Annotation of sys/dev/systrace.h, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: systrace.h,v 1.20 2006/10/06 05:47:27 djm Exp $ */
2: /*
3: * Copyright 2002 Niels Provos <provos@citi.umich.edu>
4: * All rights reserved.
5: *
6: * Redistribution and use in source and binary forms, with or without
7: * modification, are permitted provided that the following conditions
8: * are met:
9: * 1. Redistributions of source code must retain the above copyright
10: * notice, this list of conditions and the following disclaimer.
11: * 2. Redistributions in binary form must reproduce the above copyright
12: * notice, this list of conditions and the following disclaimer in the
13: * documentation and/or other materials provided with the distribution.
14: * 3. All advertising materials mentioning features or use of this software
15: * must display the following acknowledgement:
16: * This product includes software developed by Niels Provos.
17: * 4. The name of the author may not be used to endorse or promote products
18: * derived from this software without specific prior written permission.
19: *
20: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30: */
31:
32: #ifndef _SYSTRACE_H_
33: #define _SYSTRACE_H_
34:
35: #include <sys/ioccom.h>
36: #include <sys/rwlock.h>
37:
/*
 * Length of the emulation name carried in the SYSTR_MSG_EMUL payload. The
 * original comment ties it to the emulation name length in the proc
 * structure; the two sizes must agree, as nothing here checks that.
 */
#define SYSTR_EMULEN 8 /* sync with sys proc */

/*
 * Payload of a SYSTR_MSG_EMUL message (by naming; see the msg_data union in
 * struct str_message): the emulation the traced process runs under.
 */
struct str_msg_emul {
	char emul[SYSTR_EMULEN];	/* fixed width; NUL termination is not guaranteed by the layout -- TODO confirm */
};
43:
/*
 * Payload of a SYSTR_MSG_UGID message (by naming): a uid/gid pair of the
 * traced process. Whether these are the real or effective ids is not stated
 * in this header; the monitor presumably uses them to re-evaluate policy
 * after a credential change -- confirm against the sender.
 */
struct str_msg_ugid {
	uid_t uid;
	gid_t gid;
};
48:
/*
 * Payload of a SYSTR_MSG_EXECVE message (by naming): the path of the image
 * being executed. MAXPATHLEN is not defined by the two headers included
 * above, so this relies on the including file having it in scope.
 */
struct str_msg_execve {
	char path[MAXPATHLEN];	/* fixed buffer; NUL termination is not guaranteed by the layout -- TODO confirm */
};
52:
/* Fixed limits shared by the message and ioctl structures in this header. */
#define SYSTR_MAX_POLICIES 64	/* presumably bounds systrace_policy.strp_num -- confirm in the handler */
#define SYSTR_MAXARGS 64	/* sizes args[] below and the per-argument arrays in systrace_replace */
#define SYSTR_MAXFNAME 8
#define SYSTR_MAXINJECTS 8
#define SYSTR_MAXREPLEN 2048	/* presumably the cap on systrace_replace.strr_len -- confirm in the handler */

/*
 * Payload of a SYSTR_MSG_ASK message: a system call of the traced process
 * waiting for the monitor's decision. Everything in it is a snapshot taken
 * by the kernel; the monitor answers with struct systrace_answer.
 */
struct str_msg_ask {
	int code;		/* presumably the system call number */
	int argsize;		/* size of the valid prefix of args[]; bytes or entries is not stated here -- TODO confirm */
	register_t args[SYSTR_MAXARGS];
	register_t rval[2];	/* presumably the call's return values, only meaningful on a result message -- confirm */
	int result;
};
66:
/* Queued on fork or exit of a process */

/*
 * Payload of a SYSTR_MSG_CHILD message. The SYSTR_MSG_NOPROCESS() macro
 * below groups this type with SYSTR_MSG_POLICYFREE as messages that, by the
 * macro's name, are not tied to a process awaiting an answer.
 */
struct str_msg_child {
	pid_t new_pid;	/* pid of the new child on fork; what it holds on exit is not stated here */
};
72:
/*
 * Values of str_message.msg_type. Each selects the msg_data member of the
 * same name; SYSTR_MSG_RES and SYSTR_MSG_POLICYFREE have no dedicated
 * payload member in that union.
 */
#define SYSTR_MSG_ASK 1
#define SYSTR_MSG_RES 2
#define SYSTR_MSG_EMUL 3
#define SYSTR_MSG_CHILD 4
#define SYSTR_MSG_UGID 5
#define SYSTR_MSG_POLICYFREE 6
#define SYSTR_MSG_EXECVE 7

/*
 * True for message types that, by the macro's name, do not refer to a
 * process the monitor must answer for. x must point to an object with a
 * struct str_message member named msg; x is evaluated twice.
 */
#define SYSTR_MSG_NOPROCESS(x) \
	((x)->msg.msg_type == SYSTR_MSG_CHILD || \
	(x)->msg.msg_type == SYSTR_MSG_POLICYFREE)
84:
/*
 * Message delivered from the kernel to the monitoring process. For a
 * SYSTR_MSG_ASK the monitor replies with a struct systrace_answer whose
 * stra_pid/stra_seqnr identify this message (see the msg_seqnr comment).
 */
struct str_message {
	int msg_type;		/* one of SYSTR_MSG_*; selects the msg_data member */
	pid_t msg_pid;		/* traced process the message concerns */
	u_int16_t msg_seqnr; /* answer has to match seqnr */
	/* msg_seqnr is 16-bit and so wraps; matching presumably also keys on msg_pid -- confirm */
	short msg_policy;	/* 16-bit here, while systrace_answer.stra_policy is an int */
	union {
		struct str_msg_emul msg_emul;
		struct str_msg_ugid msg_ugid;
		struct str_msg_ask msg_ask;
		struct str_msg_child msg_child;
		struct str_msg_execve msg_execve;
	} msg_data;
};
98:
/*
 * Monitor's reply to a SYSTR_MSG_ASK, passed in via STRIOCANSWER. This is
 * untrusted input to the kernel: it can deny the call (stra_error), choose
 * a policy, and -- per the stra_seteuid comment -- run the call with
 * different effective credentials. The kernel side must restrict the
 * credential override to a privileged monitor (struct fsystrace.issuser
 * looks like that check's state -- confirm in the handler).
 */
struct systrace_answer {
	pid_t stra_pid;		/* must match str_message.msg_pid of the message answered */
	u_int16_t stra_seqnr;	/* must match str_message.msg_seqnr */
	short reserved;		/* presumably alignment padding; callers should zero it */
	uid_t stra_seteuid; /* elevated privileges for system call */
	uid_t stra_setegid;	/* declared uid_t although it carries a gid; gid_t is used elsewhere in this header */
	int stra_policy;
	int stra_error;		/* presumably the errno returned to the traced process when the call is refused */
	int stra_flags;		/* SYSTR_FLAGS_* bits; by naming, SETEUID/SETEGID gate the two credential fields */
};
109:
/*
 * Argument of STRIOCSCRIPTNAME: associates a script path with process
 * sn_pid (by naming; the kernel-side systrace_scriptname() prototype below
 * takes a proc and a path).
 */
struct systrace_scriptname {
	pid_t sn_pid;
	char sn_scriptname[MAXPATHLEN];	/* copied in from userland; the handler should require a NUL within MAXPATHLEN -- TODO confirm */
};
114:
/* Values of systrace_io.strio_op (by naming). */
#define SYSTR_READ 1
#define SYSTR_WRITE 2

/*
 * Argument of STRIOCIO: transfers strio_len bytes between the monitor and
 * the traced process strio_pid, direction given by strio_op. Which of
 * strio_offs/strio_addr is in which address space is inferred from the
 * names only -- confirm in the handler. Both pointers and the length arrive
 * from userland and must be validated there; the layout enforces nothing.
 */
struct systrace_io {
	pid_t strio_pid;
	int strio_op;		/* SYSTR_READ or SYSTR_WRITE */
	void *strio_offs;	/* presumably the address inside the traced process */
	void *strio_addr;	/* presumably the buffer in the monitor's own address space */
	size_t strio_len;
};
125:
/*
 * Values of systrace_policy.strp_op. These share the SYSTR_POLICY_ prefix
 * with the decision values SYSTR_POLICY_ASK/PERMIT/NEVER further down but
 * are a different namespace; do not mix them.
 */
#define SYSTR_POLICY_NEW 1
#define SYSTR_POLICY_ASSIGN 2
#define SYSTR_POLICY_MODIFY 3

/*
 * Argument of STRIOCPOLICY. Which strp_data member is valid depends on
 * strp_op; the pairing is inferred from the names (NEW -> maxents,
 * ASSIGN -> pid, MODIFY -> assign.{code,policy}) -- confirm in the handler.
 */
struct systrace_policy {
	int strp_op;
	int strp_num;		/* policy number; presumably checked against SYSTR_MAX_POLICIES */
	union {
		struct {
			short code;	/* system call number narrowed to 16 bits */
			short policy;	/* presumably one of SYSTR_POLICY_ASK/PERMIT/NEVER */
		} assign;
		pid_t pid;
		int maxents;
	} strp_data;
};

/*
 * Accessors for the union members. These are plain identifier macros, so
 * they rewrite any use of these names after this header is included, not
 * just accesses on struct systrace_policy.
 */
#define strp_pid strp_data.pid
#define strp_maxents strp_data.maxents
#define strp_code strp_data.assign.code
#define strp_policy strp_data.assign.policy
147:
/* Presumably a bit for systrace_replace.strr_flags[]; its meaning is not stated in this header. */
#define SYSTR_NOLINKS 1

/*
 * Argument of STRIOCREPLACE: lets the monitor substitute arguments of the
 * pending system call with data it supplies. strr_base/strr_len describe
 * one buffer in the monitor's memory; reading the per-entry arrays by
 * their names, entry i replaces argument strr_argind[i] with the
 * strr_offlen[i] bytes at offset strr_off[i] -- confirm in the handler.
 * Nothing in this layout bounds the request: the kernel side must check
 * strr_nrepl <= SYSTR_MAXARGS, every strr_argind[i] < SYSTR_MAXARGS, and
 * strr_off[i] + strr_offlen[i] <= strr_len without overflow (plus strr_len
 * against SYSTR_MAXREPLEN, if that is its purpose).
 */
struct systrace_replace {
	pid_t strr_pid;
	u_int16_t strr_seqnr;	/* identifies the pending SYSTR_MSG_ASK, as in systrace_answer */
	int16_t reserved;	/* presumably padding; spelled short in systrace_answer */
	int strr_nrepl;		/* number of valid entries in the arrays below */
	caddr_t strr_base; /* Base memory */
	size_t strr_len; /* Length of memory */
	int strr_argind[SYSTR_MAXARGS];
	size_t strr_off[SYSTR_MAXARGS];
	size_t strr_offlen[SYSTR_MAXARGS];
	int32_t strr_flags[SYSTR_MAXARGS];
};
162:
/*
 * Argument of STRIOCINJECT, a read-write ioctl: presumably copies stri_len
 * bytes from stri_addr into the traced process stri_pid. Per the original
 * comment, stri_addr is overwritten on return with where the data was
 * placed, so callers must not rely on it keeping its input value.
 */
struct systrace_inject {
	/* On return, this contains the stackgap address. */
	caddr_t stri_addr;
	size_t stri_len;	/* arrives from userland; SYSTR_MAXINJECTS above is a count, not a byte cap -- confirm the bound */
	pid_t stri_pid;
};
169:
/*
 * ioctls of the systrace device: group 's', numbers 100-111. _IOW copies
 * the argument in, _IOR out, _IOWR both; STRIOCRESCWD takes none. The
 * argument types name the structs above; ATTACH/DETACH/GETCWD/REPORT take a
 * bare pid_t.
 */
#define STRIOCCLONE _IOR('s', 100, int)
#define SYSTR_CLONE STRIOCCLONE	/* alias for STRIOCCLONE */
#define STRIOCATTACH _IOW('s', 101, pid_t)
#define STRIOCDETACH _IOW('s', 102, pid_t)
#define STRIOCANSWER _IOW('s', 103, struct systrace_answer)
#define STRIOCIO _IOWR('s', 104, struct systrace_io)
#define STRIOCPOLICY _IOWR('s', 105, struct systrace_policy)
#define STRIOCGETCWD _IOW('s', 106, pid_t)
#define STRIOCRESCWD _IO('s', 107)
#define STRIOCREPORT _IOW('s', 108, pid_t)
#define STRIOCREPLACE _IOW('s', 109, struct systrace_replace)
#define STRIOCSCRIPTNAME _IOW('s', 110, struct systrace_scriptname)
#define STRIOCINJECT _IOWR('s', 111, struct systrace_inject)

/*
 * Policy decisions (by naming, the values of systrace_answer.stra_policy
 * and systrace_policy's assign.policy). Not the same namespace as the
 * SYSTR_POLICY_NEW/ASSIGN/MODIFY operation codes above.
 */
#define SYSTR_POLICY_ASK 0
#define SYSTR_POLICY_PERMIT 1
#define SYSTR_POLICY_NEVER 2

/* Bits of systrace_answer.stra_flags (by naming). */
#define SYSTR_FLAGS_RESULT 0x001
#define SYSTR_FLAGS_SETEUID 0x002	/* presumably: apply stra_seteuid for this call */
#define SYSTR_FLAGS_SETEGID 0x004	/* presumably: apply stra_setegid for this call */
191:
192: #ifdef _KERNEL
193: #include <sys/namei.h>
194:
struct str_process;
/*
 * Kernel-side state of one open systrace device (kernel-only). Holds the
 * set of traced processes, the policy table, the queue of processes with
 * pending messages, and the identity of the monitor that opened it.
 */
struct fsystrace {
	struct rwlock lock;	/* presumably guards the fields below; lock order is not stated here */
	struct selinfo si;	/* select/poll registration for the monitor */

	TAILQ_HEAD(strprocessq, str_process) processes;
	int nprocesses;		/* length of processes */

	TAILQ_HEAD(strpolicyq, str_policy) policies;

	struct strprocessq messages;	/* same element type as processes; presumably those with a message queued -- confirm */

	int npolicynr;
	int npolicies;		/* length of policies */

	int issuser;		/* by naming, whether the monitor is privileged; presumably gates stra_seteuid/stra_setegid */
	uid_t p_ruid;		/* monitor's real uid/gid, presumably recorded at open */
	gid_t p_rgid;

	/* cwd magic */
	pid_t fd_pid;		/* process whose cwd/root is currently substituted -- see STRIOCGETCWD/STRIOCRESCWD */
	struct vnode *fd_cdir;
	struct vnode *fd_rdir;
};
219:
/* Internal prototypes */

/* Hooks called from the rest of the kernel; purposes inferred from names and signatures -- confirm in systrace.c. */
void systrace_namei(struct nameidata *);	/* path-lookup hook */
int systrace_redirect(int, struct proc *, void *, register_t *);	/* (code, proc, args, retval): system-call interposition point */
void systrace_exit(struct proc *);		/* process exit; presumably sends SYSTR_MSG_CHILD */
void systrace_fork(struct proc *, struct proc *);	/* (parent, child) */
void systrace_execve0(struct proc *);
void systrace_execve1(char *, struct proc *);	/* (path, proc); presumably sends SYSTR_MSG_EXECVE */
int systrace_scriptname(struct proc *, char *);	/* (proc, path): backs STRIOCSCRIPTNAME */
229:
230: #endif /* _KERNEL */
231: #endif /* _SYSTRACE_H_ */