authorLauri Aarnio <Lauri.Aarnio@iki.fi>2009-01-29 17:35:42 +0200
committerLauri Leukkunen <lle@rahina.org>2009-02-10 08:38:10 +0200
commit8aa891dae16bd4998176fa5ce987f15051490255 (patch)
treeaf8c35aa20c68f1839927ac3fb271007f7851474
parent905e4b3d3ad88ef66587707ed975184afaff9dcc (diff)
Added a mechanism for finding currently active exec policy
- store the name of the selected exec policy in an environment variable before every exec, and also added a Lua function which locates the currently active policy (soon to be used by the "devel" mode...)
-rw-r--r--include/sb2.h1
-rw-r--r--lua_scripts/argvenvp.lua4
-rw-r--r--lua_scripts/mapping.lua41
-rw-r--r--lua_scripts/pathmaps/devel/00_default.lua8
-rw-r--r--lua_scripts/pathmaps/emulate/00_default.lua7
-rw-r--r--lua_scripts/pathmaps/install/00_default.lua6
-rw-r--r--lua_scripts/pathmaps/simple/00_default.lua6
-rw-r--r--lua_scripts/pathmaps/tools/00_default.lua7
-rw-r--r--luaif/argvenvp.c22
-rw-r--r--luaif/luaif.c8
-rw-r--r--preload/libsb2.c5
11 files changed, 108 insertions, 7 deletions
diff --git a/include/sb2.h b/include/sb2.h
index d9808ac..00f4716 100644
--- a/include/sb2.h
+++ b/include/sb2.h
@@ -111,6 +111,7 @@ extern char *sbox_orig_ld_library_path;
extern char *sbox_binary_name;
extern char *sbox_real_binary_name;
extern char *sbox_orig_binary_name;
+extern char *sbox_active_exec_policy_name;
extern int pthread_library_is_available; /* flag */
extern pthread_t (*pthread_self_fnptr)(void);
diff --git a/lua_scripts/argvenvp.lua b/lua_scripts/argvenvp.lua
index ac65000..a5480f9 100644
--- a/lua_scripts/argvenvp.lua
+++ b/lua_scripts/argvenvp.lua
@@ -672,6 +672,10 @@ function sb_execve_postprocess(rule, exec_policy, exec_type,
sb.log("debug", string.format("sb_execve_postprocess:type=%s",
exec_type))
+ if (exec_policy.name) then
+ table.insert(envp, "__SB2_EXEC_POLICY_NAME="..exec_policy.name)
+ end
+
-- End of generic part. Rest of postprocessing depends on type of
-- the executable.
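Review bot: The new `table.insert(envp, ...)` appends `__SB2_EXEC_POLICY_NAME` without removing a copy that is already present in `envp`. Every process started through this path inherits the variable, so on the next exec the vector holds the old entry first and the new one last, and `getenv()` in the child (see the preload/libsb2.c hunk) normally returns the first match, i.e. the stale or caller-supplied name. Dropping existing entries with that prefix before inserting, as sketched below, keeps the exported name in step with the policy actually selected. The function body continues outside the hunk, so confirm that the `envc` value it returns is computed after this change.

```lua
	if (exec_policy.name) then
		-- remove any inherited copy first: the child's getenv() returns the first match
		local prefix = "__SB2_EXEC_POLICY_NAME="
		for i = #envp, 1, -1 do
			if string.sub(envp[i], 1, #prefix) == prefix then
				table.remove(envp, i)
			end
		end
		table.insert(envp, prefix..exec_policy.name)
	end
```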
diff --git a/lua_scripts/mapping.lua b/lua_scripts/mapping.lua
index 4688a4a..320ea78 100644
--- a/lua_scripts/mapping.lua
+++ b/lua_scripts/mapping.lua
@@ -66,6 +66,45 @@ function sb2_procfs_mapper(binary_name, func_name, rp, path, rule)
return nil, ret_path, false
end
+-- all_exec_policies is a table, defined by the mapping rule file
+all_exec_policies = nil
+
+-- return the exec policy used for this process
+--
+local active_exec_policy_checked = false
+local active_exec_policy_ptr = nil
+
+function get_active_exec_policy()
+ if (active_exec_policy_checked == false) then
+ local ep_name = sb.get_active_exec_policy_name()
+
+ if (ep_name and all_exec_policies ~= nil) then
+ -- Name of it is known, try to find the object itself
+ for i = 1, table.maxn(all_exec_policies) do
+ if all_exec_policies[i].name == ep_name then
+ active_exec_policy_ptr = all_exec_policies[i]
+ break
+ end
+ end
+ if (debug_messages_enabled) then
+ if active_exec_policy_ptr then
+ sb.log("debug", "Found active Exec policy "..ep_name)
+ else
+ sb.log("debug", "FAILED to find active Exec policy "..ep_name)
+ end
+ end
+ else
+ -- Don't know what exec policy is active
+ if (debug_messages_enabled) then
+ sb.log("debug", "Unknown active Exec policy")
+ end
+ end
+
+ active_exec_policy_checked = true
+ end
+ return active_exec_policy_ptr
+end
+
-- Load mode-specific rules.
-- A mode file must define three variables:
-- 1. rule_file_interface_version (string) is checked and must match,
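Review bot: In `get_active_exec_policy()` the loop indexes `all_exec_policies[i].name` for every `i` up to `table.maxn()`, so a nil hole in the list (for example a mode file naming a policy variable that is not defined) raises "attempt to index a nil value" instead of skipping the entry; `local ep = all_exec_policies[i]` followed by `if ep and ep.name == ep_name then` avoids that. The result is also cached on the first call even when `all_exec_policies` is still nil, so a call made before the rule file has been loaded pins the answer to nil for the life of the process; setting `active_exec_policy_checked = true` only once the table exists would avoid this. The header comment could add that the function returns nil when the name is unknown or unmatched, and that the name originates from the `__SB2_EXEC_POLICY_NAME` environment variable rather than from the mapping engine's own state.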
@@ -98,6 +137,8 @@ function load_and_check_rules()
--
-- (version 19 is in intermediate version;
-- several interface changes will follow)
+ -- - added "all_exec_policies" list to all
+ -- mapping modes
-- Differences between version 17 and 18:
-- - added sb2_procfs_mapper()
-- Differences between version 16 and 17:
diff --git a/lua_scripts/pathmaps/devel/00_default.lua b/lua_scripts/pathmaps/devel/00_default.lua
index f66a20d..f7d5295 100644
--- a/lua_scripts/pathmaps/devel/00_default.lua
+++ b/lua_scripts/pathmaps/devel/00_default.lua
@@ -635,3 +635,11 @@ exec_policy_chains = {
devel_exec_policies
}
+-- This table lists all exec policies - this is used when the current
+-- process wants to locate the currently active policy
+all_exec_policies = {
+ exec_policy_host_os,
+ exec_policy_target,
+ exec_policy_tools,
+}
+
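Review bot: `all_exec_policies` repeats by hand the set of policies that the exec policy chains already reference, and nothing ties the two together: a policy that is selected at exec time but missing from this list makes `get_active_exec_policy()` return nil with only a debug-level log entry. Consider building the list from the chain contents, or extend the comment to something like `-- must contain every policy reachable from exec_policy_chains, each with a unique "name" field`. The chain definitions are outside the hunk, so whether they can be iterated directly needs confirming. The same applies to the matching additions in the emulate, install, simple and tools mode files.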
diff --git a/lua_scripts/pathmaps/emulate/00_default.lua b/lua_scripts/pathmaps/emulate/00_default.lua
index 421fb61..d7630a5 100644
--- a/lua_scripts/pathmaps/emulate/00_default.lua
+++ b/lua_scripts/pathmaps/emulate/00_default.lua
@@ -208,3 +208,10 @@ exec_policy_chains = {
all_exec_policies_chain
}
+-- This table lists all exec policies - this is used when the current
+-- process wants to locate the currently active policy
+all_exec_policies = {
+ exec_policy_target,
+ default_exec_policy,
+}
+
diff --git a/lua_scripts/pathmaps/install/00_default.lua b/lua_scripts/pathmaps/install/00_default.lua
index 29fcb81..7ca7161 100644
--- a/lua_scripts/pathmaps/install/00_default.lua
+++ b/lua_scripts/pathmaps/install/00_default.lua
@@ -105,3 +105,9 @@ exec_policy_chains = {
all_exec_policies_chain
}
+-- This table lists all exec policies - this is used when the current
+-- process wants to locate the currently active policy
+all_exec_policies = {
+ default_exec_policy,
+}
+
diff --git a/lua_scripts/pathmaps/simple/00_default.lua b/lua_scripts/pathmaps/simple/00_default.lua
index 71a7ca2..34ab4ca 100644
--- a/lua_scripts/pathmaps/simple/00_default.lua
+++ b/lua_scripts/pathmaps/simple/00_default.lua
@@ -120,3 +120,9 @@ exec_policy_chains = {
all_exec_policies_chain
}
+-- This table lists all exec policies - this is used when the current
+-- process wants to locate the currently active policy
+all_exec_policies = {
+ default_exec_policy,
+}
+
diff --git a/lua_scripts/pathmaps/tools/00_default.lua b/lua_scripts/pathmaps/tools/00_default.lua
index efbf3bc..24f6054 100644
--- a/lua_scripts/pathmaps/tools/00_default.lua
+++ b/lua_scripts/pathmaps/tools/00_default.lua
@@ -160,3 +160,10 @@ exec_policy_chains = {
all_exec_policies_chain
}
+-- This table lists all exec policies - this is used when the current
+-- process wants to locate the currently active policy
+all_exec_policies = {
+ exec_policy_tools,
+ default_exec_policy,
+}
+
diff --git a/luaif/argvenvp.c b/luaif/argvenvp.c
index 1ac11fc..dd5e8be 100644
--- a/luaif/argvenvp.c
+++ b/luaif/argvenvp.c
@@ -141,7 +141,8 @@ int sb_execve_postprocess(char *exec_type,
char ***envp)
{
struct lua_instance *luaif;
- int res, new_argc, new_envc;
+ int res, new_argc;
+ int replace_environment = 0;
luaif = get_lua();
if (!luaif) return(0);
@@ -170,7 +171,7 @@ int sb_execve_postprocess(char *exec_type,
/* args: rule, exec_policy, exec_type, mapped_file, filename,
* binaryname, argv, envp
- * returns: err, mapped_file, filename, argc, argv, envc, envp */
+ * returns: res, mapped_file, filename, argc, argv, envc, envp */
lua_call(luaif->lua, 8, 7);
res = lua_tointeger(luaif->lua, -7);
@@ -178,7 +179,7 @@ int sb_execve_postprocess(char *exec_type,
case 0:
/* exec arguments were modified, replace contents of
- * argv and envp vectors */
+ * argv vector */
SB_LOG(SB_LOGLEVEL_DEBUG,
"sb_execve_postprocess: Updated argv&envp");
free(*mapped_file);
@@ -191,14 +192,14 @@ int sb_execve_postprocess(char *exec_type,
new_argc = lua_tointeger(luaif->lua, -4);
lua_string_table_to_strvec(luaif, -3, argv, new_argc);
- new_envc = lua_tointeger(luaif->lua, -2);
- strvec_free(*envp);
- lua_string_table_to_strvec(luaif, -1, envp, new_envc);
+ replace_environment = 1;
break;
case 1:
SB_LOG(SB_LOGLEVEL_DEBUG,
- "sb_execve_postprocess: argv&envp were not modified");
+ "sb_execve_postprocess: argv was not modified");
+ /* always update environment when we are going to exec */
+ replace_environment = 1;
break;
case -1:
@@ -212,6 +213,13 @@ int sb_execve_postprocess(char *exec_type,
break;
}
+ if (replace_environment) {
+ int new_envc;
+ new_envc = lua_tointeger(luaif->lua, -2);
+ strvec_free(*envp);
+ lua_string_table_to_strvec(luaif, -1, envp, new_envc);
+ }
+
/* remove sb_execve_postprocess return values from the stack. */
lua_pop(luaif->lua, 6);
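Review bot: With `case 1` now setting `replace_environment` (previous hunk), the block added after the switch reads `envc` and `envp` from stack slots -2 and -1 on a path that previously ignored them, and it calls `strvec_free(*envp)` before knowing those slots are usable. If the Lua `sb_execve_postprocess` ever returns `res == 1` without a table in the last slot, the process either loses its whole environment or hands a non-table to `lua_string_table_to_strvec()`; the Lua return statements are not visible on this page, so this needs confirming. A guard such as `if (replace_environment && lua_istable(luaif->lua, -1))`, plus rejecting a negative `new_envc` before the free, would make the failure mode explicit. The debug message in `case 0` still says "Updated argv&envp" although that branch now only replaces argv.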
diff --git a/luaif/luaif.c b/luaif/luaif.c
index 57536a1..e6f8b25 100644
--- a/luaif/luaif.c
+++ b/luaif/luaif.c
@@ -629,6 +629,13 @@ static int lua_sb_get_binary_name(lua_State *l)
return 1;
}
+/* "sb.get_active_exec_policy_name", to be called from lua code */
+static int lua_sb_get_active_exec_policy_name(lua_State *l)
+{
+ lua_pushstring(l, sbox_active_exec_policy_name);
+ return 1;
+}
+
/* "sb.get_forced_mapmode", to be called from lua code */
static int lua_sb_get_forced_mapmode(lua_State *l)
{
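Review bot: `lua_sb_get_active_exec_policy_name()` passes `sbox_active_exec_policy_name` to `lua_pushstring()` while it may still be NULL, since it is only set when `__SB2_EXEC_POLICY_NAME` is present in the environment. The Lua caller's `if (ep_name and ...)` test depends on that producing nil; making it explicit with `if (!sbox_active_exec_policy_name) { lua_pushnil(l); return 1; }` removes the dependence on how the Lua library treats a NULL argument. The comment could also state the contract, e.g. `/* returns the policy name inherited via __SB2_EXEC_POLICY_NAME, or nil if none */`.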
@@ -773,6 +780,7 @@ static const luaL_reg reg[] =
{"debug_messages_enabled", lua_sb_debug_messages_enabled},
{"getcwd", lua_sb_getcwd},
{"get_binary_name", lua_sb_get_binary_name},
+ {"get_active_exec_policy_name", lua_sb_get_active_exec_policy_name},
{"get_forced_mapmode", lua_sb_get_forced_mapmode},
{"get_session_perm", lua_sb_get_session_perm},
{"isprefix", lua_sb_isprefix},
diff --git a/preload/libsb2.c b/preload/libsb2.c
index 1849a38..12be2eb 100644
--- a/preload/libsb2.c
+++ b/preload/libsb2.c
@@ -1165,6 +1165,7 @@ char *sbox_orig_ld_library_path = NULL;
char *sbox_binary_name = NULL;
char *sbox_real_binary_name = NULL;
char *sbox_orig_binary_name = NULL;
+char *sbox_active_exec_policy_name = NULL;
int sb2_global_vars_initialized__ = 0;
@@ -1220,6 +1221,10 @@ void sb2_initialize_global_variables(void)
cp = getenv("__SB2_ORIG_BINARYNAME");
if (cp) sbox_orig_binary_name = strdup(cp);
}
+ if (!sbox_active_exec_policy_name) {
+ cp = getenv("__SB2_EXEC_POLICY_NAME");
+ if (cp) sbox_active_exec_policy_name = strdup(cp);
+ }
if (sbox_session_dir) {
/* seems that we got it.. */
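Review bot: The policy name read from `__SB2_EXEC_POLICY_NAME` is taken as-is from the process environment, which the program itself or whatever launched it can set to any string, and the result of `strdup()` is not checked (matching the surrounding code). That is harmless while the value only feeds a lookup that returns nil for unknown names, but the commit message says the devel mode will start using it. A comment here such as `/* advisory only: value comes from the environment and may be absent, stale or arbitrary */` would record that it must not drive decisions which assume it matches the policy actually applied at exec time. `sb2_initialize_global_variables()` starts and ends outside the hunk.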