Compare commits
2 Commits
e4dbc5becc
...
90d94c7615
| Author | SHA1 | Date | |
|---|---|---|---|
90d94c7615
|
|||
|
a1ba96bf67
|
@ -207,42 +207,29 @@ void destroy_perm_permissions_table(void) { sqlite3_close(perm_database); }
|
||||
*/
|
||||
access_t check_perm_access_noparent(const char *filename,
|
||||
struct process_info pi) {
|
||||
access_t ret = NDEF;
|
||||
sqlite3_stmt *stmt = NULL;
|
||||
const char *sql = "SELECT mode FROM permissions WHERE executable = ?1 "
|
||||
"AND (( ?2 LIKE CONCAT(filename, \'%\') AND filename "
|
||||
"GLOB \'*/\') OR filename = ?2 );";
|
||||
sqlite3_prepare_v2(perm_database, sql, -1, &stmt, NULL);
|
||||
sqlite3_bind_text(stmt, 1, pi.name, -1, SQLITE_STATIC);
|
||||
sqlite3_bind_text(stmt, 2, filename, -1, SQLITE_STATIC);
|
||||
|
||||
char *query = NULL;
|
||||
int ret = asprintf(&query,
|
||||
"SELECT * FROM %s WHERE executable = \'%s\' "
|
||||
"AND ((\'%s\' LIKE CONCAT(filename, \'%%\') AND filename "
|
||||
"GLOB \'*/\') OR filename = \'%s\');",
|
||||
table_name, pi.name, filename, filename);
|
||||
fprintf(stderr, "query: %s\n", query);
|
||||
int step_ret = sqlite3_step(stmt);
|
||||
if (step_ret == SQLITE_ROW) {
|
||||
int mode_col = sqlite3_column_int(stmt, 0);
|
||||
if (mode_col) {
|
||||
ret = ALLOW;
|
||||
} else {
|
||||
ret = DENY;
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "SQLite error: %s\n", sqlite3_errstr(step_ret));
|
||||
}
|
||||
sqlite3_finalize(stmt);
|
||||
|
||||
if (ret < 0) {
|
||||
// If asprintf fails, the contents of query are undefined (see man
|
||||
// asprintf). That does not explicitly rule out that query will be a valid
|
||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||
// justify preparing for this.
|
||||
fprintf(stderr, "Could not create query on access check");
|
||||
perror("");
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
char *sqlite_error = NULL;
|
||||
int flag = 0;
|
||||
ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
|
||||
free((void *)query);
|
||||
if (ret != SQLITE_OK) {
|
||||
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
|
||||
sqlite3_free(sqlite_error);
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
if (flag == 1) {
|
||||
return ALLOW;
|
||||
}
|
||||
if (flag == -1) {
|
||||
return DENY;
|
||||
}
|
||||
return NDEF;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -310,7 +297,7 @@ int set_perm_access(const char *filename, struct process_info pi,
|
||||
// asprintf). That does not explicitly rule out that query will be a valid
|
||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||
// justify preparing for this.
|
||||
fprintf(stderr, "Could not create query on rule insertion");
|
||||
fprintf(stderr, "Could not create query on rule insertion\n");
|
||||
perror("");
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -46,7 +46,7 @@ if [[ $1 == "--setuid" ]]; then
|
||||
else
|
||||
echo "Database protection will not be tested due to the lack of setuid capabilites."
|
||||
echo "To test it, run this script with '--setuid'."
|
||||
#valgrind --leak-check=full -s ../build/icfs -o default_permissions -o debug ./protected ./.pt.db 2>&1 | grep "==\|zenity\|Permission\|column\|callback" &
|
||||
#valgrind --leak-check=full -s ../build/icfs -o default_permissions -o debug ./protected ./.pt.db 2>&1 | grep "==\|zenity\|Permission\|column\|callback\|SQLite" &
|
||||
valgrind --leak-check=full --show-leak-kinds=all -s ../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
sleep 5
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user