ugidfw.c revision 140343
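/*-
 * Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * This software was developed for the FreeBSD Project by NAI Labs, the
 * Security Research Division of Network Associates, Inc. under
 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
 * CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD: head/usr.sbin/ugidfw/ugidfw.c 140343 2005-01-16 10:49:48Z charnier $");

/*
 * ugidfw: command-line front end to libugidfw (bsde_*) for listing,
 * adding, replacing and removing mac_bsdextended rules.  Every library
 * call reports failure through a caller-supplied BUFSIZ error string,
 * which this program prints verbatim.
 */

#include <sys/param.h>
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/sysctl.h>

#include <security/mac_bsdextended/mac_bsdextended.h>

#include <err.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ugidfw.h>

void add_rule(int argc, char *argv[]);
void list_rules(void);
void remove_rule(int argc, char *argv[]);
void set_rule(int argc, char *argv[]);
void usage(void);

static int parse_rulenum(const char *s);

/*
 * Print the command synopsis to stderr and exit with status 1.
 * Called for any command line that cannot be interpreted; never returns.
 */
void
usage(void)
{

	fprintf(stderr, "usage: ugidfw add [subject [not] [uid uid] [gid gid]]"
	    " [object [not] [uid uid] \\\n");
	fprintf(stderr, " [gid gid]] mode arswxn\n");
	fprintf(stderr, " ugidfw list\n");
	fprintf(stderr, " ugidfw set rulenum [subject [not] [uid uid] [gid gid]]"
	    " [object [not] \\\n");
	fprintf(stderr, " [uid uid] [gid gid]] mode arswxn\n");
	fprintf(stderr, " ugidfw remove rulenum\n");

	exit(1);
}

/*
 * Convert a rule-number argument to an int.
 *
 * Rule numbers are slot indices, so only a string consisting solely of
 * decimal digits (optionally signed) whose value is non-negative and
 * fits in an int is accepted.  An empty string, trailing garbage, or a
 * value outside that range is a usage error and does not return.
 */
static int
parse_rulenum(const char *s)
{
	char *endp;
	long value;

	errno = 0;
	value = strtol(s, &endp, 10);
	/*
	 * endp == s means no digits were consumed: strtol("") quietly
	 * yields 0, which would otherwise be accepted as rule 0.  ERANGE
	 * catches values strtol had to clamp, which the int-range test
	 * below cannot see on platforms where long is as wide as int.
	 */
	if (endp == s || *endp != '\0' || errno == ERANGE)
		usage();
	if (value < 0 || value > INT_MAX)
		usage();

	return ((int)value);
}

/*
 * Parse the rule described by argv[0..argc-1] and install it in the
 * first free slot, printing the slot number on success.
 *
 * Any parse or install failure prints the library's error string and
 * exits with status 1, so that a caller chaining commands in a script
 * does not continue as if the rule had been installed.
 */
void
add_rule(int argc, char *argv[])
{
	char errstr[BUFSIZ];
	struct mac_bsdextended_rule rule;
	int error, rulenum;

	error = bsde_parse_rule(argc, argv, &rule, BUFSIZ, errstr);
	if (error)
		errx(1, "%s", errstr);

	error = bsde_add_rule(&rulenum, &rule, BUFSIZ, errstr);
	if (error)
		errx(1, "%s", errstr);
	printf("Added rule %d\n", rulenum);
}

/*
 * Print the slot and rule counts, then every occupied slot as
 * "<slot> <rule text>".  Empty slots (bsde_get_rule == -2) are skipped
 * silently; a slot that cannot be read or rendered is reported and
 * skipped.  Failure to query the counts is fatal.
 */
void
list_rules(void)
{
	char errstr[BUFSIZ], charstr[BUFSIZ];
	struct mac_bsdextended_rule rule;
	int error, i, rule_count, rule_slots;

	rule_slots = bsde_get_rule_slots(BUFSIZ, errstr);
	if (rule_slots == -1) {
		warnx("unable to get rule slots; mac_bsdextended.ko "
		    "may not be loaded");
		errx(1, "bsde_get_rule_slots: %s", errstr);
	}

	rule_count = bsde_get_rule_count(BUFSIZ, errstr);
	if (rule_count == -1)
		errx(1, "bsde_get_rule_count: %s", errstr);

	printf("%d slots, %d rules\n", rule_slots, rule_count);

	/* Slots are numbered 0..rule_slots-1; slot rule_slots does not exist. */
	for (i = 0; i < rule_slots; i++) {
		error = bsde_get_rule(i, &rule, BUFSIZ, errstr);
		switch (error) {
		case -2:
			/* Empty slot. */
			continue;
		case -1:
			warnx("rule %d: %s", i, errstr);
			continue;
		case 0:
			break;
		default:
			/* Not a value the library is documented to return. */
			warnx("rule %d: unexpected error %d", i, error);
			continue;
		}

		if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
			warnx("unable to translate rule %d to string", i);
		else
			printf("%d %s\n", i, charstr);
	}
}

/*
 * Replace the rule in slot argv[0] with the rule described by the
 * remaining arguments.  Usage errors exit via usage(); parse or install
 * failures print the library's error string and exit with status 1.
 */
void
set_rule(int argc, char *argv[])
{
	char errstr[BUFSIZ];
	struct mac_bsdextended_rule rule;
	int error, rulenum;

	if (argc < 1)
		usage();

	rulenum = parse_rulenum(argv[0]);

	error = bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr);
	if (error)
		errx(1, "%s", errstr);

	error = bsde_set_rule(rulenum, &rule, BUFSIZ, errstr);
	if (error)
		errx(1, "%s", errstr);
}

/*
 * Delete the rule in slot argv[0].  Exactly one argument is required;
 * a failed delete prints the library's error string and exits with
 * status 1.
 */
void
remove_rule(int argc, char *argv[])
{
	char errstr[BUFSIZ];
	int error, rulenum;

	if (argc != 1)
		usage();

	rulenum = parse_rulenum(argv[0]);

	error = bsde_delete_rule(rulenum, BUFSIZ, errstr);
	if (error)
		errx(1, "%s", errstr);
}

/*
 * Dispatch on the subcommand in argv[1]; the remaining arguments are
 * handed to the subcommand handler.  "list" takes no further arguments.
 */
int
main(int argc, char *argv[])
{

	if (argc < 2)
		usage();

	if (strcmp("add", argv[1]) == 0) {
		add_rule(argc - 2, argv + 2);
	} else if (strcmp("list", argv[1]) == 0) {
		if (argc != 2)
			usage();
		list_rules();
	} else if (strcmp("set", argv[1]) == 0) {
		set_rule(argc - 2, argv + 2);
	} else if (strcmp("remove", argv[1]) == 0) {
		remove_rule(argc - 2, argv + 2);
	} else
		usage();

	return (0);
}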