#define NONRET __attribute__((noreturn))
#define UNUSED __attribute__((unused))
+#define ARRAY_SIZE(a) (int)(sizeof(a)/sizeof(a[0]))
static int filter_syscalls; /* 0=off, 1=liberal, 2=totalitarian */
static int timeout; /* milliseconds */
va_end(args);
}
-static const char * const syscall_tab[] = {
+static void *
+xmalloc(size_t size)
+{
+ void *p = malloc(size);
+ if (!p)
+ die("Out of memory");
+ return p;
+}
+
+static const char * const syscall_names[] = {
#include "syscall-table.h"
};
-#define NUM_SYSCALLS (sizeof(syscall_tab)/sizeof(syscall_tab[0]))
+#define NUM_SYSCALLS ARRAY_SIZE(syscall_names)
#define NUM_ACTIONS (NUM_SYSCALLS+64)
-enum syscall_action {
+enum action {
SC_DEFAULT, // Use the default action
SC_NO, // Always forbid
SC_YES, // Always permit
static const char *
syscall_name(unsigned int id, char *buf)
{
- if (id < NUM_SYSCALLS && syscall_tab[id])
- return syscall_tab[id];
+ if (id < NUM_SYSCALLS && syscall_names[id])
+ return syscall_names[id];
else
{
sprintf(buf, "#%d", id);
static int
syscall_by_name(char *name)
{
- for (unsigned int i=0; i<sizeof(syscall_tab)/sizeof(syscall_tab[0]); i++)
- if (syscall_tab[i] && !strcmp(syscall_tab[i], name))
+ for (unsigned int i=0; i<NUM_SYSCALLS; i++)
+ if (syscall_names[i] && !strcmp(syscall_names[i], name))
return i;
if (name[0] == '#')
name++;
}
static int
-set_action(char *a)
+set_syscall_action(char *a)
{
char *sep = strchr(a, '=');
- enum syscall_action act = SC_YES;
+ enum action act = SC_YES;
if (sep)
{
*sep++ = 0;
int sys = syscall_by_name(a);
if (sys < 0)
die("Unknown syscall `%s'", a);
- if (sys >= (int)NUM_ACTIONS)
+ if (sys >= NUM_ACTIONS)
die("Syscall `%s' out of range", a);
syscall_action[sys] = act;
return 1;
}
+struct path_rule {
+ char *path;
+ enum action action;
+ struct path_rule *next;
+};
+
+static struct path_rule default_path_rules[] = {
+ { "/etc/", SC_YES },
+ { "/lib/", SC_YES },
+ { "/usr/lib/", SC_YES },
+ { "/opt/lib/", SC_YES },
+ { "/usr/share/zoneinfo/", SC_YES },
+ { "/usr/share/locale/", SC_YES },
+ { "/dev/null", SC_YES },
+ { "/dev/zero", SC_YES },
+ { "/proc/meminfo", SC_YES },
+ { "/proc/self/stat", SC_YES },
+ { "/proc/self/exe", SC_YES }, // Needed by FPC 2.0.x runtime
+};
+
+static struct path_rule *user_path_rules;
+static struct path_rule **last_path_rule = &user_path_rules;
+
+static int
+set_path_action(char *a)
+{
+ char *sep = strchr(a, '=');
+ enum action act = SC_YES;
+ if (sep)
+ {
+ *sep++ = 0;
+ if (!strcmp(sep, "yes"))
+ act = SC_YES;
+ else if (!strcmp(sep, "no"))
+ act = SC_NO;
+ else
+ return 0;
+ }
+
+ struct path_rule *r = xmalloc(sizeof(*r) + strlen(a));
+ r->path = (char *)(r+1);
+ strcpy(r->path, a);
+ r->action = act;
+ r->next = NULL;
+ *last_path_rule = r;
+ last_path_rule = &r->next;
+ return 1;
+}
+
+static enum action
+match_path_rule(struct path_rule *r, char *path)
+{
+ char *rr = r->path;
+ while (*rr)
+ if (*rr++ != *path++)
+ {
+ if (rr[-1] == '/' && !path[-1])
+ break;
+ return SC_DEFAULT;
+ }
+ if (rr > r->path && rr[-1] != '/' && *path)
+ return SC_DEFAULT;
+ return r->action;
+}
+
static void
valid_filename(unsigned long addr)
{
msg("[%s] ", namebuf);
if (file_access >= 3)
return;
+
+ // Everything in current directory is permitted
if (!strchr(namebuf, '/') && strcmp(namebuf, ".."))
return;
+
+ // ".." anywhere in the path is forbidden
+ enum action act = SC_DEFAULT;
+ if (strstr(namebuf, ".."))
+ act = SC_NO;
+
+ // Scan user rules
+ for (struct path_rule *r = user_path_rules; r && !act; r=r->next)
+ act = match_path_rule(r, namebuf);
+
+ // Scan built-in rules
if (file_access >= 2)
- {
- if ((!strncmp(namebuf, "/etc/", 5) ||
- !strncmp(namebuf, "/lib/", 5) ||
- !strncmp(namebuf, "/usr/lib/", 9) ||
- !strncmp(namebuf, "/opt/lib/", 9))
- && !strstr(namebuf, ".."))
- return;
- if (!strcmp(namebuf, "/dev/null") ||
- !strcmp(namebuf, "/dev/zero") ||
- !strcmp(namebuf, "/proc/meminfo") ||
- !strcmp(namebuf, "/proc/self/stat") ||
- !strcmp(namebuf, "/proc/self/exe") || /* Needed by FPC 2.0.x runtime */
- !strncmp(namebuf, "/usr/share/zoneinfo/", 20))
- return;
- }
- die("Forbidden access to file `%s'", namebuf);
+ for (int i=0; i<ARRAY_SIZE(default_path_rules) && !act; i++)
+ act = match_path_rule(&default_path_rules[i], namebuf);
+
+ if (act != SC_YES)
+ die("Forbidden access to file `%s'", namebuf);
}
static int
valid_syscall(struct user *u)
{
unsigned int sys = u->regs.orig_eax;
- enum syscall_action act = (sys < NUM_ACTIONS) ? syscall_action[sys] : SC_DEFAULT;
+ enum action act = (sys < NUM_ACTIONS) ? syscall_action[sys] : SC_DEFAULT;
if (act & SC_LIBERAL)
{
-i <file>\tRedirect stdin from <file>\n\
-m <size>\tLimit address space to <size> KB\n\
-o <file>\tRedirect stdout to <file>\n\
+-p <path>\tPermit access to the specified path (or subtree if it ends with a `/')\n\
+-p <path>=<act>\tDefine action for the specified path (<act>=yes/no)\n\
-s <sys>\tPermit the specified syscall (be careful)\n\
-s <sys>=<act>\tDefine action for the specified syscall (<act>=yes/no/file)\n\
-t <time>\tSet run time limit (seconds, fractions allowed)\n\
int c;
uid_t uid;
- while ((c = getopt(argc, argv, "a:c:efi:m:o:s:t:Tvw:")) >= 0)
+ while ((c = getopt(argc, argv, "a:c:efi:m:o:p:s:t:Tvw:")) >= 0)
switch (c)
{
case 'a':
case 'o':
redir_stdout = optarg;
break;
+ case 'p':
+ if (!set_path_action(optarg))
+ usage();
+ break;
case 's':
- if (!set_action(optarg))
+ if (!set_syscall_action(optarg))
usage();
break;
case 't':