[0]); 
@@ -175,7 +175,7 @@ } } else { if (syscall == SYS_bind && getfamily(arg[1]) == AF_INET) { - if (!isjailed() || (isjailed() && ismember(getjailip(), SYSLOGD_IPS) >= 0)) { + if (!isjailed() || (isjailed() && tabindex(getjailip(), SYSLOGD_IPS) >= 0)) { reg[0] = getport(arg[1]); if (reg[0] == SYSLOGD_PORT) { CB_LOGEXT(SYSLOGD_VERBOSE, LOG_INFO, "Port %u " Index: unprivileged-chroot.cb =================================================================== RCS file: /cvsroot/cerber/cerb-ng/examples/unprivileged-chroot.cb,v retrieving revision 1.7 retrieving revision 1.8 diff -u -d -r1.7 -r1.8 --- unprivileged-chroot.cb 12 Aug 2003 12:36:31 -0000 1.7 +++ unprivileged-chroot.cb 24 Sep 2003 21:21:27 -0000 1.8 @@ -39,7 +39,7 @@ ADD_SYSCALL(SYS_chroot); -if (syscall == SYS_chroot && ruid > 0 && ismember(CHROOT_GID, groups) >= 0) { +if (syscall == SYS_chroot && ruid > 0 && tabindex(CHROOT_GID, groups) >= 0) { reg[1] = realpath(arg[0]); if (reg[1] !@ CHROOT_NONSUID_PATH) { return EPERM; |