Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
6fd6907121
|
|||
|
1bc25af6f1
|
4
Makefile
4
Makefile
@ -21,14 +21,14 @@ endif
|
||||
|
||||
# set up cflags and libs
|
||||
|
||||
CFLAGS := -D_FILE_OFFSET_BITS=64
|
||||
CFLAGS := -D_FILE_OFFSET_BITS=64 -g
|
||||
LDFLAGS :=
|
||||
|
||||
CFLAGS += $(shell pkg-config --cflags $(PACKAGE_NAMES))
|
||||
LDFLAGS += $(shell pkg-config --libs $(PACKAGE_NAMES))
|
||||
|
||||
ifeq ($(DEBUG),1)
|
||||
CFLAGS += -O0 -pedantic -g -Wall -Wextra -Wcast-align \
|
||||
CFLAGS += -O0 -pedantic -Wall -Wextra -Wcast-align \
|
||||
-Wcast-qual -Wdisabled-optimization -Wformat=2 \
|
||||
-Winit-self -Wlogical-op -Wmissing-declarations \
|
||||
-Wmissing-include-dirs -Wredundant-decls -Wshadow \
|
||||
|
||||
@ -27,6 +27,7 @@ const int column_count = 2;
|
||||
const char *const schema[] = {"executable", "filename"};
|
||||
const char *const types[] = {"TEXT", "TEXT"};
|
||||
uid_t ruid, euid, current_pid;
|
||||
sqlite3_stmt *perm_check_statement = NULL;
|
||||
pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
|
||||
|
||||
void set_db_fsuid() {
|
||||
@ -141,6 +142,45 @@ int ensure_database_schema() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int prepare_sql_queries() {
|
||||
const char *query_template =
|
||||
"SELECT * FROM %s WHERE executable = ? AND filename = ?;";
|
||||
char *query_string = NULL;
|
||||
int query_len = snprintf(NULL, 0, query_template, table_name) + 1;
|
||||
|
||||
if (query_len < 0) {
|
||||
fprintf(stderr, "Failed to prepare statement");
|
||||
perror("");
|
||||
return 1;
|
||||
}
|
||||
|
||||
query_string = malloc(query_len);
|
||||
if (query_string == NULL) {
|
||||
fprintf(stderr, "Failed to allocate memory for the query");
|
||||
perror("");
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ret = snprintf(query_string, query_len, query_template, table_name);
|
||||
if (ret < 0) {
|
||||
fprintf(stderr, "Failed to prepare statement");
|
||||
perror("");
|
||||
free(query_string);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (sqlite3_prepare_v2(perm_database, query_string, -1, &perm_check_statement,
|
||||
NULL) != SQLITE_OK) {
|
||||
fprintf(stderr, "Failed to prepare statement: %s\n",
|
||||
sqlite3_errmsg(perm_database));
|
||||
free(query_string);
|
||||
return 1;
|
||||
}
|
||||
free(query_string);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void free_sql_queries(void) { sqlite3_finalize(perm_check_statement); }
|
||||
/**
|
||||
* Initializes the permanent permissions table.
|
||||
*
|
||||
@ -169,17 +209,24 @@ int init_perm_permissions_table(const char *db_filename) {
|
||||
|
||||
int status = seteuid(ruid);
|
||||
if (status < 0) {
|
||||
fprintf(stderr, "Couldn't set euid to ruid during database setup.\n");
|
||||
fprintf(stderr, "Couldn't set euid to ruid.\n");
|
||||
exit(status);
|
||||
}
|
||||
|
||||
if (prepare_sql_queries()) {
|
||||
fprintf(stderr, "Couldn't prepare sql queries.\n");
|
||||
exit(status);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Destroys the permanent permissions table.
|
||||
*/
|
||||
void destroy_perm_permissions_table() { sqlite3_close(perm_database); }
|
||||
void destroy_perm_permissions_table(void) {
|
||||
free_sql_queries();
|
||||
sqlite3_close(perm_database);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the process has a permanent access to the file.
|
||||
|
||||
@ -12,10 +12,17 @@ else
|
||||
if [[ $FAKE_ZENITY_RESPONSE == "yes_tmp" ]]; then
|
||||
printf "Allow this time\n"
|
||||
exit 1
|
||||
elif [[ $FAKE_ZENITY_RESPONSE == "yes_tmp_alt" ]]; then
|
||||
printf "Allow this time\n"
|
||||
echo "yes_alt" >~/.fake_zenity_response
|
||||
exit 1
|
||||
elif [[ $FAKE_ZENITY_RESPONSE == "no" ]]; then
|
||||
exit 1
|
||||
elif [[ $FAKE_ZENITY_RESPONSE == "yes" ]]; then
|
||||
exit 0
|
||||
elif [[ $FAKE_ZENITY_RESPONSE == "yes_alt" ]]; then
|
||||
echo "yes_tmp_alt" >~/.fake_zenity_response
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -25,10 +25,18 @@ if [[ $1 == "--setuid" ]]; then
|
||||
echo "Valgrind will not be used due to setuid compatibility issues."
|
||||
../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
sleep 1
|
||||
elif [[ $1 == "--perf" ]]; then
|
||||
echo "Profiling with perf..."
|
||||
../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
echo "Profiling will require root privilieges."
|
||||
sleep 3
|
||||
echo "Attaching to $(pgrep icfs)"
|
||||
sudo perf record -g -e cycles:u --call-graph dwarf -p $(pgrep icfs) &
|
||||
sleep 10
|
||||
else
|
||||
echo "Database protection will not be tested due to the lack of setuid capabilites."
|
||||
echo "To test it, run this script with '--setuid'."
|
||||
valgrind -s ../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
valgrind --leak-check=full -s ../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
sleep 5
|
||||
fi
|
||||
|
||||
@ -126,9 +134,29 @@ else
|
||||
echo "[ICFS-TEST]: OK"
|
||||
fi
|
||||
|
||||
if [[ $1 == "--perf" ]]; then
|
||||
zenity --set-fake-response yes_tmp
|
||||
rm -rf ./protected/*
|
||||
zenity --set-fake-response yes_alt
|
||||
bonnie++ -p 4
|
||||
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
|
||||
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
|
||||
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null &
|
||||
bonnie++ -d ./protected -c 4 -r 256 -y s >/dev/null
|
||||
bonnie++ -p -1
|
||||
fi
|
||||
|
||||
# unmount
|
||||
|
||||
sleep 0.5
|
||||
#lsof +f -- $(realpath ./protected)
|
||||
umount $(realpath ./protected)
|
||||
sleep 0.5
|
||||
|
||||
if [[ $1 == "--perf" ]]; then
|
||||
mv ./callgraph.png ./callgraph_old.png
|
||||
real_user=$USER
|
||||
sudo chown "$real_user" ./perf.data
|
||||
perf script --dsos=icfs | gprof2dot -f perf | dot -Tpng -o callgraph.png
|
||||
echo "Profile graph was written to \"callgraph.png\""
|
||||
fi
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user