
2 Commits

4 changed files with 87 additions and 5 deletions


@ -21,14 +21,14 @@ endif
# set up cflags and libs # set up cflags and libs
CFLAGS := -D_FILE_OFFSET_BITS=64 CFLAGS := -D_FILE_OFFSET_BITS=64 -g
LDFLAGS := LDFLAGS :=
CFLAGS += $(shell pkg-config --cflags $(PACKAGE_NAMES)) CFLAGS += $(shell pkg-config --cflags $(PACKAGE_NAMES))
LDFLAGS += $(shell pkg-config --libs $(PACKAGE_NAMES)) LDFLAGS += $(shell pkg-config --libs $(PACKAGE_NAMES))
ifeq ($(DEBUG),1) ifeq ($(DEBUG),1)
CFLAGS += -O0 -pedantic -g -Wall -Wextra -Wcast-align \ CFLAGS += -O0 -pedantic -Wall -Wextra -Wcast-align \
-Wcast-qual -Wdisabled-optimization -Wformat=2 \ -Wcast-qual -Wdisabled-optimization -Wformat=2 \
-Winit-self -Wlogical-op -Wmissing-declarations \ -Winit-self -Wlogical-op -Wmissing-declarations \
-Wmissing-include-dirs -Wredundant-decls -Wshadow \ -Wmissing-include-dirs -Wredundant-decls -Wshadow \


@ -27,6 +27,7 @@ const int column_count = 2;
const char *const schema[] = {"executable", "filename"}; const char *const schema[] = {"executable", "filename"};
const char *const types[] = {"TEXT", "TEXT"}; const char *const types[] = {"TEXT", "TEXT"};
uid_t ruid, euid, current_pid; uid_t ruid, euid, current_pid;
sqlite3_stmt *perm_check_statement = NULL;
pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER; pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
void set_db_fsuid() { void set_db_fsuid() {
@ -141,6 +142,45 @@ int ensure_database_schema() {
return 0; return 0;
} }
int prepare_sql_queries() {
const char *query_template =
"SELECT * FROM %s WHERE executable = ? AND filename = ?;";
char *query_string = NULL;
int query_len = snprintf(NULL, 0, query_template, table_name) + 1;
if (query_len < 0) {
fprintf(stderr, "Failed to prepare statement");
perror("");
return 1;
}
query_string = malloc(query_len);
if (query_string == NULL) {
fprintf(stderr, "Failed to allocate memory for the query");
perror("");
return 1;
}
int ret = snprintf(query_string, query_len, query_template, table_name);
if (ret < 0) {
fprintf(stderr, "Failed to prepare statement");
perror("");
free(query_string);
return 1;
}
if (sqlite3_prepare_v2(perm_database, query_string, -1, &perm_check_statement,
NULL) != SQLITE_OK) {
fprintf(stderr, "Failed to prepare statement: %s\n",
sqlite3_errmsg(perm_database));
free(query_string);
return 1;
}
free(query_string);
return 0;
}
void free_sql_queries(void) { sqlite3_finalize(perm_check_statement); }
/** /**
* Initializes the permanent permissions table. * Initializes the permanent permissions table.
* *
@ -169,17 +209,24 @@ int init_perm_permissions_table(const char *db_filename) {
int status = seteuid(ruid); int status = seteuid(ruid);
if (status < 0) { if (status < 0) {
fprintf(stderr, "Couldn't set euid to ruid during database setup.\n"); fprintf(stderr, "Couldn't set euid to ruid.\n");
exit(status); exit(status);
} }
if (prepare_sql_queries()) {
fprintf(stderr, "Couldn't prepare sql queries.\n");
exit(status);
}
return 0; return 0;
} }
/** /**
* Destroys the permanent permissions table. * Destroys the permanent permissions table.
*/ */
void destroy_perm_permissions_table() { sqlite3_close(perm_database); } void destroy_perm_permissions_table(void) {
free_sql_queries();
sqlite3_close(perm_database);
}
/** /**
* Checks if the process has a permanent access to the file. * Checks if the process has a permanent access to the file.
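Review bot: In `prepare_sql_queries`, the first error check cannot fire, because 1 is added to the `snprintf` result before it is tested: a failure return of -1 becomes 0, passes `if (query_len < 0)`, and the code goes on to `malloc(0)` and hands `sqlite3_prepare_v2` a buffer that was never written. Test the raw return first, e.g. `int n = snprintf(NULL, 0, query_template, table_name); if (n < 0) return 1;`, and only then set `query_len = n + 1`. In `init_perm_permissions_table`, the new failure branch calls `exit(status)` after `status` has already passed the `status < 0` check, so a failed prepare most likely ends the process with exit code 0; `exit(1)` would report the failure. `table_name` is defined outside the hunk and is formatted into the SQL text with `%s`, so it is worth confirming that it is a fixed constant and never derived from input.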


@ -12,10 +12,17 @@ else
if [[ $FAKE_ZENITY_RESPONSE == "yes_tmp" ]]; then if [[ $FAKE_ZENITY_RESPONSE == "yes_tmp" ]]; then
printf "Allow this time\n" printf "Allow this time\n"
exit 1 exit 1
elif [[ $FAKE_ZENITY_RESPONSE == "yes_tmp_alt" ]]; then
printf "Allow this time\n"
echo "yes_alt" >~/.fake_zenity_response
exit 1
elif [[ $FAKE_ZENITY_RESPONSE == "no" ]]; then elif [[ $FAKE_ZENITY_RESPONSE == "no" ]]; then
exit 1 exit 1
elif [[ $FAKE_ZENITY_RESPONSE == "yes" ]]; then elif [[ $FAKE_ZENITY_RESPONSE == "yes" ]]; then
exit 0 exit 0
elif [[ $FAKE_ZENITY_RESPONSE == "yes_alt" ]]; then
echo "yes_tmp_alt" >~/.fake_zenity_response
exit 0
fi fi
fi fi
fi fi
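Review bot: The new `yes_tmp_alt` and `yes_alt` branches rewrite `~/.fake_zenity_response` to each other's value, but nothing in the script documents that coupling, and the write is a plain redirect with no locking. If `FAKE_ZENITY_RESPONSE` is loaded from that file (the read is outside the hunk), prompts answered in parallel can read and overwrite the state in any order, so the alternation is best-effort only. A comment above the first new branch would record the intent, for example `# yes_alt and yes_tmp_alt flip each other so consecutive prompts alternate between the two answers (not atomic under parallel prompts)`. The enclosing `if` starts outside the hunk.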


@ -25,10 +25,18 @@ if [[ $1 == "--setuid" ]]; then
echo "Valgrind will not be used due to setuid compatibility issues." echo "Valgrind will not be used due to setuid compatibility issues."
../build/icfs -o default_permissions ./protected ./.pt.db & ../build/icfs -o default_permissions ./protected ./.pt.db &
sleep 1 sleep 1
elif [[ $1 == "--perf" ]]; then
echo "Profiling with perf..."
../build/icfs -o default_permissions ./protected ./.pt.db &
echo "Profiling will require root privilieges."
sleep 3
echo "Attaching to $(pgrep icfs)"
sudo perf record -g -e cycles:u --call-graph dwarf -p $(pgrep icfs) &
sleep 10
else else
echo "Database protection will not be tested due to the lack of setuid capabilites." echo "Database protection will not be tested due to the lack of setuid capabilites."
echo "To test it, run this script with '--setuid'." echo "To test it, run this script with '--setuid'."
valgrind -s ../build/icfs -o default_permissions ./protected ./.pt.db & valgrind --leak-check=full -s ../build/icfs -o default_permissions ./protected ./.pt.db &
sleep 5 sleep 5
fi fi
@ -126,9 +134,29 @@ else
echo "[ICFS-TEST]: OK" echo "[ICFS-TEST]: OK"
fi fi
if [[ $1 == "--perf" ]]; then
zenity --set-fake-response yes_tmp
rm -rf ./protected/*
zenity --set-fake-response yes_alt
bonnie++ -p 4
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null
bonnie++ -p -1
fi
# unmount # unmount
sleep 0.5 sleep 0.5
#lsof +f -- $(realpath ./protected) #lsof +f -- $(realpath ./protected)
umount $(realpath ./protected) umount $(realpath ./protected)
sleep 0.5 sleep 0.5
if [[ $1 == "--perf" ]]; then
mv ./callgraph.png ./callgraph_old.png
real_user=$USER
sudo chown "$real_user" ./perf.data
perf script --dsos=icfs | gprof2dot -f perf | dot -Tpng -o callgraph.png
echo "Profile graph was written to \"callgraph.png\""
fi
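Review bot: In the `--perf` branch, `sudo perf record ... -p $(pgrep icfs)` passes whatever `pgrep icfs` prints straight to a command run as root: the pattern is an unanchored match on process names, so it can yield nothing, several PIDs, or the PID of an unrelated process whose name contains `icfs`. Resolve the PID once with an exact match, e.g. `icfs_pid=$(pgrep -x icfs)`, check that it is a single number, and reuse `"$icfs_pid"` in both the `echo` and the `perf record` line. Because `sudo` is started in the background it cannot prompt for a password, so a foreground `sudo -v` before it would make the step reliable. After `umount`, the script runs `chown` and `perf script` on `perf.data` following only `sleep 0.5`; a `wait` on the background perf job would ensure the file is complete first.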