From: Robert Watson Subject: PERFORCE change 15164 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15164 Change 15164 by rwatson@rwatson_paprika on 2002/07/29 21:19:36 Make the ugidfw command link against the new libugidfw rather than implementing the various sysctl-frobbing/parsing/... calls itself. Affected files ... .. //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/Makefile#2 edit .. //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/ugidfw.c#7 edit Differences ... ==== //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/Makefile#2 (text+ko) ==== @@ -2,5 +2,6 @@ PROG= ugidfw NOMAN= yes +LDADD= -lugidfw .include ==== //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/ugidfw.c#7 (text+ko) ==== @@ -41,21 +41,10 @@ #include -#include -#include #include #include #include - -/* - * Text format for rules: rules contain subjectand object elements, mode. - * Each element takes the form "[not] [uid number] [gid number]". - * The total form is "subject [element] object [element] mode [mode]". - * At least * one of a uid or gid entry must be present; both may also be - * present. - */ - -#define MIB "security.mac.bsdextended" +#include void usage(void) 
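Review bot: `LDADD= -lugidfw` is added without a matching `DPADD` entry, so make will not re-link ugidfw when libugidfw itself changes and the program can end up linked against a stale copy of the library. bsd.prog.mk uses DPADD for exactly this, the usual pairing being `DPADD= ${LIBUGIDFW}`; whether `LIBUGIDFW` is already defined in bsd.libnames.mk for this new library is not visible here, so confirm that before relying on it.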
@@ -63,432 +52,60 @@ fprintf(stderr, "ugidfw list\n"); fprintf(stderr, "ugidfw set rulenum [subject [not] [uid uid] [gid gid]]" - " [object [not] [uid uid] [gid gid]] mode arswxn\n"); + " [object [not] \\\n"); + fprintf(stderr, " [uid uid] [gid gid]] mode arswxn\n"); fprintf(stderr, "ugidfw remove rulenum\n"); - exit (-1); -} -void -print_rule(int rulenum, struct mac_bsdextended_rule *rule) -{ - struct group *grp; - struct passwd *pwd; - int anymode, unknownmode; - - printf("%d ", rulenum); - if (rule->mbr_subject.mbi_flags & (MBI_UID_DEFINED | - MBI_GID_DEFINED)) { - printf("subject "); - if (rule->mbr_subject.mbi_flags & MBI_NEGATED) - printf("not "); - if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) { - pwd = getpwuid(rule->mbr_subject.mbi_uid); - if (pwd != NULL) - printf("uid %s ", pwd->pw_name); - else - printf("uid %u ", rule->mbr_subject.mbi_uid); - } - if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) { - grp = getgrgid(rule->mbr_subject.mbi_gid); - if (grp != NULL) - printf("gid %s ", grp->gr_name); - else - printf("gid %u ", rule->mbr_subject.mbi_gid); - } - } - if (rule->mbr_object.mbi_flags & (MBI_UID_DEFINED | - MBI_GID_DEFINED)) { - printf("object "); - if (rule->mbr_object.mbi_flags & MBI_NEGATED) - printf("not "); - if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) { - pwd = getpwuid(rule->mbr_object.mbi_uid); - if (pwd != NULL) - printf("uid %s ", pwd->pw_name); - else - printf("uid %u ", rule->mbr_object.mbi_uid); - } - if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) { - grp = getgrgid(rule->mbr_object.mbi_gid); - if (grp != NULL) - printf("gid %s ", grp->gr_name); - else - printf("gid %u ", rule->mbr_object.mbi_gid); - } - } - - printf("mode "); - anymode = (rule->mbr_mode & VALLPERM); - unknownmode = (rule->mbr_mode & ~VALLPERM); - - if (rule->mbr_mode & VADMIN) - printf("a"); - if (rule->mbr_mode & VREAD) - printf("r"); - if (rule->mbr_mode & VSTAT) - printf("s"); - if (rule->mbr_mode & VWRITE) - printf("w"); - if (rule->mbr_mode & 
VEXEC) - printf("x"); - if (!anymode) - printf("n"); - if (unknownmode) - printf("?"); - - printf("\n"); -} - -int -parse_identity(int argc, char *argv[], - struct mac_bsdextended_identity *identity) -{ - struct group *grp; - struct passwd *pwd; - int uid_seen, gid_seen, not_seen; - int current; - char *endp; - long value; - uid_t uid; - gid_t gid; - - if (argc == 0) { - fprintf(stderr, "Identity must not be empty\n"); - return (-1); - } - - current = 0; - - /* First element might be "not". */ - if (strcmp("not", argv[0]) == 0) { - not_seen = 1; - current++; - } else - not_seen = 0; - - if (current >= argc) { - fprintf(stderr, "Identity short.\n"); - return (-1); - } - - uid_seen = 0; - gid_seen = 0; - - /* First phrase: uid [uid] or gid[gid]. */ - if (strcmp("uid", argv[current]) == 0) { - if (current + 2 > argc) { - fprintf(stderr, "uid short.\n"); - return (-1); - } - pwd = getpwnam(argv[current+1]); - if (pwd != NULL) - uid = pwd->pw_uid; - else { - value = strtol(argv[current+1], &endp, 10); - if (*endp != '\0') { - fprintf(stderr, "invalid uid: '%s'\n", - argv[current+1]); - return (-1); - } - uid = value; - } - uid_seen = 1; - current += 2; - } else if (strcmp("gid", argv[current]) == 0) { - if (current + 2 > argc) { - fprintf(stderr, "gid short.\n"); - return (-1); - } - grp = getgrnam(argv[current+1]); - if (grp != NULL) - gid = grp->gr_gid; - else { - value = strtol(argv[current+1], &endp, 10); - if (*endp != '\0') { - fprintf(stderr, "invalid gid: '%s'\n", - argv[current+1]); - return (-1); - } - gid = value; - } - gid_seen = 1; - current += 2; - } else { - fprintf(stderr, "'%s' not expected.\n", argv[current]); - return (-1); - } - - /* Onto optional second phrase. */ - if (current + 1 < argc) { - /* Second phrase: uid [uid] or gid [gid], but not a repeat. 
*/ - if (strcmp("uid", argv[current]) == 0) { - if (uid_seen) { - fprintf(stderr, "Only one uid permitted per " - "identity clause.\n"); - return (-1); - } - if (current + 2 > argc) { - fprintf(stderr, "uid short.\n"); - return (-1); - } - value = strtol(argv[current+1], &endp, 10); - if (*endp != '\0') { - fprintf(stderr, "invalid uid: '%s'\n", - argv[current+1]); - return (-1); - } - uid = value; - uid_seen = 1; - current += 2; - } else if (strcmp("gid", argv[current]) == 0) { - if (gid_seen) { - fprintf(stderr, "Only one gid permitted per " - "identity clause.\n"); - return (-1); - } - if (current + 2 > argc) { - fprintf(stderr, "gid short.\n"); - return (-1); - } - value = strtol(argv[current+1], &endp, 10); - if (*endp != '\0') { - fprintf(stderr, "invalid gid: '%s'\n", - argv[current+1]); - return (-1); - } - gid = value; - gid_seen = 1; - current += 2; - } else { - fprintf(stderr, "'%s' not expected.\n", argv[current]); - return (-1); - } - } - - if (current +1 < argc) { - fprintf(stderr, "'%s' not expected.\n", argv[current]); - return (-1); - } - - /* Fill out the identity. 
*/ - identity->mbi_flags = 0; - - if (not_seen) - identity->mbi_flags |= MBI_NEGATED; - - if (uid_seen) { - identity->mbi_flags |= MBI_UID_DEFINED; - identity->mbi_uid = uid; - } else - identity->mbi_uid = 0; - - if (gid_seen) { - identity->mbi_flags |= MBI_GID_DEFINED; - identity->mbi_gid = gid; - } else - identity->mbi_gid = 0; - - return (0); -} - -int -parse_mode(int argc, char *argv[], mode_t *mode) -{ - int i; - - if (argc == 0) { - fprintf(stderr, "mode expects mode value.\n"); - return (-1); - } - - if (argc != 1) { - fprintf(stderr, "'%s' unexpected.\n", argv[1]); - return (-1); - } - - *mode = 0; - for (i = 0; i < strlen(argv[0]); i++) { - char c; - - switch (argv[0][i]) { - case 'a': - *mode |= VADMIN; - break; - case 'r': - *mode |= VREAD; - break; - case 's': - *mode |= VSTAT; - break; - case 'w': - *mode |= VWRITE; - break; - case 'x': - *mode |= VEXEC; - break; - case 'n': - /* ignore */ - break; - default: - fprintf(stderr, "Unknown mode letter: %c\n", - argv[0][i]); - return (-1); - } - } - - return (0); + exit(-1); } -int -parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule) -{ - int subject, subject_elements, subject_elements_length; - int object, object_elements, object_elements_length; - int mode, mode_elements, mode_elements_length; - int error, i; - - bzero(rule, sizeof(*rule)); - - if (argc < 1) { - fprintf(stderr, "Rule must begin with subject.\n"); - return (-1); - } - - if (strcmp(argv[0], "subject") != 0) { - fprintf(stderr, "Rule must begin with subject.\n"); - return (-1); - } - subject = 0; - subject_elements = 1; - - /* Search forward for object. */ - - object = -1; - for (i = 1; i < argc; i++) - if (strcmp(argv[i], "object") == 0) - object = i; - - if (object == -1) { - fprintf(stderr, "Rule must contain an object.\n"); - return (-1); - } - - /* Search forward for mode. 
*/ - mode = -1; - for (i = object; i < argc; i++) - if (strcmp(argv[i], "mode") == 0) - mode = i; - - if (mode == -1) { - fprintf(stderr, "Rule must contain mode.\n"); - return (-1); - } - - subject_elements_length = object - subject - 1; - object_elements = object + 1; - object_elements_length = mode - object_elements; - mode_elements = mode + 1; - mode_elements_length = argc - mode_elements; - - error = parse_identity(subject_elements_length, - argv + subject_elements, &rule->mbr_subject); - if (error) - return (-1); - - error = parse_identity(object_elements_length, argv + object_elements, - &rule->mbr_object); - if (error) - return (-1); - - error = parse_mode(mode_elements_length, argv + mode_elements, - &rule->mbr_mode); - if (error) - return (-1); - - return (0); -} - -int -get_mib(const char *string, int *name, int *namelen) -{ - int error, len; - - len = *namelen; - error = sysctlnametomib(string, name, &len); - if (error) - return (error); - - *namelen = len; - return (0); -} - void list_rules(void) { + char errstr[BUFSIZ], charstr[BUFSIZ]; struct mac_bsdextended_rule rule; - size_t size; - int name[10]; - int error, i, len, rule_count, rule_slots; + int error, i, rule_count, rule_slots; - len = sizeof(rule_slots); - error = sysctlbyname(MIB ".rule_slots", &rule_slots, &len, NULL, NULL); - if (error) { - perror(MIB ".rule_slots"); - return; + rule_slots = bsde_get_rule_slots(BUFSIZ, errstr); + if (rule_slots == -1) { + fprintf(stderr, errstr); + exit (-1); } - if (len != sizeof(rule_slots)) { - fprintf(stderr, "rule_slots wrong size\n"); - return; - } - len = sizeof(rule_count); - error = sysctlbyname(MIB ".rule_count", &rule_count, &len, NULL, NULL); - if (error) { - perror(MIB ".rule_count"); - return; + rule_count = bsde_get_rule_count(BUFSIZ, errstr); + if (rule_count == -1) { + fprintf(stderr, errstr); + exit (-1); } - if (len != sizeof(rule_count)) { - fprintf(stderr, "rule_count wrong size\n"); - return; - } -/* - if (rule_count == 1) - printf("%d 
rule\n", rule_count); - else - printf("%d rules\n", rule_count); -*/ + printf("%d slots, %d rules\n", rule_slots, rule_count); - len = 10; - error = get_mib(MIB ".rules", name, &len); - if (error) { - perror(MIB ".rules"); - return; - } + for (i = 0; i <= rule_slots; i++) { + error = bsde_get_rule(i, &rule, BUFSIZ, errstr); + switch (error) { + case -2: + continue; + case -1: + fprintf(stderr, "rule %d: %s\n", i, errstr); + continue; + case 0: + break; + } - len++; - for (i = 0; i <= rule_slots; i++) { - name[len-1] = i; - size = sizeof(rule); - error = sysctl(name, len, &rule, &size, NULL, 0); - if (error) { - if (errno != ENOENT) - perror(MIB); - } else if (size != sizeof(rule)) - fprintf(stderr, "rule size mismatch\n"); + if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1) + printf("oops!\n"); else - print_rule(i, &rule); + printf("%d %s\n", i, charstr); } } void set_rule(int argc, char *argv[]) { + char errstr[BUFSIZ]; struct mac_bsdextended_rule rule; long value; - size_t size; - int name[10]; - int error, len, rulenum; + int error, rulenum; char *endp; if (argc < 1) @@ -503,33 +120,25 @@ rulenum = value; - error = parse_rule(argc - 1, argv + 1, &rule); - if (error) + error = bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr); + if (error) { + fprintf(stderr, "%s\n", errstr); return; + } - len = 10; - error = get_mib(MIB ".rules", name, &len); + error = bsde_set_rule(rulenum, &rule, BUFSIZ, errstr); if (error) { - perror(MIB ".rules"); + fprintf(stderr, "%s\n", errstr); return; } - - name[len] = rulenum; - len++; - - size = sizeof(rule); - error = sysctl(name, len, NULL, NULL, &rule, size); - if (error) - perror(MIB ".rules"); } void remove_rule(int argc, char *argv[]) { - struct mac_bsdextended_rule rule; + char errstr[BUFSIZ]; long value; - int name[10]; - int error, len, rulenum; + int error, rulenum; char *endp; if (argc != 1) 
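Review bot: In list_rules the two new failure paths pass the library's message as the format string, `fprintf(stderr, errstr);`, so any `%` that bsde_get_rule_slots or bsde_get_rule_count writes into errstr is treated as a conversion specifier with no matching argument, which is undefined behaviour; use `fprintf(stderr, "%s\n", errstr);` at both sites, as set_rule and remove_rule already do in this change. The `switch (error)` over bsde_get_rule's result has no `default`, so any value other than -2, -1 or 0 falls out of the switch and reaches bsde_rule_to_string with `rule` possibly never filled in; add `default: fprintf(stderr, "rule %d: unexpected error %d\n", i, error); continue;`. The `printf("oops!\n")` on a bsde_rule_to_string failure goes to stdout and names neither the slot nor the cause; `fprintf(stderr, "rule %d: cannot format rule\n", i);` would be more useful. Minor style: the same hunk changes usage's `exit (-1)` to `exit(-1)` but adds two new `exit (-1)` calls.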
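Review bot: set_rule's new error paths print errstr and then `return;` from a void function, so a failed bsde_parse_rule or bsde_set_rule still lets the command exit successfully unless main (outside this hunk) checks something else; the same applies to remove_rule in the following hunk, whereas list_rules in this change calls exit(-1) on failure. Consider `exit(1);` in place of `return;` at these sites, or have the functions return an int for main to act on, so scripted callers can detect the failure. The rulenum parsing that precedes these lines is outside the hunk.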
@@ -544,18 +153,9 @@ rulenum = value; - len = 10; - error = get_mib(MIB ".rules", name, &len); - if (error) { - perror(MIB ".rules"); - return; - } - - name[len] = rulenum; - len++; - error = sysctl(name, len, NULL, NULL, &rule, 0); + error = bsde_delete_rule(rulenum, BUFSIZ, errstr); if (error) - perror("sysctl"); + fprintf(stderr, "%s\n", errstr); } int To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message