static void skit_peg_macros_test()
{
SKIT_USE_FEATURE_EMULATION;
skit_peg_parser *parser = skit_peg_parser_mock_new(sSLICE("a"));
SKIT_PEG_PARSING_INITIAL_VARS(parser);
RULE(success);
sASSERT_EQ(match.successful, 1);
sASSERT_EQ(match.begin, 0);
sASSERT_EQ(match.end, 0);
RULE(failure);
sASSERT_EQ(match.successful, 0);
sASSERT_EQ(match.begin, 0);
sASSERT_EQ(cursor, 0);
sASSERT_EQ(new_cursor, 0);
SEQ( RULE(success), RULE(success) );
sASSERT_EQ(match.successful, 1);
SEQ( RULE(success), RULE(failure) );
sASSERT_EQ(match.successful, 0);
SEQ( RULE(failure), RULE(success) );
sASSERT_EQ(match.successful, 0);
SEQ( RULE(failure), RULE(failure) );
sASSERT_EQ(match.successful, 0);
skit_peg_parser_mock_free(parser);
printf(" skit_peg_macros_test passed.\n");
}
static ret_t
configure (cherokee_rule_not_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_config_node_t *subconf = NULL;
/* Get the configuration sub-tree
*/
ret = cherokee_config_node_get (conf, "right", &subconf);
if (ret != ret_ok)
return ret;
/* Instance the sub-rule match
*/
ret = cherokee_virtual_server_new_rule (vsrv, subconf,
RULE(rule)->priority,
&rule->right);
if (ret != ret_ok)
return ret;
if (rule->right == NULL)
return ret_error;
/* Let the child rule know about its parent
*/
rule->right->parent_rule = RULE(rule);
return ret_ok;
}
ret_t
cherokee_rule_extensions_new (cherokee_rule_extensions_t **rule)
{
CHEROKEE_NEW_STRUCT (n, rule_extensions);
/* Parent class constructor
*/
cherokee_rule_init_base (RULE(n), PLUGIN_INFO_PTR(extensions));
/* Virtual methods
*/
RULE(n)->match = (rule_func_match_t) match;
RULE(n)->configure = (rule_func_configure_t) configure;
MODULE(n)->free = (module_func_free_t) _free;
/* Properties
*/
n->check_local_file = false;
n->use_iocache = true;
cherokee_avl_init (&n->extensions);
*rule = n;
return ret_ok;
}
ret_t
cherokee_rule_geoip_new (cherokee_rule_t **rule)
{
CHEROKEE_NEW_STRUCT (n, rule_geoip);
/* Parent class constructor
*/
cherokee_rule_init_base (RULE(n), PLUGIN_INFO_PTR(geoip));
/* Virtual methods
*/
RULE(n)->match = (rule_func_match_t) match;
RULE(n)->configure = (rule_func_configure_t) configure;
MODULE(n)->free = (module_func_free_t) _free;
/* Properties
*/
n->geoip = geoip_get();
if (n->geoip == NULL)
return ret_error;
cherokee_avl_init (&n->countries);
*rule = RULE(n);
return ret_ok;
}
ret_t
cherokee_rule_header_new (cherokee_rule_header_t **rule)
{
CHEROKEE_NEW_STRUCT (n, rule_header);
/* Parent class constructor
*/
cherokee_rule_init_base (RULE(n), PLUGIN_INFO_PTR(header));
/* Virtual methods
*/
RULE(n)->match = (rule_func_match_t) match;
RULE(n)->configure = (rule_func_configure_t) configure;
MODULE(n)->free = (module_func_free_t) _free;
/* Properties
*/
n->pcre = NULL;
n->type = rule_header_type_regex;
cherokee_buffer_init (&n->match);
*rule = n;
return ret_ok;
}
static ret_t
configure (cherokee_rule_header_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_buffer_t *type = NULL;
cherokee_buffer_t *header = NULL;
cherokee_regex_table_t *regexs = VSERVER_SRV(vsrv)->regexs;
/* Read the header
*/
ret = cherokee_config_node_read (conf, "header", &header);
if (ret != ret_ok) {
LOG_ERROR (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "header");
return ret_error;
}
ret = header_str_to_type (header, &rule->header);
if (ret != ret_ok) {
return ret;
}
/* Type
*/
ret = cherokee_config_node_read (conf, "type", &type);
if (ret == ret_ok) {
ret = type_str_to_type (type, &rule->type);
if (ret != ret_ok) {
return ret;
}
}
/* Read the match
*/
ret = cherokee_config_node_copy (conf, "match", &rule->match);
if (ret != ret_ok) {
if (equal_buf_str (type, "regex")) {
LOG_ERROR (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "match");
return ret_error;
}
}
/* Compile the regular expression
*/
if (! cherokee_buffer_is_empty (&rule->match)) {
ret = cherokee_regex_table_add (regexs, rule->match.buf);
if (ret != ret_ok)
return ret;
ret = cherokee_regex_table_get (regexs, rule->match.buf, &rule->pcre);
if (ret != ret_ok)
return ret;
}
return ret_ok;
}
static ret_t
configure (cherokee_rule_fullpath_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_config_node_t *subconf;
cherokee_list_t *i;
UNUSED (vsrv);
/* Get the entry
*/
ret = cherokee_config_node_get (conf, "fullpath", &subconf);
if (ret != ret_ok) {
LOG_CRITICAL (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "fullpath");
return ret_error;
}
/* Add the paths
*/
cherokee_config_node_foreach (i, subconf) {
cherokee_config_node_t *path = CONFIG_NODE(i);
TRACE(ENTRIES, "Adding fullpath entry (key=%s): '%s'\n",
path->key.buf, path->val.buf);
cherokee_avl_add (&rule->paths, &path->val, NULL);
}
static ret_t
configure (cherokee_rule_request_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_regex_table_t *regexs = VSERVER_SRV(vsrv)->regexs;
/* Read the configuration entry
*/
ret = cherokee_config_node_copy (conf, "request", &rule->pattern);
if (ret != ret_ok) {
LOG_CRITICAL (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "request");
return ret_error;
}
/* Add it to the regular extension table
*/
ret = cherokee_regex_table_add (regexs, rule->pattern.buf);
if (ret != ret_ok)
return ret;
ret = cherokee_regex_table_get (regexs, rule->pattern.buf, &rule->pcre);
if (ret != ret_ok)
return ret;
return ret_ok;
}
static ret_t
configure_branch (cherokee_rule_and_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv,
const char *branch,
cherokee_rule_t **branch_rule)
{
ret_t ret;
cherokee_config_node_t *subconf = NULL;
/* Get the configuration sub-tree
*/
ret = cherokee_config_node_get (conf, branch, &subconf);
if (ret != ret_ok)
return ret;
/* Instance the sub-rule match
*/
ret = cherokee_virtual_server_new_rule (vsrv, subconf,
RULE(rule)->priority,
branch_rule);
if (ret != ret_ok)
return ret;
return ret_ok;
}
ret_t
cherokee_rule_not_new (cherokee_rule_t **rule)
{
CHEROKEE_NEW_STRUCT (n, rule_not);
/* Parent class constructor
*/
cherokee_rule_init_base (RULE(n), PLUGIN_INFO_PTR(not));
/* Virtual methods
*/
RULE(n)->match = (rule_func_match_t) match;
RULE(n)->configure = (rule_func_configure_t) configure;
MODULE(n)->free = (module_func_free_t) _free;
/* Properties
*/
n->right = NULL;
*rule = RULE(n);
return ret_ok;
}
ret_t
cherokee_rule_directory_new (cherokee_rule_directory_t **rule)
{
CHEROKEE_NEW_STRUCT (n, rule_directory);
/* Parent class constructor
*/
cherokee_rule_init_base (RULE(n), PLUGIN_INFO_PTR(directory));
/* Virtual methods
*/
RULE(n)->match = (rule_func_match_t) match;
RULE(n)->configure = (rule_func_configure_t) configure;
MODULE(n)->free = (module_func_free_t) _free;
/* Properties
*/
cherokee_buffer_init (&n->directory);
*rule = n;
return ret_ok;
}
static ret_t
configure (cherokee_rule_directory_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
UNUSED(vsrv);
ret = cherokee_config_node_copy (conf, "directory", &rule->directory);
if (ret != ret_ok) {
LOG_CRITICAL (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "directory");
return ret_error;
}
cherokee_fix_dirpath (&rule->directory);
return ret_ok;
}
static ret_t
configure (cherokee_rule_geoip_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_buffer_t *tmp = NULL;
UNUSED(vsrv);
ret = cherokee_config_node_read (conf, "countries", &tmp);
if (ret != ret_ok) {
LOG_CRITICAL (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "geoip");
return ret_error;
}
return parse_contry_list (tmp, &rule->countries);
}
static ret_t
configure (cherokee_rule_extensions_t *rule,
cherokee_config_node_t *conf,
cherokee_virtual_server_t *vsrv)
{
ret_t ret;
cherokee_buffer_t *tmp = NULL;
UNUSED(vsrv);
ret = cherokee_config_node_read (conf, "extensions", &tmp);
if (ret != ret_ok) {
LOG_CRITICAL (CHEROKEE_ERROR_RULE_NO_PROPERTY,
RULE(rule)->priority, "extensions");
return ret_error;
}
cherokee_config_node_read_bool (conf, "check_local_file", &rule->check_local_file);
cherokee_config_node_read_bool (conf, "iocache", &rule->use_iocache);
return parse_value (tmp, &rule->extensions);
}
static ret_t
match (cherokee_rule_directory_t *rule,
cherokee_connection_t *conn,
cherokee_config_entry_t *ret_conf)
{
UNUSED(ret_conf);
/* Not the same lenght
*/
if (conn->request.len < rule->directory.len) {
TRACE(ENTRIES, "Match directory: rule=%s req=%s: (shorter) ret_not_found\n",
rule->directory.buf, conn->request.buf);
return ret_not_found;
}
/* Does not match
*/
if (strncmp (rule->directory.buf, conn->request.buf, rule->directory.len) != 0) {
TRACE(ENTRIES, "Match directory: rule=%s req=%s: (str) ret_not_found\n",
rule->directory.buf, conn->request.buf);
return ret_not_found;
}
/* Does not match: same begining, but a longer name
*/
if ((conn->request.len > rule->directory.len) &&
(conn->request.buf[rule->directory.len] != '/'))
{
TRACE(ENTRIES, "Match directory: rule=%s req=%s: (str) ret_not_found\n",
rule->directory.buf, conn->request.buf);
return ret_not_found;
}
/* If the request is exactly the directory entry, and it
* doesn't end with a slash, it must be redirected. Eg:
*
* web_directory = "/blog"
* request = "/blog"
*
* It must be redirected to "/blog/"
*/
if ((conn->request.len > 1) &&
(cherokee_buffer_end_char (&conn->request) != '/') &&
(cherokee_buffer_cmp_buf (&conn->request, &rule->directory) == 0))
{
cherokee_buffer_add_str (&conn->request, "/");
cherokee_connection_set_redirect (conn, &conn->request);
cherokee_buffer_drop_ending (&conn->request, 1);
TRACE(ENTRIES, "Had to redirect to: %s\n", conn->redirect.buf);
conn->error_code = http_moved_permanently;
return ret_error;
}
/* Copy the web directory property
*/
if ((RULE(rule)->config.handler_new_func != NULL) ||
(RULE(rule)->config.document_root != NULL))
{
cherokee_buffer_clean (&conn->web_directory);
cherokee_buffer_add_buffer (&conn->web_directory, &rule->directory);
}
TRACE(ENTRIES, "Match! rule=%s req=%s web_directory=%s: ret_ok\n",
rule->directory.buf, conn->request.buf, conn->web_directory.buf);
return ret_ok;
}
#include <stdexcept>
#include <exception>
#include <iostream>
#include <unistd.h>
#include <utility>
#include <sys/prctl.h>
#include <sys/resource.h>
#ifndef __x86_64__
#error Unsupported platform
#endif
#define RULE(s,a) std::make_pair(SCMP_SYS(s), SCMP_ACT_##a)
auto rules =
{ RULE(read, ALLOW)
, RULE(readv, ALLOW)
, RULE(pread64, ALLOW)
, RULE(write, ALLOW)
, RULE(writev, ALLOW)
, RULE(pwrite64, ALLOW)
, RULE(access, ALLOW)
, RULE(stat, ALLOW)
, RULE(fstat, ALLOW)
, RULE(open, ALLOW)
, RULE(openat, ALLOW)
, RULE(lseek, ALLOW)
, RULE(close, ALLOW)
, RULE(exit_group, ALLOW)
, RULE(execve, ALLOW)
, RULE(brk, ALLOW)
#include "sandbox.h"
struct syscall_rule {
int syscall;
uint32_t action;
};
#define RULE(name, action) { SCMP_SYS(name), SCMP_ACT_##action }
static const struct syscall_rule syscall_rules[] = {
RULE(ptrace, ERRNO(EPERM)),
RULE(prctl, ERRNO(EPERM)),
RULE(execve, ALLOW),
RULE(clone, ALLOW),
RULE(vfork, ALLOW),
RULE(wait4, ALLOW),
RULE(dup, ALLOW),
RULE(dup2, ALLOW),
RULE(capget, ALLOW),
RULE(kill, ALLOW),
RULE(tgkill, ALLOW),
// safe
RULE(futex, ALLOW),
RULE(exit, ALLOW),
RULE(pipe, ALLOW),
RULE(pipe2, ALLOW),
RULE(brk, ALLOW),
RULE(mmap, ALLOW),
RULE(mprotect, ALLOW),
RULE(munmap, ALLOW),
RULE(mremap, ALLOW),
RULE(madvise, ALLOW),
// branch_discard_3 case 7: sASSERT_EQ( cursor_reset_pos, 1 ); break; case 8: sASSERT_EQ( cursor_reset_pos, 0 ); break; // There should be no other discards. default: sASSERT(0); } (*which_discard)++; } DEFINE_RULE(branch_discard_1) auto_consume_whitespace = 0; SEQ( RULE(token, "a"), CHOOSE( RULE(token, "x"), // which_discard == 0 RULE(token, "y"), // which_discard == 1 RULE(token, "z"), // which_discard == 2 RULE(token, "b") ), OPTIONAL(RULE(token,"q")), // which_discard == 3 RULE(token,"c"), NEG_LOOKAHEAD(RULE(token,"1")), // which_discard == 4 RULE(token,"d") ); END_RULE DEFINE_RULE(branch_discard_2) auto_consume_whitespace = 0;
