Compare commits
11 Commits
setuid
...
c4ef955ff1
| Author | SHA1 | Date | |
|---|---|---|---|
c4ef955ff1
|
|||
|
3157940c0b
|
|||
|
92378c1cde
|
|||
|
13fd0db8a8
|
||
|
|
55fb5c54c6
|
||
|
|
402a5d109f
|
||
|
|
beec6f4a4c | ||
|
|
16b8d77fb9 | ||
|
|
aea6e94ad7 | ||
|
|
52fcb4d4e3 | ||
| badbf2ff98 |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -4,3 +4,5 @@ build/*
|
||||
test/protected/*
|
||||
test/.pt.db
|
||||
compile_commands.json
|
||||
test/perf*
|
||||
test/callgraph*
|
||||
|
||||
6
src/access_t.h
Normal file
6
src/access_t.h
Normal file
@@ -0,0 +1,6 @@
|
||||
#ifndef ACCESS_T_H
|
||||
#define ACCESS_T_H
|
||||
|
||||
typedef enum { DENY, ALLOW, ALLOW_TEMP, NDEF } access_t;
|
||||
|
||||
#endif // !ACCESS_T_H
|
||||
@@ -11,6 +11,7 @@
|
||||
See the file LICENSE.
|
||||
*/
|
||||
|
||||
#include <stddef.h>
|
||||
#define FUSE_USE_VERSION 31
|
||||
|
||||
#define _GNU_SOURCE
|
||||
@@ -39,23 +40,58 @@
|
||||
#include "sourcefs.h"
|
||||
#include "ui-socket.h"
|
||||
|
||||
// TODO: move this to other file
|
||||
const char *get_process_name_by_pid(const int pid) {
|
||||
char *name = (char *)calloc(1024, sizeof(char));
|
||||
if (name) {
|
||||
sprintf(name, "/proc/%d/cmdline", pid);
|
||||
FILE *f = fopen(name, "r");
|
||||
if (f) {
|
||||
size_t size;
|
||||
size = fread(name, sizeof(char), 1024, f);
|
||||
if (size > 0) {
|
||||
if ('\n' == name[size - 1])
|
||||
name[size - 1] = '\0';
|
||||
char path[1024];
|
||||
sprintf(path, "/proc/%d/exe", pid);
|
||||
|
||||
char *name = realpath(path, NULL);
|
||||
if (name == NULL) {
|
||||
fprintf(stderr, "Could not get process name by pid %d", pid);
|
||||
perror("");
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
/*
|
||||
size_t namelen = 32;
|
||||
ssize_t readret = 0;
|
||||
char *name = NULL;
|
||||
while (namelen >= (size_t)readret && readret > 0) {
|
||||
namelen *= 2;
|
||||
name = calloc(namelen, sizeof(char));
|
||||
if (name == NULL) {
|
||||
free(path);
|
||||
fprintf(stderr, "Could not get get process name by pid %d", pid);
|
||||
perror("");
|
||||
return NULL;
|
||||
}
|
||||
readret = readlink(path, name, namelen);
|
||||
if (readret < 0) {
|
||||
free(name);
|
||||
free(path);
|
||||
fprintf(stderr, "Couldn't get process name by pid %d", pid);
|
||||
perror("");
|
||||
return NULL;
|
||||
}
|
||||
if (namelen >= (size_t)readret) {
|
||||
free(name);
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
return name;
|
||||
|
||||
/*
|
||||
FILE *file = fopen(path, "r");
|
||||
if (file) {
|
||||
size_t size = 0;
|
||||
size = fread(path, sizeof(char), 1024, file);
|
||||
if (size > 0) {
|
||||
if ('\n' == path[size - 1]) {
|
||||
path[size - 1] = '\0';
|
||||
}
|
||||
}
|
||||
fclose(file);
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
||||
// TODO: move this somewhere else
|
||||
@@ -70,8 +106,8 @@ static void *xmp_init(struct fuse_conn_info *conn, struct fuse_config *cfg) {
|
||||
To make parallel_direct_writes valid, need either set cfg->direct_io
|
||||
in current function (recommended in high level API) or set fi->direct_io
|
||||
in xmp_create() or xmp_open(). */
|
||||
// cfg->direct_io = 1;
|
||||
// cfg->parallel_direct_writes = 1;
|
||||
cfg->direct_io = 1;
|
||||
cfg->parallel_direct_writes = 1;
|
||||
|
||||
/* Pick up changes from lower filesystem right away. This is
|
||||
also necessary for better hardlink support. When the kernel
|
||||
@@ -83,18 +119,19 @@ static void *xmp_init(struct fuse_conn_info *conn, struct fuse_config *cfg) {
|
||||
cfg->entry_timeout = 0;
|
||||
cfg->attr_timeout = 0;
|
||||
cfg->negative_timeout = 0;
|
||||
fprintf(stderr, "%d\n", getpid());
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int xmp_getattr(const char *path, struct stat *stbuf,
|
||||
struct fuse_file_info *fi) {
|
||||
struct fuse_file_info *file_info) {
|
||||
int res;
|
||||
|
||||
(void)path;
|
||||
|
||||
if (fi)
|
||||
res = fstat(fi->fh, stbuf);
|
||||
if (file_info)
|
||||
res = fstat(file_info->fh, stbuf);
|
||||
else
|
||||
res = source_stat(path, stbuf);
|
||||
if (res == -1) {
|
||||
@@ -106,38 +143,39 @@ static int xmp_getattr(const char *path, struct stat *stbuf,
|
||||
}
|
||||
|
||||
static int xmp_access(const char *path, int mask) {
|
||||
int res;
|
||||
int res = -1;
|
||||
|
||||
// if mask is F_OK, then we don't need to check the permissions
|
||||
// (is that possible?)
|
||||
|
||||
if (mask != F_OK) {
|
||||
struct process_info pi;
|
||||
struct fuse_context *fc = fuse_get_context();
|
||||
struct process_info proc_info;
|
||||
struct fuse_context *context = fuse_get_context();
|
||||
|
||||
pi.PID = fc->pid;
|
||||
pi.name = get_process_name_by_pid(pi.PID);
|
||||
proc_info.PID = context->pid;
|
||||
proc_info.name = get_process_name_by_pid(proc_info.PID);
|
||||
|
||||
// fprintf(stderr, "%s, %d\n", path, ask_access(path, pi));
|
||||
|
||||
if (!interactive_access(real_filename(path), pi, 0)) {
|
||||
free(pi.name);
|
||||
if (!interactive_access(real_filename(path), proc_info, 0)) {
|
||||
free((void *)proc_info.name);
|
||||
return -EACCES;
|
||||
}
|
||||
|
||||
free(pi.name);
|
||||
free((void *)proc_info.name);
|
||||
}
|
||||
|
||||
res = source_access(path, mask);
|
||||
|
||||
if (res == -1)
|
||||
if (res == -1) {
|
||||
return -errno;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int xmp_readlink(const char *path, char *buf, size_t size) {
|
||||
int res;
|
||||
int res = -1;
|
||||
|
||||
res = readlink(path, buf, size - 1);
|
||||
if (res == -1)
|
||||
@@ -264,17 +302,18 @@ static int xmp_mknod(const char *path, mode_t mode, dev_t rdev) {
|
||||
*/
|
||||
|
||||
static int xmp_mkdir(const char *path, mode_t mode) {
|
||||
int res;
|
||||
int res = -1;
|
||||
|
||||
res = source_mkdir(path, mode);
|
||||
if (res == -1)
|
||||
if (res == -1) {
|
||||
return -errno;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int xmp_unlink(const char *path) {
|
||||
int res;
|
||||
int res = -1;
|
||||
struct process_info pi;
|
||||
struct fuse_context *fc = fuse_get_context();
|
||||
|
||||
|
||||
23
src/main.c
23
src/main.c
@@ -10,16 +10,15 @@
|
||||
See the file LICENSE.
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
#define FUSE_USE_VERSION 31
|
||||
|
||||
#define _GNU_SOURCE
|
||||
|
||||
#include <fuse3/fuse.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "fuse_operations.h"
|
||||
#include "sourcefs.h"
|
||||
@@ -28,15 +27,25 @@
|
||||
const char *mountpoint = NULL;
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
if (argc < 3) {
|
||||
fprintf(stderr, "Usage: icfs <FUSE arguments> [target directory] [path to "
|
||||
"the permanent permissions database\n");
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
// if umask != 0, the filesystem will create files with more restrictive
|
||||
// permissions than it's caller reqested
|
||||
umask(0);
|
||||
|
||||
int ret = init_ui_socket();
|
||||
// ui socket should always be initialized before anything else, since it
|
||||
// handles the setuid bits!
|
||||
int ret = init_ui_socket(argv[argc - 1]);
|
||||
if (ret != 0) {
|
||||
fprintf(stderr, "Could not initalize ui-socket.\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
mountpoint = realpath(argv[argc - 1], NULL);
|
||||
mountpoint = realpath(argv[argc - 2], NULL);
|
||||
|
||||
ret = source_init(mountpoint);
|
||||
if (ret != 0) {
|
||||
@@ -44,9 +53,9 @@ int main(int argc, char *argv[]) {
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
ret = fuse_main(argc, argv, get_fuse_operations(), NULL);
|
||||
ret = fuse_main(argc - 1, argv, get_fuse_operations(), NULL);
|
||||
|
||||
free(mountpoint);
|
||||
free((void *)mountpoint);
|
||||
destroy_ui_socket();
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
*/
|
||||
|
||||
#include "perm_permissions_table.h"
|
||||
#include "access_t.h"
|
||||
#include "process_info.h"
|
||||
#include <fcntl.h>
|
||||
#include <pthread.h>
|
||||
@@ -23,9 +24,9 @@
|
||||
sqlite3 *perm_database = NULL;
|
||||
const char *const table_name = "permissions";
|
||||
// one row corresponds to a permission to access one file for one executable
|
||||
const int column_count = 2;
|
||||
const char *const schema[] = {"executable", "filename"};
|
||||
const char *const types[] = {"TEXT", "TEXT"};
|
||||
const int column_count = 3;
|
||||
const char *const schema[] = {"executable", "filename", "mode"};
|
||||
const char *const types[] = {"TEXT", "TEXT", "INTEGER"};
|
||||
uid_t ruid, euid, current_pid;
|
||||
pthread_mutex_t uid_switch = PTHREAD_MUTEX_INITIALIZER;
|
||||
|
||||
@@ -69,9 +70,10 @@ static int check_table_col_schema(void *notused, int argc, char **argv,
|
||||
}
|
||||
int column_num = atoi(argv[0]);
|
||||
if (column_num >= column_count) {
|
||||
fprintf(stderr, "Table contains more columns than expected.\n");
|
||||
fprintf(stderr, "Table contains unexpected amount of columns.\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (strcmp(schema[column_num], argv[1]) == 0 &&
|
||||
strcmp(types[column_num], argv[2]) == 0) {
|
||||
return 0;
|
||||
@@ -90,8 +92,9 @@ static int set_flag(void *flag, int argc, char **argv, char **colname) {
|
||||
|
||||
int create_database_schema() {
|
||||
fprintf(stderr, "Creating table 'permissions'.\n");
|
||||
const char *create_query = "CREATE TABLE permissions(executable TEXT NOT "
|
||||
"NULL, filename TEXT NOT NULL);";
|
||||
const char *create_query =
|
||||
"CREATE TABLE permissions(executable TEXT NOT "
|
||||
"NULL, filename TEXT NOT NULL, mode INTEGER NOT NULL);";
|
||||
char *err = NULL;
|
||||
int ret = sqlite3_exec(perm_database, create_query, NULL, NULL, &err);
|
||||
|
||||
@@ -154,8 +157,11 @@ int init_perm_permissions_table(const char *db_filename) {
|
||||
euid = geteuid();
|
||||
fprintf(stderr, "Running with uid: %d, gid: %d\n", euid, getegid());
|
||||
|
||||
if (sqlite3_open(db_filename, &perm_database)) {
|
||||
perror("Can't open permanent permissions database:");
|
||||
if (sqlite3_open_v2(db_filename, &perm_database,
|
||||
SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE |
|
||||
SQLITE_OPEN_FULLMUTEX,
|
||||
NULL)) {
|
||||
perror("Can't open permanent permissions database");
|
||||
return -1;
|
||||
}
|
||||
umask(0);
|
||||
@@ -183,37 +189,41 @@ void destroy_perm_permissions_table() { sqlite3_close(perm_database); }
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @pram pi: The process information
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
* @return: access status - ALLOW, DENY or NDEF in case if no information was
|
||||
* found
|
||||
*/
|
||||
int check_perm_access(const char *filename, struct process_info pi) {
|
||||
size_t query_len =
|
||||
56 + strlen(table_name) + strlen(filename) + strlen(pi.name);
|
||||
const char *query = malloc(query_len);
|
||||
size_t should_be_written = snprintf(
|
||||
query, query_len,
|
||||
"SELECT * FROM %s WHERE executable = \'%s\' AND filename = \'%s\';",
|
||||
access_t check_perm_access(const char *filename, struct process_info pi) {
|
||||
|
||||
char *query = NULL;
|
||||
int ret = asprintf(&query,
|
||||
"SELECT * FROM %s WHERE executable = \'%s\' "
|
||||
"AND filename = \'%s\' AND mode = TRUE;",
|
||||
table_name, pi.name, filename);
|
||||
// -1 for the \0
|
||||
if (should_be_written != query_len - 1) {
|
||||
fprintf(stderr,
|
||||
"Unexpected query size while permanent access rule check: "
|
||||
"Expected %lu, but snprintf returned %lu. The query: %s\n",
|
||||
query_len, should_be_written, query);
|
||||
return 0;
|
||||
|
||||
if (ret < 0) {
|
||||
// If asprintf fails, the contents of query are undefined (see man
|
||||
// asprintf). That does not explicitly rule out that query will be a valid
|
||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||
// justify preparing for this.
|
||||
fprintf(stderr, "Could not create query on access check");
|
||||
perror("");
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
char *sqlite_error = NULL;
|
||||
int flag = 0;
|
||||
int ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
|
||||
ret = sqlite3_exec(perm_database, query, set_flag, &flag, &sqlite_error);
|
||||
free((void *)query);
|
||||
if (ret != SQLITE_OK) {
|
||||
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
|
||||
sqlite3_free(sqlite_error);
|
||||
free(query);
|
||||
return 0;
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
free(query);
|
||||
return flag;
|
||||
if (flag) {
|
||||
return ALLOW;
|
||||
}
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -224,23 +234,23 @@ int check_perm_access(const char *filename, struct process_info pi) {
|
||||
* @return: 0 on success, 1 on failure
|
||||
*/
|
||||
int give_perm_access(const char *filename, struct process_info pi) {
|
||||
size_t query_len =
|
||||
30 + strlen(table_name) + strlen(filename) + strlen(pi.name);
|
||||
const char *query = malloc(query_len);
|
||||
size_t should_be_written =
|
||||
snprintf(query, query_len, "INSERT INTO %s VALUES (\'%s\', \'%s\');",
|
||||
char *query = NULL;
|
||||
int ret = asprintf(&query, "INSERT INTO %s VALUES (\'%s\', \'%s\', TRUE);",
|
||||
table_name, pi.name, filename);
|
||||
// -1 for the \0
|
||||
if (should_be_written != query_len - 1) {
|
||||
fprintf(stderr,
|
||||
"Unexpected query size while permanent access rule insertion: "
|
||||
"Expected %lu, but snprintf returned %lu\n",
|
||||
query_len, should_be_written);
|
||||
|
||||
if (ret < 0) {
|
||||
// If asprintf fails, the contents of query are undefined (see man
|
||||
// asprintf). That does not explicitly rule out that query will be a valid
|
||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||
// justify preparing for this.
|
||||
fprintf(stderr, "Could not create query on rule insertion");
|
||||
perror("");
|
||||
return 1;
|
||||
}
|
||||
|
||||
char *sqlite_error = NULL;
|
||||
int ret = sqlite3_exec(perm_database, query, NULL, NULL, &sqlite_error);
|
||||
ret = sqlite3_exec(perm_database, query, NULL, NULL, &sqlite_error);
|
||||
free(query);
|
||||
if (ret != SQLITE_OK) {
|
||||
fprintf(stderr, "SQLite returned an error: %s\n", sqlite_error);
|
||||
sqlite3_free(sqlite_error);
|
||||
@@ -248,6 +258,5 @@ int give_perm_access(const char *filename, struct process_info pi) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
free(query);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -9,6 +9,7 @@
|
||||
#ifndef PERM_PERMISSION_TABLE_H
|
||||
#define PERM_PERMISSION_TABLE_H
|
||||
|
||||
#include "access_t.h"
|
||||
#include "process_info.h"
|
||||
|
||||
/**
|
||||
@@ -29,9 +30,10 @@ void destroy_perm_permissions_table();
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @pram pi: The process information
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
* @return: access status - ALLOW, DENY or NDEF in case if no information was
|
||||
* found
|
||||
*/
|
||||
int check_perm_access(const char *filename, struct process_info pi);
|
||||
access_t check_perm_access(const char *filename, struct process_info pi);
|
||||
|
||||
/**
|
||||
* Gives permanent access to the process to the file.
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
*/
|
||||
|
||||
#include "temp_permissions_table.h"
|
||||
#include "access_t.h"
|
||||
#include "cc.h"
|
||||
#include "process_info.h"
|
||||
#include <pthread.h>
|
||||
@@ -18,6 +19,7 @@ struct temp_process_permissions {
|
||||
// proc_pid_stat(5))
|
||||
unsigned long long creation_time;
|
||||
vec(char *) allowed_files;
|
||||
vec(char *) denied_files;
|
||||
};
|
||||
|
||||
map(pid_t, struct temp_process_permissions) temp_permissions_table;
|
||||
@@ -33,8 +35,8 @@ pthread_mutex_t temp_permissions_table_lock;
|
||||
* never really equal to 0, it exceptionally unlikely.
|
||||
*/
|
||||
unsigned long long get_process_creation_time(pid_t pid) {
|
||||
char path[32];
|
||||
FILE *fp;
|
||||
char path[256];
|
||||
FILE *fp = NULL;
|
||||
unsigned long long creation_time = 0;
|
||||
|
||||
// Construct the path to the process's status file
|
||||
@@ -72,22 +74,30 @@ unsigned long long get_process_creation_time(pid_t pid) {
|
||||
*
|
||||
* @return: 0 on success, -1 on failure (e.g. ENOMEM)
|
||||
*/
|
||||
int init_temp_permissions_table() {
|
||||
int init_temp_permissions_table(void) {
|
||||
pthread_mutex_init(&temp_permissions_table_lock, PTHREAD_MUTEX_DEFAULT);
|
||||
init(&temp_permissions_table);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Destroys the temporary permissions table.
|
||||
*
|
||||
* @note: the table is guranteed to be destroyed if it is already initialized
|
||||
* @note: the table is guranteed to be destroyed if it is already initialized.
|
||||
* It does not indicate any errors whatsoever. If something goes wrong - you are
|
||||
* screwed.
|
||||
*/
|
||||
void destroy_temp_permissions_table() {
|
||||
void destroy_temp_permissions_table(void) {
|
||||
// free the memory allocated for the table
|
||||
for_each(&temp_permissions_table, entry) {
|
||||
for_each(&entry->allowed_files, allowed_file) { free(*allowed_file); }
|
||||
cleanup(&entry->allowed_files);
|
||||
}
|
||||
for_each(&temp_permissions_table, entry) {
|
||||
for_each(&entry->denied_files, denied_file) { free(*denied_file); }
|
||||
cleanup(&entry->denied_files);
|
||||
}
|
||||
|
||||
cleanup(&temp_permissions_table);
|
||||
pthread_mutex_destroy(&temp_permissions_table_lock);
|
||||
}
|
||||
@@ -97,10 +107,10 @@ void destroy_temp_permissions_table() {
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @pram pid: PID of the process
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
* @return: access status - ALLOW, DENY or NDEF in case if no information was
|
||||
* found is avaliable
|
||||
*/
|
||||
|
||||
int check_temp_access_noparent(const char *filename, pid_t pid) {
|
||||
access_t check_temp_access_noparent(const char *filename, pid_t pid) {
|
||||
// TODO: more efficient locking
|
||||
pthread_mutex_lock(&temp_permissions_table_lock);
|
||||
struct temp_process_permissions *permission_entry =
|
||||
@@ -110,22 +120,28 @@ int check_temp_access_noparent(const char *filename, pid_t pid) {
|
||||
if (process_creation_time == 0) {
|
||||
perror("Could not retrieve process creation time");
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return 0;
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
if (process_creation_time == permission_entry->creation_time) {
|
||||
// the process is the same as the one that was granted temporary access
|
||||
// to the file
|
||||
for_each(&permission_entry->denied_files, denied_file) {
|
||||
if (strncmp(*denied_file, filename, strlen(filename)) == 0) {
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return DENY;
|
||||
}
|
||||
}
|
||||
for_each(&permission_entry->allowed_files, allowed_file) {
|
||||
if (strncmp(*allowed_file, filename, strlen(filename)) == 0) {
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return 1;
|
||||
return ALLOW;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return 0;
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -164,31 +180,36 @@ pid_t get_parent_pid(pid_t pid) {
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @pram pi: The process information
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
* @return: access status - ALLOW, DENY or NDEF in case if no information was
|
||||
* found. Does not return ALLOW_TEMP.
|
||||
* @note: In case one of the parent processes is killed while this function
|
||||
* execution the result is not guranteed to be correct. It should only lead to
|
||||
* false negatives, though.
|
||||
*/
|
||||
int check_temp_access(const char *filename, struct process_info pi) {
|
||||
access_t check_temp_access(const char *filename, struct process_info pi) {
|
||||
pid_t current_pid = pi.PID;
|
||||
while (current_pid != 0) {
|
||||
if (check_temp_access_noparent(filename, current_pid)) {
|
||||
return 1;
|
||||
access_t access = check_temp_access_noparent(filename, current_pid);
|
||||
if (access != NDEF) {
|
||||
return access;
|
||||
}
|
||||
current_pid = get_parent_pid(current_pid);
|
||||
}
|
||||
|
||||
return 0;
|
||||
return NDEF;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gives temporary access to the process to the file.
|
||||
* Sets temporary access mode of the process to the file.
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @param pi: The process information
|
||||
* @return: 0 on success, -1 on failure (e.g. ENOMEM)
|
||||
* @param mode: Kind of access rule to be set - SET_DENY to deny access, and
|
||||
* SET_ALLOW to allow access.
|
||||
* @return: 0 on success, -1 on failure.
|
||||
*/
|
||||
int give_temp_access(const char *filename, struct process_info pi) {
|
||||
int set_temp_access(const char *filename, struct process_info pi,
|
||||
set_mode_t mode) {
|
||||
pthread_mutex_lock(&temp_permissions_table_lock);
|
||||
struct temp_process_permissions *permission_entry =
|
||||
get(&temp_permissions_table, pi.PID);
|
||||
@@ -206,7 +227,13 @@ int give_temp_access(const char *filename, struct process_info pi) {
|
||||
if (process_creation_time == permission_entry->creation_time) {
|
||||
// the process is the same as the one that was granted temporary access
|
||||
// to the file
|
||||
if (mode == SET_ALLOW) {
|
||||
push(&permission_entry->allowed_files, strdup(filename));
|
||||
}
|
||||
if (mode == SET_DENY) {
|
||||
push(&permission_entry->denied_files, strdup(filename));
|
||||
}
|
||||
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return 0;
|
||||
}
|
||||
@@ -222,10 +249,15 @@ int give_temp_access(const char *filename, struct process_info pi) {
|
||||
|
||||
new_permission_entry.creation_time = get_process_creation_time(pi.PID);
|
||||
init(&new_permission_entry.allowed_files);
|
||||
init(&new_permission_entry.denied_files);
|
||||
if (mode == SET_ALLOW) {
|
||||
push(&new_permission_entry.allowed_files, strdup(filename));
|
||||
}
|
||||
if (mode == SET_DENY) {
|
||||
push(&new_permission_entry.denied_files, strdup(filename));
|
||||
}
|
||||
|
||||
insert(&temp_permissions_table, pi.PID, new_permission_entry);
|
||||
printf("temp_permissions_table size: %ld\n", size(&temp_permissions_table));
|
||||
|
||||
pthread_mutex_unlock(&temp_permissions_table_lock);
|
||||
return 0;
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
#ifndef TEMP_PERMISSIONS_TABLE_H
|
||||
#define TEMP_PERMISSIONS_TABLE_H
|
||||
|
||||
#include "access_t.h"
|
||||
#include "process_info.h"
|
||||
|
||||
/**
|
||||
@@ -9,31 +10,43 @@
|
||||
*
|
||||
* @return: 0 on success, -1 on failure (e.g. ENOMEM)
|
||||
*/
|
||||
int init_temp_permissions_table();
|
||||
int init_temp_permissions_table(void);
|
||||
|
||||
/**
|
||||
* Destroys the temporary permissions table.
|
||||
*
|
||||
* @note: the table is guranteed to be destroyed if it is already initialized
|
||||
* @note: the table is guranteed to be destroyed if it is already initialized.
|
||||
* It does not indicate any errors whatsoever. If something goes wrong - you are
|
||||
* screwed.
|
||||
*/
|
||||
void destroy_temp_permissions_table();
|
||||
void destroy_temp_permissions_table(void);
|
||||
|
||||
/**
|
||||
* Checks if the process has a temporary access to the file.
|
||||
* Checks if the process or any of it's parents have temporary access to the
|
||||
* file.
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @pram pi: The process information
|
||||
* @return: access status - ALLOW, DENY or NDEF in case if no information was
|
||||
* found. Does not return ALLOW_TEMP.
|
||||
* @note: In case one of the parent processes is killed while this function
|
||||
* execution the result is not guranteed to be correct. It should only lead to
|
||||
* false negatives, though.
|
||||
*/
|
||||
access_t check_temp_access(const char *filename, struct process_info pi);
|
||||
|
||||
typedef enum { SET_DENY, SET_ALLOW } set_mode_t;
|
||||
|
||||
/**
|
||||
* Sets temporary access mode of the process to the file.
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @param pi: The process information
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
* @param mode: Kind of access rule to be set - SET_DENY to deny access, and
|
||||
* SET_ALLOW to allow access.
|
||||
* @return: 0 on success, -1 on failure.
|
||||
*/
|
||||
int check_temp_access(const char *filename, struct process_info pi);
|
||||
|
||||
/**
|
||||
* Gives temporary access to the process to the file.
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @param pi: The process information
|
||||
* @return: 0 on success, -1 on failure (e.g. ENOMEM)
|
||||
*/
|
||||
int give_temp_access(const char *filename, struct process_info pi);
|
||||
int set_temp_access(const char *filename, struct process_info pi,
|
||||
set_mode_t mode);
|
||||
|
||||
#endif // !TEMP_PERMISSIONS_TABLE_H
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
See the file LICENSE.
|
||||
*/
|
||||
|
||||
#include "access_t.h"
|
||||
#include <stddef.h>
|
||||
#include <sys/types.h>
|
||||
#include <time.h>
|
||||
@@ -13,7 +14,6 @@
|
||||
#include "perm_permissions_table.h"
|
||||
#include "temp_permissions_table.h"
|
||||
#include "ui-socket.h"
|
||||
#include <errno.h>
|
||||
#include <pthread.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -22,17 +22,17 @@
|
||||
#include <sys/un.h>
|
||||
#include <unistd.h>
|
||||
|
||||
int init_ui_socket() {
|
||||
char line[256];
|
||||
FILE *fp;
|
||||
#define ZENITY_TEMP_ALLOW_MESSAGE "Allow this time\n"
|
||||
|
||||
int init_ui_socket(const char *perm_permissions_db_filename) {
|
||||
FILE *fp = NULL;
|
||||
|
||||
if (init_temp_permissions_table()) {
|
||||
fprintf(stderr, "Could not initialize temporary permissions table.\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (init_perm_permissions_table(
|
||||
"/home/fedir/Developement/uni/ICFS/test/.pt.db")) {
|
||||
if (init_perm_permissions_table(perm_permissions_db_filename)) {
|
||||
fprintf(stderr, "Could not initialize permanent permissions table.\n");
|
||||
return 1;
|
||||
}
|
||||
@@ -44,13 +44,11 @@ int init_ui_socket() {
|
||||
return 1;
|
||||
}
|
||||
|
||||
while (fgets(line, sizeof(line), fp))
|
||||
printf("%s", line);
|
||||
pclose(fp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
void destroy_ui_socket() {
|
||||
void destroy_ui_socket(void) {
|
||||
destroy_temp_permissions_table();
|
||||
destroy_perm_permissions_table();
|
||||
}
|
||||
@@ -61,19 +59,28 @@ void destroy_ui_socket() {
|
||||
*
|
||||
* @param filename: The file that the process is trying to access
|
||||
* @param pi: The process information
|
||||
* @return: 0 if access is denied, 1 if access is allowed, 2 if access is
|
||||
* @return: access status - ALLOW, DENY or ALLOW_TEMP
|
||||
* allowed for the runtime of the process
|
||||
*/
|
||||
int ask_access(const char *filename, struct process_info pi) {
|
||||
FILE *fp;
|
||||
size_t command_len =
|
||||
139 + sizeof(pid_t) * 8 + strlen(pi.name) + strlen(filename);
|
||||
char *command = (char *)malloc(command_len);
|
||||
snprintf(command, command_len,
|
||||
access_t ask_access(const char *filename, struct process_info proc_info) {
|
||||
FILE *fp = NULL;
|
||||
char *command = NULL;
|
||||
int ret =
|
||||
asprintf(&command,
|
||||
"zenity --question --extra-button \"Allow this time\" --title "
|
||||
"\"Allow Access?\" --text \"Allow process "
|
||||
"<tt>%s</tt> with PID <tt>%d</tt> to access <tt>%s</tt>\"",
|
||||
pi.name, pi.PID, filename);
|
||||
proc_info.name, proc_info.PID, filename);
|
||||
|
||||
if (ret < 0) {
|
||||
// If asprintf fails, the contents of command are undefined (see man
|
||||
// asprintf). That does not explicitly rule out that command will be a valid
|
||||
// pointer. But the risk of freeing a non-allocated pointer is too much to
|
||||
// justify preparing for this.
|
||||
fprintf(stderr, "Could not create query on rule insertion");
|
||||
perror("");
|
||||
return 1;
|
||||
}
|
||||
|
||||
// Zenity Question Message Popup
|
||||
fp = popen(command, "r");
|
||||
@@ -81,18 +88,18 @@ int ask_access(const char *filename, struct process_info pi) {
|
||||
|
||||
if (fp == NULL) {
|
||||
perror("Pipe returned a error");
|
||||
return -1;
|
||||
return DENY;
|
||||
}
|
||||
|
||||
// if the user clicks the "Allow this time" button, `zenity` will only
|
||||
// write it to `stdout`, but the exit code will still be `1`. So, we need
|
||||
// to manually check the output.
|
||||
char buffer[1024];
|
||||
char buffer[sizeof(ZENITY_TEMP_ALLOW_MESSAGE) + 1];
|
||||
while (fgets(buffer, sizeof(buffer), fp)) {
|
||||
printf("%s", buffer);
|
||||
if (strcmp(buffer, "Allow this time\n") == 0) {
|
||||
if (strcmp(buffer, ZENITY_TEMP_ALLOW_MESSAGE) == 0) {
|
||||
pclose(fp);
|
||||
return 2;
|
||||
return ALLOW_TEMP;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -100,10 +107,10 @@ int ask_access(const char *filename, struct process_info pi) {
|
||||
fprintf(stderr, "zenity returned %d\n", zenity_exit_code);
|
||||
// zenity returns 1 on "No" >:(
|
||||
if (zenity_exit_code == 0) {
|
||||
return 1;
|
||||
return ALLOW;
|
||||
}
|
||||
|
||||
return 0;
|
||||
return DENY;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -117,36 +124,53 @@ int ask_access(const char *filename, struct process_info pi) {
|
||||
* @param opts: options (GRANT_TEMP, GRANT_PERM)
|
||||
* @return: 0 if access is denied, 1 if access is allowed
|
||||
*/
|
||||
int interactive_access(const char *filename, struct process_info pi, int opts) {
|
||||
int interactive_access(const char *filename, struct process_info proc_info,
|
||||
int opts) {
|
||||
|
||||
if (check_temp_access(filename, pi) || check_perm_access(filename, pi)) {
|
||||
// access was already granted before
|
||||
access_t access = check_temp_access(filename, proc_info);
|
||||
if (access == ALLOW) {
|
||||
return 1;
|
||||
}
|
||||
if (access == DENY) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
access = check_perm_access(filename, proc_info);
|
||||
if (access == ALLOW) {
|
||||
return 1;
|
||||
}
|
||||
if (access == DENY) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// if noth GRANT_TEMP and GRANT_PERM are selected, then only permanent
|
||||
// permissions are granted
|
||||
|
||||
if (opts & GRANT_PERM) {
|
||||
give_perm_access(filename, pi);
|
||||
give_perm_access(filename, proc_info);
|
||||
return 1;
|
||||
}
|
||||
if (opts & GRANT_TEMP) {
|
||||
give_temp_access(filename, pi);
|
||||
set_temp_access(filename, proc_info, SET_ALLOW);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int user_response = ask_access(filename, pi);
|
||||
if (user_response == 1) {
|
||||
// user said "yes"
|
||||
give_perm_access(filename, pi);
|
||||
return 1;
|
||||
} else if (user_response == 2) {
|
||||
// user said "yes, but only this time"
|
||||
give_temp_access(filename, pi);
|
||||
access_t user_response = ask_access(filename, proc_info);
|
||||
if (user_response == ALLOW) {
|
||||
give_perm_access(filename, proc_info);
|
||||
return 1;
|
||||
}
|
||||
|
||||
// otherwise "no"
|
||||
if (user_response == ALLOW_TEMP) {
|
||||
set_temp_access(filename, proc_info, SET_ALLOW);
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (user_response == DENY) {
|
||||
set_temp_access(filename, proc_info, SET_DENY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
// deny on unknown options.
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@
|
||||
*
|
||||
* @return: 0 on success, -1 on faliure.
|
||||
*/
|
||||
int init_ui_socket(void);
|
||||
int init_ui_socket(const char *perm_permissions_db_filename);
|
||||
|
||||
/**
|
||||
* Close the GUI communication.
|
||||
|
||||
@@ -23,12 +23,12 @@ if [[ $1 == "--setuid" ]]; then
|
||||
sudo chown icfs: ../build/icfs && sudo chmod 4777 ../build/icfs
|
||||
chmod g+w . # needed for icfs to be able to create the database
|
||||
echo "Valgrind will not be used due to setuid compatibility issues."
|
||||
../build/icfs -o default_permissions ./protected &
|
||||
../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
sleep 1
|
||||
else
|
||||
echo "Database protection will not be tested due to the lack of setuid capabilites."
|
||||
echo "To test it, run this script with '--setuid'."
|
||||
valgrind -s ../build/icfs -o default_permissions ./protected &
|
||||
valgrind -s ../build/icfs -o default_permissions ./protected ./.pt.db &
|
||||
sleep 5
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user