ugidfw.c (a8879d0d7dc2ecfb99e31b1443a11a02feb49914) ugidfw.c (34d26f04c39740f0c346ce98984615b640a86612)
1/*-
1/*-
2 * Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
2 * Copyright (c) 2002 Networks Associates Technology, Inc.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by NAI Labs, the
6 * Security Research Division of Network Associates, Inc. under
7 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
8 * CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
3 * All rights reserved.
4 *
5 * This software was developed for the FreeBSD Project by NAI Labs, the
6 * Security Research Division of Network Associates, Inc. under
7 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
8 * CHATS research program.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. The names of the authors may not be used to endorse or promote
19 * products derived from this software without specific prior written
20 * permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $FreeBSD$
30 */
35 */
31
32#include <sys/cdefs.h>
33__FBSDID("$FreeBSD$");
34
35#include <sys/param.h>
36#include <sys/errno.h>
36#include <sys/param.h>
37#include <sys/errno.h>
37#include <sys/mount.h>
38#include <sys/time.h>
39#include <sys/sysctl.h>
38#include <sys/time.h>
39#include <sys/sysctl.h>
40#include <sys/vnode.h>
40
41#include <security/mac_bsdextended/mac_bsdextended.h>
42
41
42#include <security/mac_bsdextended/mac_bsdextended.h>
43
43#include <err.h>
44#include <stdio.h>
45#include <stdlib.h>
46#include <string.h>
47#include <ugidfw.h>
48
44#include <stdio.h>
45#include <stdlib.h>
46#include <string.h>
47#include <ugidfw.h>
48
49void add_rule(int argc, char *argv[]);
50void list_rules(void);
51void remove_rule(int argc, char *argv[]);
52void set_rule(int argc, char *argv[]);
53void usage(void);
54
55void
56usage(void)
57{
58
49void
50usage(void)
51{
52
59 fprintf(stderr, "usage: ugidfw add [subject [not] [uid uid] [gid gid]]"
60 " [object [not] [uid uid] \\\n");
61 fprintf(stderr, " [gid gid]] mode arswxn\n");
62 fprintf(stderr, " ugidfw list\n");
63 fprintf(stderr, " ugidfw set rulenum [subject [not] [uid uid] [gid gid]]"
53 fprintf(stderr, "ugidfw list\n");
54 fprintf(stderr, "ugidfw set rulenum [subject [not] [uid uid] [gid gid]]"
64 " [object [not] \\\n");
65 fprintf(stderr, " [uid uid] [gid gid]] mode arswxn\n");
55 " [object [not] \\\n");
56 fprintf(stderr, " [uid uid] [gid gid]] mode arswxn\n");
66 fprintf(stderr, " ugidfw remove rulenum\n");
57 fprintf(stderr, "ugidfw remove rulenum\n");
67
58
68 exit(1);
59 exit(-1);
69}
70
71void
60}
61
62void
72add_rule(int argc, char *argv[])
73{
74 char errstr[BUFSIZ], charstr[BUFSIZ];
75 struct mac_bsdextended_rule rule;
76 int error, rulenum;
77
78 error = bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr);
79 if (error) {
80 warnx("%s", errstr);
81 return;
82 }
83
84 error = bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr);
85 if (error) {
86 warnx("%s", errstr);
87 return;
88 }
89 if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
90 warnx("Added rule, but unable to print string.");
91 else
92 printf("%d %s\n", rulenum, charstr);
93}
94
95void
96list_rules(void)
97{
98 char errstr[BUFSIZ], charstr[BUFSIZ];
99 struct mac_bsdextended_rule rule;
100 int error, i, rule_count, rule_slots;
101
102 rule_slots = bsde_get_rule_slots(BUFSIZ, errstr);
103 if (rule_slots == -1) {
63list_rules(void)
64{
65 char errstr[BUFSIZ], charstr[BUFSIZ];
66 struct mac_bsdextended_rule rule;
67 int error, i, rule_count, rule_slots;
68
69 rule_slots = bsde_get_rule_slots(BUFSIZ, errstr);
70 if (rule_slots == -1) {
104 warnx("unable to get rule slots; mac_bsdextended.ko "
105 "may not be loaded");
106 errx(1, "bsde_get_rule_slots: %s", errstr);
71 fprintf(stderr, "Unable to get rule slots; mac_bsdextended.ko "
72 "may not be loaded.\n");
73 fprintf(stderr, "bsde_get_rule_slots: %s\n", errstr);
74 exit (-1);
107 }
108
109 rule_count = bsde_get_rule_count(BUFSIZ, errstr);
75 }
76
77 rule_count = bsde_get_rule_count(BUFSIZ, errstr);
110 if (rule_count == -1)
111 errx(1, "bsde_get_rule_count: %s", errstr);
78 if (rule_count == -1) {
79 fprintf(stderr, "bsde_get_rule_count: %s\n", errstr);
80 exit (-1);
81 }
112
113 printf("%d slots, %d rules\n", rule_slots, rule_count);
114
82
83 printf("%d slots, %d rules\n", rule_slots, rule_count);
84
115 for (i = 0; i < rule_slots; i++) {
85 for (i = 0; i <= rule_slots; i++) {
116 error = bsde_get_rule(i, &rule, BUFSIZ, errstr);
117 switch (error) {
118 case -2:
119 continue;
120 case -1:
86 error = bsde_get_rule(i, &rule, BUFSIZ, errstr);
87 switch (error) {
88 case -2:
89 continue;
90 case -1:
121 warnx("rule %d: %s", i, errstr);
91 fprintf(stderr, "rule %d: %s\n", i, errstr);
122 continue;
123 case 0:
124 break;
125 }
126
127 if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
92 continue;
93 case 0:
94 break;
95 }
96
97 if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
128 warnx("unable to translate rule %d to string", i);
98 fprintf(stderr,
99 "Unable to translate rule %d to string\n", i);
129 else
130 printf("%d %s\n", i, charstr);
131 }
132}
133
134void
135set_rule(int argc, char *argv[])
136{

--- 12 unchanged lines hidden (view full) ---

149
150 if ((long) value != (int) value || value < 0)
151 usage();
152
153 rulenum = value;
154
155 error = bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr);
156 if (error) {
100 else
101 printf("%d %s\n", i, charstr);
102 }
103}
104
105void
106set_rule(int argc, char *argv[])
107{

--- 12 unchanged lines hidden (view full) ---

120
121 if ((long) value != (int) value || value < 0)
122 usage();
123
124 rulenum = value;
125
126 error = bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr);
127 if (error) {
157 warnx("%s", errstr);
128 fprintf(stderr, "%s\n", errstr);
158 return;
159 }
160
161 error = bsde_set_rule(rulenum, &rule, BUFSIZ, errstr);
162 if (error) {
129 return;
130 }
131
132 error = bsde_set_rule(rulenum, &rule, BUFSIZ, errstr);
133 if (error) {
163 warnx("%s", errstr);
134 fprintf(stderr, "%s\n", errstr);
164 return;
165 }
166}
167
168void
169remove_rule(int argc, char *argv[])
170{
171 char errstr[BUFSIZ];

--- 10 unchanged lines hidden (view full) ---

182
183 if ((long) value != (int) value || value < 0)
184 usage();
185
186 rulenum = value;
187
188 error = bsde_delete_rule(rulenum, BUFSIZ, errstr);
189 if (error)
135 return;
136 }
137}
138
139void
140remove_rule(int argc, char *argv[])
141{
142 char errstr[BUFSIZ];

--- 10 unchanged lines hidden (view full) ---

153
154 if ((long) value != (int) value || value < 0)
155 usage();
156
157 rulenum = value;
158
159 error = bsde_delete_rule(rulenum, BUFSIZ, errstr);
160 if (error)
190 warnx("%s", errstr);
161 fprintf(stderr, "%s\n", errstr);
191}
192
193int
194main(int argc, char *argv[])
195{
196
197 if (argc < 2)
198 usage();
199
162}
163
164int
165main(int argc, char *argv[])
166{
167
168 if (argc < 2)
169 usage();
170
200 if (strcmp("add", argv[1]) == 0) {
201 add_rule(argc-2, argv+2);
202 } else if (strcmp("list", argv[1]) == 0) {
171 if (strcmp("list", argv[1]) == 0) {
203 if (argc != 2)
204 usage();
205 list_rules();
206 } else if (strcmp("set", argv[1]) == 0) {
207 set_rule(argc-2, argv+2);
208 } else if (strcmp("remove", argv[1]) == 0) {
209 remove_rule(argc-2, argv+2);
210 } else
211 usage();
212
213 return (0);
214}
172 if (argc != 2)
173 usage();
174 list_rules();
175 } else if (strcmp("set", argv[1]) == 0) {
176 set_rule(argc-2, argv+2);
177 } else if (strcmp("remove", argv[1]) == 0) {
178 remove_rule(argc-2, argv+2);
179 } else
180 usage();
181
182 return (0);
183}
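Review bot: In add_rule, set_rule and remove_rule (the a8879d0d column, which I take to be the newer revision given the warnx/errx conversion and the new `add` subcommand), a failed bsde_parse_rule, bsde_add_rule, bsde_set_rule or bsde_delete_rule is reported with `warnx("%s", errstr); return;`, yet main() still ends with `return (0);`, so the process exits 0 even though no rule was installed or removed. Because ugidfw is the tool that loads mac_bsdextended access-control rules, typically from scripts, a silent zero exit lets a caller believe a policy is in place when it is not; list_rules already uses errx(1, ...) for its failures, so the three mutators should do the same, e.g. `errx(1, "%s", errstr);` in place of each `warnx("%s", errstr); return;` pair, or have them return a status that main() propagates. The numeric-argument parsing in set_rule and remove_rule is among the hidden lines, so I cannot tell whether its errors are handled the same way.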