summaryrefslogtreecommitdiff
path: root/lua_scripts/argvenvp.lua
blob: a5480f92ba35b8b11f89fb5ff62ef4fa1a0d5342 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
-- Copyright (C) 2007 Lauri Leukkunen <lle@rahina.org>
-- Portion Copyright (c) 2008 Nokia Corporation.
-- (exec postprocessing code written by Lauri T. Aarnio at Nokia)
--
-- Licensed under MIT license

argvmods = {}

-- only map gcc & friends if a cross compiler has been defined,
-- and it has not been disabled by the mapping rules:
if (enable_cross_gcc_toolchain == true) then
	local gcc_rule_file_path = session_dir .. "/gcc-conf.lua"
	
	if (sb.path_exists(gcc_rule_file_path)) then
		-- this generates gcc related argv/envp manglings
		do_file(session_dir .. "/lua_scripts/argvenvp_gcc.lua")
	end
end

-- regular mangling rules go here
-- syntax is of the form:
--
-- rule = {
-- 	name = "binary-name",
--	path_prefixes = {"/list/of", "/possible/path/prefixes"},
-- 	add_head = {"list", "of", "args", "to", "prepend"},
-- 	add_tail = {"these", "are", "appended"},
-- 	remove = {"args", "to", "remove"},
-- 	new_filename = "exec-this-binary-instead",
-- 	disable_mapping = 1 -- set this to disable mappings
-- }
-- argvmods[rule.name] = rule
--
-- Environment modifications are not supported yet, except for disabling
-- mappings.
--
-- TODO:
--
-- * new_filename should probably be replaced by integrating argv/envp
--   mangling with the path mapping machinery.

dpkg_architecture = {
	name = "dpkg-architecture",
	path_prefixes = {"/usr/bin/"},
	remove = {"-f"}
}
argvmods[dpkg_architecture.name] = dpkg_architecture

-- ------------------------------------
-- Exec preprocessing.
-- function sb_execve_preprocess is called to decide WHAT FILE
-- should be started (see description of the algorithm in sb_exec.c)
-- (this also typically adds, deletes, or modifies arguments whenever needed)
-- 
-- returns: err, file, argc, argv, envc, envp
-- (zero as "err" means "OK")
function sbox_execve_preprocess(filename, argv, envp)
	local new_argv = {}
	local new_envp = {}
	local binaryname = string.match(filename, "[^/]+$")
	local new_filename = filename

	if (debug_messages_enabled) then
		sb.log("debug", string.format(
			"sbox_execve_preprocess(): %s\n", filename))
	end
	
	new_envp = envp

	local am = argvmods[binaryname]
	if (am ~= nil) then
		local prefix_match_found = false
		for i = 1, table.maxn(am.path_prefixes) do
			if isprefix(am.path_prefixes[i], filename) then
				prefix_match_found = true
				break
			end
		end
		if (not prefix_match_found) then
			am = nil
		end
	end

	if (am ~= nil) then
		if (not am.remove) then am.remove = {} end
		if (not am.add_head) then am.add_head = {} end
		if (not am.add_tail) then am.add_tail = {} end

		if (debug_messages_enabled) then
			sb.log("debug", string.format(
				"argvmods[%s] found\n", filename))
		end

		-- head additions
		for i = 1, table.maxn(am.add_head) do
			table.insert(new_argv, am.add_head[i])
		end
	
		-- populate new_argv, skip those that are to be removed
		for i = 1, table.maxn(argv) do
			local match = 0
			for j = 1, table.maxn(am.remove) do
				if (argv[i] == am.remove[j]) then
					match = 1
				end
			end
			if (match == 0) then
				table.insert(new_argv, argv[i])
			end
		end
		
		-- tail additions
		for i = 1, table.maxn(am.add_tail) do
			table.insert(new_argv, am.add_tail[i])
		end

		if (am.new_filename) then
			-- print(string.format("changing to: %s\n", am.new_filename))
			new_filename = am.new_filename
			new_argv[1] = am.new_filename
		end
		if (am.disable_mapping) then
			table.insert(new_envp, "SBOX_DISABLE_MAPPING=1")
			table.insert(new_envp, "SBOX_DISABLE_ARGVENVP=1")
		end
	else
		new_argv = argv
	end
	return 0, new_filename, #new_argv, new_argv, #new_envp, new_envp
end

-- ------------------------------------

function locate_ld_library_path(envp)
	local k
	for k = 1, table.maxn(envp) do
		if (string.match(envp[k], "^LD_LIBRARY_PATH=")) then
			return k
		end
	end
	return -1
end

-- Return path to be used as LD_LIBRARY_PATH for native applications
--
function get_native_app_ld_library_path(exec_policy, envp)

	-- attribute "native_app_ld_library_path" overrides everything else:
	if (exec_policy.native_app_ld_library_path ~= nil) then
		return exec_policy.native_app_ld_library_path
	end

	-- attributes "native_app_ld_library_path_prefix" and
	-- "native_app_ld_library_path_suffix" extend the old value:
	if ((exec_policy.native_app_ld_library_path_prefix ~= nil) or
	    (exec_policy.native_app_ld_library_path_suffix ~= nil)) then
		local ld_library_path_index = locate_ld_library_path(envp)
		local libpath = nil
		if ld_library_path_index > 0 then
			libpath = string.gsub(envp[ld_library_path_index],
				"^LD_LIBRARY_PATH=", "", 1)
		end
		if (exec_policy.native_app_ld_library_path_prefix ~= nil) then
			if libpath ~= nil then
				libpath = exec_policy.native_app_ld_library_path_prefix ..
					":" .. libpath
			else
				libpath = exec_policy.native_app_ld_library_path_prefix
			end
		end
		if (exec_policy.native_app_ld_library_path_suffix ~= nil) then
			if libpath ~= nil then
				libpath = libpath .. ":" ..
					 exec_policy.native_app_ld_library_path_suffix
			else
				libpath = exec_policy.native_app_ld_library_path_suffix
			end
		end
		return libpath
	end

	return nil
end

-- Set LD_LIBRARY_PATH: modifies "envp"
--
function setenv_native_app_ld_library_path(exec_policy, envp)

	local ld_library_path_index = locate_ld_library_path(envp)
	local new_path = get_native_app_ld_library_path(exec_policy, envp)

	-- Set the value:
	if (new_path ~= nil) then
		if (ld_library_path_index > 0) then
			envp[ld_library_path_index] =
				"LD_LIBRARY_PATH=" .. new_path
			sb.log("debug", "Replaced LD_LIBRARY_PATH")
		else
			table.insert(envp, "LD_LIBRARY_PATH=" .. new_path)
			sb.log("debug", "Added LD_LIBRARY_PATH")
		end
	else
		sb.log("debug", "No value for LD_LIBRARY_PATH")
	end
end

-- ------------------------------------
-- returns args_ok, rule, exec_policy 
function check_rule_and_policy(rule, exec_policy, filename, mapped_file)

	-- First, if either rule or the exec policy is a string, something
	-- has failed during the previous steps or mapping has been disabled;
	-- => fail
	if ((type(rule) == "string") or (type(exec_policy) == "string")) then
		local rs = ""
		local eps = ""
		if (type(rule) == "string") then
			rs = rule
		end
		if (type(exec_policy) == "string") then
			eps = exec_policy
		end

		sb.log("debug", "check_rule_and_policy: "..rs..";"..eps);
		return false, rule, exec_policy
	end

	-- if exec_policy was not provided by the caller (i.e. not
	-- provided by the mapping rule), look up the policy from
	-- exec_policy_chains array.
	if (exec_policy == nil) then
		local res

		sb.log("debug", "trying exec_policy_chains..")
		res, exec_policy = sb_find_exec_policy(binaryname, mapped_file)
		if res == 0 then
			-- there is no default policy for this mode
			sb.log("notice",
				"sb_execve_postprocess: No exec_policy for "..filename)
			return false, rule, exec_policy
		end
	end

	-- Exec policy is OK.
	
	return true, rule, exec_policy
end

-- ------------------------------------
-- Script interpreter mapping.

-- This is called from C:
-- returns: rule, policy, result, mapped_interpreter, #argv, argv, #envp, envp
-- "result" is one of:
--  0: argv / envp were modified; mapped_interpreter was set
--  1: argv / envp were not modified; mapped_interpreter was set
--  2: argv / envp were not modified; caller should call ordinary path 
--	mapping to find the interpreter
-- -1: deny exec.
function sb_execve_map_script_interpreter(rule, exec_policy, interpreter,
	interp_arg, mapped_script_filename, orig_script_filename, argv, envp)

	local args_ok
	args_ok, rule, exec_policy = check_rule_and_policy(rule,
		exec_policy, orig_script_filename, mapped_script_filename) 

	if args_ok == false then
		-- no exec policy. Deny exec, we can't find the interpreter
		sb.log("error", "Unable to map script interpreter.");
		return rule, exec_policy, -1, interpreter, #argv, argv, #envp, envp
	end

	-- exec policy is OK.

	if (exec_policy.script_log_level ~= nil) then
		sb.log(exec_policy.script_log_level,
			exec_policy.script_log_message)
	end

	if (exec_policy.script_deny_exec == true) then
		return rule, exec_policy, -1, interpreter, #argv, argv, #envp, envp
	end

	if (exec_policy.name == nil) then
		sb.log("debug", "Applying nameless exec_policy to script")
	else
		sb.log("debug", string.format(
			"Applying exec_policy '%s' to script",
			exec_policy.name))
	end

	if (exec_policy.script_interpreter_rule ~= nil) then
		local exec_pol_2, mapped_interpreter, ro_flag

		exec_pol_2, mapped_interpreter, ro_flag = sbox_execute_rule(
			interpreter, "map_script_interpreter",
			interpreter, interpreter,
			exec_policy.script_interpreter_rule)
	
		if exec_policy.script_set_argv0_to_mapped_interpreter then
			argv[1] = mapped_interpreter
			return rule, exec_policy, 0, 
				mapped_interpreter, #argv, argv, #envp, envp
		else
			return rule, exec_policy, 1, 
				mapped_interpreter, #argv, argv, #envp, envp
		end
	end

	-- The default case:
	-- exec policy says nothing about the script interpreters.
	-- use ordinary path mapping to find it
	return rule, exec_policy, 2, interpreter, #argv, argv, #envp, envp
end

-- ------------------------------------
-- Exec postprocessing.
-- function sb_execve_postprocess is called to decide HOW the executable
-- should be started (see description of the algorithm in sb_exec.c)
-- 
-- returns: status, mapped_file, file, argc, argv, envc, envp
-- "status":
--    -1 = do not execute.
--    0 = argc&argv were updated, OK to execute with the new params
--    1 = ok to exec directly with orig.arguments

function sb_execve_postprocess_native_executable(rule, exec_policy,
	exec_type, mapped_file, filename, argv, envp)

	-- Native binary. See what we need to do with it...
	sb.log("debug", string.format("sb_execve_postprocess: Native binary"))
	
	sb.log("debug", "Rule: apply exec_policy")

	if (rule.prefix ~= nil) then
		sb.log("debug", string.format("rule.prefix=%s", rule.prefix))
	end
	if (rule.path ~= nil) then
		sb.log("debug", string.format("rule.path=%s", rule.path))
	end

	local new_argv = {}
	local new_envp = envp
	local new_filename = filename
	local new_mapped_file = mapped_file
	-- by default, copy argv from index 1 (refers to argv[0])
	local first_argv_element_to_copy = 1
	local updated_args = 0

	if (exec_policy.native_app_ld_so ~= nil) then
		-- we need to use ld.so for starting the binary, 
		-- instead of starting it directly:
		new_mapped_file = exec_policy.native_app_ld_so
		table.insert(new_argv, exec_policy.native_app_ld_so)

		local ld_lib_path = get_native_app_ld_library_path(
			exec_policy, new_envp)
		if (ld_lib_path ~= nil) then
			table.insert(new_argv, "--library-path")
			table.insert(new_argv, ld_lib_path)
		end

		-- NOTE/WARNING: The default ld.so (ld-linux.so) will loose
		-- argv[0], when the binary is executed by ld.so's
		-- command line (which we will be doing). It will always copy 
		-- the filename to argv[0].
		--
		-- We now have a patch for ld.so which introduces a new
		-- option, "--argv0 argument", and a flag is used to tell
		-- if a patched ld.so is available (the "sb2" script finds 
		-- that out during startup phase).
		--
		if (exec_policy.native_app_ld_so_supports_argv0) then
			table.insert(new_argv, "--argv0")
			-- C's argv[0] is in argv[1] here!
			table.insert(new_argv, argv[1])
			table.insert(new_argv, mapped_file)
		else
			-- Replace argv[0] by pathname:
			table.insert(new_argv, mapped_file)
		end
		first_argv_element_to_copy = 2

		updated_args = 1
	elseif ((exec_policy.native_app_ld_library_path ~= nil) or
	        (exec_policy.native_app_ld_library_path_prefix ~= nil) or
	        (exec_policy.native_app_ld_library_path_suffix ~= nil)) then
		-- Start the binary with a nonstandard LD_LIBRARY_PATH
		setenv_native_app_ld_library_path(exec_policy, new_envp)
		updated_args = 1
	end

	--
	-- When exec_policy contains field 'native_app_locale_path' we
	-- need to set environment variables $LOCPATH (and $NLSPATH) to
	-- point there.  Localization functions (e.g isalpha(), etc.)
	-- gets their locale specific information from $LOCPATH when
	-- it is set.
	--
	if exec_policy.native_app_locale_path ~= nil then
		sb.log("debug", string.format("setting LOCPATH=%s",
		    exec_policy.native_app_locale_path))
		table.insert(new_envp, "LOCPATH=" ..
		    exec_policy.native_app_locale_path)
		table.insert(new_envp, "NLSPATH=" ..
		    exec_policy.native_app_locale_path)
		updated_args = 1
	end
	
	if (updated_args == 1) then
		-- Add components from original argv[]
		local i
		for i = first_argv_element_to_copy, table.maxn(argv) do
			table.insert(new_argv, argv[i])
		end

		return 0, new_mapped_file, new_filename, #new_argv, new_argv, #new_envp, new_envp
	end

	-- else args not modified.
	return 1, mapped_file, filename, #argv, argv, #envp, envp
end

if string.match(sbox_cputransparency_method, "qemu") then
	cputransparency_method_is_qemu = true
end
if string.match(sbox_cputransparency_method, "sbrsh") then
	cputransparency_method_is_sbrsh = true
end

function split_to_tokens(text,delim)
	local results = {}
	local c
	for c in string.gmatch(text, delim) do
		table.insert(results, c)
	end
	return results
end

-- Remove selected elements from a table of strings.
-- Returns a new table containing the selected elements, or nil if none 
-- was found. Original table may be modified!
function pick_and_remove_elems_from_string_table(tbl,pattern)
	local res = nil

	if tbl ~= nil then
		local i = #tbl
		while (i > 0) do
			if string.match(tbl[i], pattern) then
				local elem = table.remove(tbl, i)
				if res == nil then
					res = {}
				end
				table.insert(res, elem)
			end
			i = i - 1
		end
	end
	return(res)
end

function sb_execve_postprocess_sbrsh(rule, exec_policy,
	exec_type, mapped_file, filename, argv, envp)

	local new_argv = split_to_tokens(sbox_cputransparency_method,"[^%s]+")

	if #new_argv < 1 then
		sb.log("error", "Invalid sbox_cputransparency_method set");
		-- deny
		return -1, mapped_file, filename, #argv, argv, #envp, envp
	end
	if (sbox_target_root == nil) or (sbox_target_root == "") then
		sb.log("error", 
			"sbox_target_root not set, "..
			"unable to execute the target binary");
		return -1, mapped_file, filename, #argv, argv, #envp, envp
	end

	sb.log("info", string.format("Exec:sbrsh (%s,%s,%s)",
		new_argv[1], sbox_target_root, mapped_file));

	local target_root = sbox_target_root
	if not string.match(target_root, "/$") then
		-- Add a trailing /
		target_root = target_root.."/"
	end

	local file_in_device = mapped_file;

	-- Check the file to execute; fail if the file can
	-- not be located on the device
	if isprefix(target_root, mapped_file) then
		local trlen = string.len(target_root)
		file_in_device = string.sub(file_in_device, trlen)
	elseif isprefix(sbox_user_home_dir, mapped_file) then
		-- no change
	else
		sb.log("error", string.format(
			"Binary must be under target (%s) or"..
			" home when using sbrsh", target_root))
		return -1, mapped_file, filename, #argv, argv, #envp, envp
	end

	-- Check directory
	local dir_in_device = sb.getcwd()

	if isprefix(target_root, dir_in_device) then
		local trlen = string.len(target_root)
		dir_in_device = string.sub(dir_in_device, trlen)
	elseif isprefix(sbox_user_home_dir, dir_in_device) then
		-- no change
	else
		sb.log("warning", string.format(
			"Executing binary with bogus working"..
			" directory (/tmp) because sbrsh can only"..
			" see %s and %s\n",
			target_root, sbox_user_home_dir))
		dir_in_device = "/tmp"
	end

	local new_envp = envp
	local new_filename = new_argv[1] -- first component of method
	
	if (sbox_sbrsh_config ~= nil) and (sbox_sbrsh_config ~= "") then
		table.insert(new_argv, "--config")
		table.insert(new_argv, sbox_sbrsh_config)
	end
	table.insert(new_argv, "--directory")
	table.insert(new_argv, dir_in_device)
	table.insert(new_argv, file_in_device)

	-- Append arguments for target process (skip argv[0],
	-- there isn't currently any way to give that over sbrsh)
	for i = 2, #argv do
		table.insert(new_argv, argv[i])
	end

	-- remove libsb2 from LD_PRELOAD
	local ld_preload_tbl = pick_and_remove_elems_from_string_table(
		new_envp, "^LD_PRELOAD=")
	if ld_preload_tbl == nil then
		sb.log("debug", "LD_PRELOAD not found")
	else
		sb.log("debug", string.format("LD_PRELOAD was %s",
			ld_preload_tbl[1]))
		local ld_preload_path = string.gsub(ld_preload_tbl[1],
			"^LD_PRELOAD=", "", 1)
		local ld_preload_components = split_to_tokens(ld_preload_path,
			"[^:]+")
		-- pick & throw away libsb2.so
		pick_and_remove_elems_from_string_table(ld_preload_components,
			sbox_libsb2)
		if #ld_preload_components > 0 then
			local new_ld_preload = table.concat(
				ld_preload_components, ":")
			table.insert(new_envp, "LD_PRELOAD="..new_ld_preload)
			sb.log("debug", "set LD_PRELOAD to "..new_ld_preload)
		else
			sb.log("debug", "nothing left, run without LD_PRELOAD")
		end
	end

	-- environment&args were changed
	return 0, new_filename, filename, #new_argv, new_argv,
		#new_envp, new_envp
end

function sb_execve_postprocess_cpu_transparency_executable(rule, exec_policy,
    exec_type, mapped_file, filename, argv, envp)

	sb.log("debug", "postprocessing cpu_transparency for " .. filename)

	if cputransparency_method_is_qemu then
		local new_envp = {}
		local new_argv = {}
		local new_filename = sbox_cputransparency_method

		new_argv[1] = sbox_cputransparency_method
		-- drop LD_PRELOAD env.var.
		new_argv[2] = "-drop-ld-preload"
		-- target runtime linker comes from /
		new_argv[3] = "-L"
		new_argv[4] = "/"

		if conf_cputransparency_has_argv0_flag then
			-- set target argv[0]
			new_argv[5] = "-0"
			new_argv[6] = argv[1] 
		end

		if conf_cputransparency_qemu_has_libattr_hack_flag then
			-- For ARM emulation:
			-- a nasty bug exists in some older libattr library
			-- version (e.g. it causes "ls -l" to crash), this
			-- flag enables a hack in Qemu which makes
			-- libattr to work correctly even if it uses incorrect
			-- system call format.
			table.insert(new_argv, "-libattr-hack")
		end

		if conf_cputransparency_qemu_has_env_control_flags then
			for i = 1, #envp do
				-- drop LD_TRACE_ from target environment
				if not string.match(envp[i], "^LD_TRACE_.*") then
					table.insert(new_envp, envp[i])
				else                    
					-- .. and move it to qemu command line 
					table.insert(new_argv, "-E")
					table.insert(new_argv, envp[i])
				end
			end
		else
			-- copy environment. Some things will be broken with
			-- this qemu (for example, prelinking won't work)
			new_envp = envp
		end

		-- unmapped file is exec'd
		table.insert(new_argv, filename)
		--
		-- Append arguments for target process (skip argv[0]
		-- as this is done using -0 switch).
		--
		for i = 2, #argv do
			table.insert(new_argv, argv[i])
		end

		-- environment&args were changed
		return 0, new_filename, filename, #new_argv, new_argv,
			#new_envp, new_envp
	elseif cputransparency_method_is_sbrsh then
		return sb_execve_postprocess_sbrsh(rule, exec_policy,
    			exec_type, mapped_file, filename, argv, envp)
	end

	-- no changes
	return 1, mapped_file, filename, #argv, argv, #envp, envp
end


-- This is called from C:
function sb_execve_postprocess(rule, exec_policy, exec_type,
	mapped_file, filename, binaryname, argv, envp)

	local args_ok
	args_ok, rule, exec_policy = check_rule_and_policy(rule,
		exec_policy, filename, mapped_file) 

	if args_ok == false then
		-- postprocessing is not needed / can't be done, but
		-- exec must be allowed.
		return 1, mapped_file, filename, #argv, argv, #envp, envp
	end

	-- Exec policy found.

	if (exec_policy.log_level ~= nil) then
		sb.log(exec_policy.log_level, exec_policy.log_message)
	end

	if (exec_policy.deny_exec == true) then
		return -1, mapped_file, filename, #argv, argv, #envp, envp
	end

	if (exec_policy.name == nil) then
		sb.log("debug", "Applying nameless exec_policy")
	else
		sb.log("debug", string.format("Applying exec_policy '%s'",
			exec_policy.name))
	end

	sb.log("debug", string.format("sb_execve_postprocess:type=%s",
		exec_type))

	if (exec_policy.name) then
		table.insert(envp, "__SB2_EXEC_POLICY_NAME="..exec_policy.name)
	end

	-- End of generic part. Rest of postprocessing depends on type of
	-- the executable.

	if (exec_type == "native") then
		return sb_execve_postprocess_native_executable(rule,
			exec_policy, exec_type, mapped_file,
			filename, argv, envp)
	elseif (exec_type == "cpu_transparency") then
		return sb_execve_postprocess_cpu_transparency_executable(rule,
			exec_policy, exec_type, mapped_file,
			filename, argv, envp)
	else
		-- all other exec_types: allow exec with orig.args
		return 1, mapped_file, filename, #argv, argv, #envp, envp
	end
end