int sb2_stat64_file(const char *path, struct stat64 *buf, int *result_errno_ptr,
int (*stat64fn_with_ver_ptr)(int ver, const char *filename, struct stat64 *buf),
int ver,
int (*stat64fn_ptr)(const char *filename, struct stat64 *buf))
{
int res;
SB_LOG(SB_LOGLEVEL_NOISE, "sb2_stat64(%s)", path);
if (stat64fn_with_ver_ptr) {
/* glibc; it doesn't have a real stat64() function */
res = (*stat64fn_with_ver_ptr)(ver, path, buf);
} else if (stat64fn_ptr) {
/* probably something else than glibc.
* hope this works (not tested...) */
res = (*stat64fn_ptr)(path, buf);
} else {
*result_errno_ptr = EINVAL;
return(-1);
}
if (res == 0) {
i_virtualize_struct_stat(__func__, NULL, buf);
} else {
*result_errno_ptr = errno;
SB_LOG(SB_LOGLEVEL_NOISE, "sb2_stat64(%s) : failed, errno=%d",
path, errno);
}
SB_LOG(SB_LOGLEVEL_NOISE, "sb2_stat64(%s) returns %d", path, res);
return(res);
}
static int if_exists_in(ruletree_fsrule_t *action,
const char *abs_clean_virtual_path)
{
const char *map_to_target;
char *test_path = NULL;
map_to_target = offset_to_ruletree_string_ptr(action->rtree_fsr_action_offs, NULL);
if (!strcmp(map_to_target, "/")) {
test_path = strdup(abs_clean_virtual_path);
} else {
if (asprintf(&test_path, "%s%s", map_to_target, abs_clean_virtual_path) < 0) {
SB_LOG(SB_LOGLEVEL_ERROR, "asprintf failed");
return(0);
}
}
if (sb_path_exists(test_path)) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"if_exists_in: True '%s' -> proceed to then_actions", test_path);
free(test_path);
return (1);
}
SB_LOG(SB_LOGLEVEL_DEBUG,
"if_exists_in: False '%s'", test_path);
free(test_path);
return(0);
}
/* compare vectors of strings and log if there are any changes.
* TO BE IMPROVED: a more clever algorithm would be nice, something
* that would log only the modified parts... now this displays
* everything if something was changed, which easily creates
* a *lot* of noise if SB_LOGLEVEL_NOISE is enabled.
*/
static void compare_and_log_strvec_changes(const char *vecname,
char *const *orig_strv, char *const *new_strv)
{
char *const *ptr2old = orig_strv;
char *const *ptr2new = new_strv;
int strv_modified = 0;
while (*ptr2old && *ptr2new) {
if (strcmp(*ptr2old, *ptr2new)) {
strv_modified = 1;
break;
}
ptr2old++, ptr2new++;
}
if (!strv_modified && (*ptr2old || *ptr2new)) {
strv_modified = 1;
}
if (strv_modified) {
SB_LOG(SB_LOGLEVEL_DEBUG, "%s[] was modified", vecname);
if (SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE)) {
int i;
for (i = 0, ptr2new = new_strv;
*ptr2new;
i++, ptr2new++) {
SB_LOG(SB_LOGLEVEL_NOISE,
"[%d]='%s'", i,
*ptr2new);
}
}
} else {
SB_LOG(SB_LOGLEVEL_NOISE,
"%s[] was not modified", vecname);
}
}
/* "patch" environment = change environment variables.
* the variable must already exist in the environment;
* this doesn't do anything if the variable has been
* removed from environment.
*
* - "var_perfix" should contain the variable name + '='
*/
static void change_environment_variable(
char **my_envp, const char *var_prefix, const char *new_value)
{
size_t idx;
if (strvec_contains_prefix(my_envp, var_prefix, &idx)) {
char *new_value_buf, *orig_value;
/* release the placeholder */
orig_value = my_envp[idx];
free(orig_value);
if (asprintf(&new_value_buf, "%s%s",
var_prefix, new_value) < 0) {
SB_LOG(SB_LOGLEVEL_ERROR,
"asprintf failed to create new value %s%s",
var_prefix, new_value);
} else {
my_envp[idx] = new_value_buf;
}
SB_LOG(SB_LOGLEVEL_DEBUG, "Changed: %s", new_value_buf);
} else {
SB_LOG(SB_LOGLEVEL_DEBUG, "Failed to change %s%s",
var_prefix, new_value);
}
}
static int if_exists_then_replace_by(
ruletree_fsrule_t *action, ruletree_fsrule_t *rule_selector,
const char *abs_clean_virtual_path, char **resultp)
{
char *test_path;
const char *replacement = NULL;
*resultp = NULL;
replacement = offset_to_ruletree_string_ptr(action->rtree_fsr_action_offs, NULL);
test_path = ruletree_execute_replace_rule(abs_clean_virtual_path,
replacement, rule_selector);
if (!test_path) return(0);
if (sb_path_exists(test_path)) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"if_exists_then_replace_by: True '%s'", test_path);
*resultp = test_path;
return(1);
}
SB_LOG(SB_LOGLEVEL_DEBUG,
"if_exists_then_replace_by: False '%s'", test_path);
free(test_path);
return(0);
}
void *sbox_find_next_symbol(int log_enabled, const char *fn_name)
{
char *msg;
void *fn_ptr;
if(log_enabled)
SB_LOG(SB_LOGLEVEL_DEBUG, "%s: %s", __func__, fn_name);
fn_ptr = dlsym(RTLD_NEXT, fn_name);
if ((msg = dlerror()) != NULL) {
fprintf(stderr, "%s: dlsym(%s): %s\n",
PACKAGE_NAME, fn_name, msg);
if(log_enabled)
SB_LOG(SB_LOGLEVEL_ERROR, "ERROR: %s: dlsym(%s): %s",
PACKAGE_NAME, fn_name, msg);
assert(0);
}
if (log_enabled && SB_LOG_IS_ACTIVE(SB_LOGLEVEL_NOISE)) {
Dl_info dli;
if (dladdr(fn_ptr, &dli)) {
SB_LOG(SB_LOGLEVEL_NOISE, "%s: %s at 0x%p, in file '%s'",
__func__, fn_name, fn_ptr, dli.dli_fname);
} else {
SB_LOG(SB_LOGLEVEL_NOISE, "%s: %s at 0x%p",
__func__, fn_name, fn_ptr);
}
}
return(fn_ptr);
}
int test_if_str_in_colon_separated_list_from_env(
const char *str, const char *env_var_name)
{
int result = 0; /* boolean; default result is "not found" */
char *list;
char *tok = NULL;
char *tok_state = NULL;
list = getenv(env_var_name);
if (!list) {
SB_LOG(SB_LOGLEVEL_DEBUG, "no %s", env_var_name);
return(0);
}
list = strdup(list); /* will be modified by strtok_r */
SB_LOG(SB_LOGLEVEL_DEBUG, "%s is '%s'", env_var_name, list);
tok = strtok_r(list, ":", &tok_state);
while (tok) {
result = !strcmp(str, tok);
if (result) break; /* return if matched */
tok = strtok_r(NULL, ":", &tok_state);
}
free(list);
return(result);
}
/* "sb.path_exists", to be called from lua code
* returns true if file or directory exists at the specified real path,
* false if not.
*/
static int lua_sb_path_exists(lua_State *l)
{
int n;
n = lua_gettop(l);
if (n != 1) {
lua_pushboolean(l, 0);
} else {
char *path = strdup(lua_tostring(l, 1));
int result = 0;
SB_LOG(SB_LOGLEVEL_DEBUG, "lua_sb_path_exists testing '%s'",
path);
if (access_nomap_nolog(path, F_OK) == 0) {
/* target exists */
lua_pushboolean(l, 1);
result=1;
} else {
lua_pushboolean(l, 0);
result=0;
}
SB_LOG(SB_LOGLEVEL_DEBUG, "lua_sb_path_exists got %d",
result);
free(path);
}
return 1;
}
static char *getcwd_common(char *buf, size_t size,
const char *realfnname, char *cwd)
{
char *sbox_path = NULL;
if (*cwd != '\0') {
sbox_path = scratchbox_reverse_path(realfnname, cwd,
SB2_INTERFACE_CLASS_GETCWD);
}
if (sbox_path) {
SB_LOG(SB_LOGLEVEL_DEBUG, "GETCWD: '%s'", sbox_path);
if(buf) {
if (strlen(sbox_path) >= size) {
/* path does not fit to the buffer */
free(sbox_path);
errno = ERANGE;
return(NULL);
}
strncpy(buf, sbox_path, size);
free(sbox_path);
} else {
/* buf==NULL: real getcwd() used malloc() to
* allocate cwd (some implementations) [or the
* behavior may be unspecified (posix definition)]
* Assume memory was allocated, because the real
* getcwd() already returned a pointer to us...
*/
free(cwd);
cwd = sbox_path;
}
}
SB_LOG(SB_LOGLEVEL_DEBUG, "GETCWD: returns '%s'", cwd);
return cwd;
}
/* This stack dump routine is based on an example from the
* book "Programming in Lua"
*
* - This uses logging level DEBUG, but the calls are usually
* enabled only at NOISE3.
*/
void dump_lua_stack(const char *msg, lua_State *L)
{
int i;
int top = lua_gettop(L);
SB_LOG(SB_LOGLEVEL_DEBUG, "Stack dump/%s (gettop=%d):", msg, top);
for (i = 1; i <= top; i++) {
int t = lua_type(L, i);
switch (t) {
case LUA_TSTRING: /* strings */
SB_LOG(SB_LOGLEVEL_DEBUG,
"%d: '%s'", i, lua_tostring(L, i));
break;
case LUA_TBOOLEAN: /* booleans */
SB_LOG(SB_LOGLEVEL_DEBUG,
"%d: %s", i,
(lua_toboolean(L, i) ? "true" : "false"));
break;
case LUA_TNUMBER: /* numbers */
SB_LOG(SB_LOGLEVEL_DEBUG,
"%d: %g", i, lua_tonumber(L, i));
break;
default:
SB_LOG(SB_LOGLEVEL_DEBUG,
"%d: %s", i, lua_typename(L, t));
break;
}
}
}
void sbox_map_path_for_sb2show(
const char *binary_name,
const char *func_name,
const char *virtual_path,
mapping_results_t *res)
{
interface_function_and_classes_t *ifp = interface_functions_and_classes__public;
uint32_t fn_class = 0;
while (ifp && ifp->fn_name) {
if (!strcmp(func_name, ifp->fn_name)) {
fn_class = ifp->fn_classmask;
SB_LOG(SB_LOGLEVEL_DEBUG,
"%s: Found func_class 0x%X (%s)",
__func__, fn_class, func_name);
break;
}
ifp++;
}
if (!fn_class) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"%s: No func_class for %s",
__func__, func_name);
}
fwd_map_path(binary_name, func_name, virtual_path,
0/*dont_resolve_final_symlink*/, 0/*exec_mode*/, fn_class, res);
}
static void compare_results_from_c_and_lua_engines(
const char *name,
const char *fn_name,
const char *c_res,
const char *lua_res)
{
if (c_res && lua_res) {
if (!strcmp(c_res, lua_res)) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"%s: ResultCheck: %s same, OK",
fn_name, name);
} else {
SB_LOG(SB_LOGLEVEL_ERROR,
"%s: ResultCheck: DIFFERENT %s: C='%s', Lua='%s'",
fn_name, name, c_res, lua_res);
}
} else if (!c_res && !lua_res) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"%s: ResultCheck: no %s result from C nor Lua",
fn_name, name);
} else {
if (!c_res) {
SB_LOG(SB_LOGLEVEL_ERROR,
"%s: ResultCheck: no %s result from C (Lua='%s')",
fn_name, name, lua_res);
}
if (!lua_res) {
SB_LOG(SB_LOGLEVEL_ERROR,
"%s: ResultCheck: no %s result from Lua (C='%s')",
fn_name, name, c_res);
}
}
}
/* - returns 1 if ok (then *min_path_lenp is valid)
* - returns 0 if failed to find the rule
* Note: this leaves the rule to the stack!
*/
int call_lua_function_sbox_get_mapping_requirements(
const path_mapping_context_t *ctx,
const struct path_entry_list *abs_virtual_source_path_list,
int *min_path_lenp,
int *call_translate_for_all_p)
{
struct sb2context *sb2ctx = ctx->pmc_sb2ctx;
int rule_found;
int min_path_len;
int flags;
char *abs_virtual_source_path_string;
abs_virtual_source_path_string = path_list_to_string(abs_virtual_source_path_list);
SB_LOG(SB_LOGLEVEL_NOISE,
"calling sbox_get_mapping_requirements for %s(%s)",
ctx->pmc_func_name, abs_virtual_source_path_string);
if (!sb2ctx->lua) sb2context_initialize_lua(sb2ctx);
SB_LOG(SB_LOGLEVEL_NOISE,
"call_lua_function_sbox_get_mapping_requirements: gettop=%d",
lua_gettop(sb2ctx->lua));
lua_getfield(sb2ctx->lua, LUA_GLOBALSINDEX,
"sbox_get_mapping_requirements");
lua_pushstring(sb2ctx->lua, ctx->pmc_binary_name);
lua_pushstring(sb2ctx->lua, ctx->pmc_func_name);
lua_pushstring(sb2ctx->lua, abs_virtual_source_path_string);
lua_pushnumber(sb2ctx->lua, ctx->pmc_fn_class);
/* 4 arguments, returns 4: (rule, rule_found_flag,
* min_path_len, flags) */
lua_call(sb2ctx->lua, 4, 4);
rule_found = lua_toboolean(sb2ctx->lua, -3);
min_path_len = lua_tointeger(sb2ctx->lua, -2);
flags = lua_tointeger(sb2ctx->lua, -1);
check_mapping_flags(flags, "sbox_get_mapping_requirements");
if (min_path_lenp) *min_path_lenp = min_path_len;
if (call_translate_for_all_p)
*call_translate_for_all_p =
(flags & SB2_MAPPING_RULE_FLAGS_CALL_TRANSLATE_FOR_ALL);
/* remove last 3 values; leave "rule" to the stack */
lua_pop(sb2ctx->lua, 3);
SB_LOG(SB_LOGLEVEL_DEBUG, "sbox_get_mapping_requirements -> %d,%d,0%o",
rule_found, min_path_len, flags);
SB_LOG(SB_LOGLEVEL_NOISE,
"call_lua_function_sbox_get_mapping_requirements:"
" at exit, gettop=%d",
lua_gettop(sb2ctx->lua));
free(abs_virtual_source_path_string);
return(rule_found);
}
static void check_pthread_library()
{
if (pthread_detection_done == 0) {
/* these are available only in libpthread: */
pthread_key_create_fnptr = dlsym(RTLD_DEFAULT,
"pthread_key_create");
pthread_getspecific_fnptr = dlsym(RTLD_DEFAULT,
"pthread_getspecific");
pthread_setspecific_fnptr = dlsym(RTLD_DEFAULT,
"pthread_setspecific");
pthread_once_fnptr = dlsym(RTLD_DEFAULT,
"pthread_once");
pthread_mutex_lock_fnptr = dlsym(RTLD_DEFAULT,
"pthread_mutex_lock");
pthread_mutex_unlock_fnptr = dlsym(RTLD_DEFAULT,
"pthread_mutex_unlock");
/* Linux/glibc: pthread_self seems to exist in both
* glibc and libpthread. */
pthread_self_fnptr = dlsym(RTLD_DEFAULT,
"pthread_self");
if (pthread_key_create_fnptr &&
pthread_getspecific_fnptr &&
pthread_setspecific_fnptr &&
pthread_once_fnptr) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"pthread library FOUND");
pthread_detection_done = 1;
pthread_library_is_available = 1;
} else if (!pthread_key_create_fnptr &&
!pthread_getspecific_fnptr &&
!pthread_setspecific_fnptr &&
!pthread_once_fnptr) {
SB_LOG(SB_LOGLEVEL_DEBUG,
"pthread library not found");
pthread_detection_done = -1;
pthread_library_is_available = 0;
} else {
SB_LOG(SB_LOGLEVEL_ERROR,
"pthread library is only partially available"
" - operation may become unstable");
pthread_detection_done = -2;
pthread_library_is_available = 0;
}
} else {
SB_LOG(SB_LOGLEVEL_NOISE,
"pthread detection already done (%d)",
pthread_detection_done);
}
}
/* Exec preprocessor:
* (previously known as "sb_execve_mod")
*/
int sb_execve_preprocess(char **file, char ***argv, char ***envp)
{
struct lua_instance *luaif = get_lua();
int res, new_argc, new_envc;
if (!luaif) return(0);
if (!argv || !envp) {
SB_LOG(SB_LOGLEVEL_ERROR,
"ERROR: sb_argvenvp: (argv || envp) == NULL");
release_lua(luaif);
return -1;
}
if (getenv("SBOX_DISABLE_ARGVENVP")) {
SB_LOG(SB_LOGLEVEL_DEBUG, "sb_argvenvp disabled(E):");
release_lua(luaif);
return 0;
}
SB_LOG(SB_LOGLEVEL_NOISE,
"sb_execve_preprocess: gettop=%d", lua_gettop(luaif->lua));
lua_getfield(luaif->lua, LUA_GLOBALSINDEX, "sbox_execve_preprocess");
lua_pushstring(luaif->lua, *file);
free(*file);
strvec_to_lua_table(luaif, *argv);
strvec_free(*argv);
strvec_to_lua_table(luaif, *envp);
strvec_free(*envp);
/* args: binaryname, argv, envp
* returns: err, file, argc, argv, envc, envp */
lua_call(luaif->lua, 3, 6);
res = lua_tointeger(luaif->lua, -6);
*file = strdup(lua_tostring(luaif->lua, -5));
new_argc = lua_tointeger(luaif->lua, -4);
new_envc = lua_tointeger(luaif->lua, -2);
lua_string_table_to_strvec(luaif, -3, argv, new_argc);
lua_string_table_to_strvec(luaif, -1, envp, new_envc);
/* remove sbox_execve_preprocess' return values from the stack. */
lua_pop(luaif->lua, 6);
SB_LOG(SB_LOGLEVEL_NOISE,
"sb_execve_preprocess: at exit, gettop=%d", lua_gettop(luaif->lua));
release_lua(luaif);
return res;
}
static void dump_environ_to_log(const char *msg)
{
char *buf = strvec_to_string(environ);
if (buf) {
SB_LOG(SB_LOGLEVEL_DEBUG, "%s: '%s'",
msg, buf);
free(buf);
} else {
SB_LOG(SB_LOGLEVEL_DEBUG,
"ENV: (failed to create string)");
}
}
/* Convert a vector of strings to a lua table, leaves that table to
* lua's stack.
*/
static void strvec_to_lua_table(struct lua_instance *luaif, char **args)
{
char **p;
int i;
lua_newtable(luaif->lua);
SB_LOG(SB_LOGLEVEL_NOISE2, "strvec_to_lua_table: ");
for (p = args, i = 1; p && *p; p++, i++) {
SB_LOG(SB_LOGLEVEL_NOISE2, "set element %d to '%s'", i, *p);
lua_pushnumber(luaif->lua, i);
lua_pushstring(luaif->lua, *p);
lua_settable(luaif->lua, -3);
}
}
/*********************************************************************
* @brief South bound plugin init
*
* @retval BVIEW_STATUS_SUCCESS if BST feature is
* initialized successfully.
* @retval BVIEW_STATUS_FAILURE if initialization is failed.
*
* @notes none
*
*
*********************************************************************/
BVIEW_STATUS sbplugin_common_init ()
{
BVIEW_STATUS rv = BVIEW_STATUS_SUCCESS;
unsigned int featureIndex = 0;
sbPlugin.numSupportedFeatures = 0;
/* Init SYSTEM feature*/
rv = sbplugin_common_system_init (&bcmSystem);
if (rv != BVIEW_STATUS_SUCCESS)
{
SB_LOG (BVIEW_LOG_ERROR,"Failed to Register plugin");
return rv;
}
sbPlugin.featureList[featureIndex] = (BVIEW_SB_FEATURE_t *)&bcmSystem;
sbPlugin.numSupportedFeatures++;
featureIndex++;
/* Init BST feature*/
rv = sbplugin_common_bst_init (&bcmBst);
if (rv != BVIEW_STATUS_SUCCESS)
{
SB_LOG (BVIEW_LOG_ERROR,"Failed to Intialize BST feature");
return rv;
}
sbPlugin.featureList[featureIndex] = (BVIEW_SB_FEATURE_t *)&bcmBst;
sbPlugin.numSupportedFeatures++;
bcmSystem.featureMask |= BVIEW_FEATURE_BST;
featureIndex++;
/* Init Packet Trace Feature*/
rv = sbplugin_common_packet_trace_init (&bcmPT);
if (rv != BVIEW_STATUS_SUCCESS)
{
SB_LOG (BVIEW_LOG_ERROR,"Failed to Intialize Packet Trace feature");
return rv;
}
sbPlugin.featureList[featureIndex] = (BVIEW_SB_FEATURE_t *)&bcmPT;
sbPlugin.numSupportedFeatures++;
bcmSystem.featureMask |= BVIEW_FEATURE_PACKET_TRACE;
/* Register plugin to the sb-redirector*/
rv = sb_plugin_register (sbPlugin);
if (rv != BVIEW_STATUS_SUCCESS)
{
SB_LOG (BVIEW_LOG_ERROR,"Failed to Register plugin");
return rv;
}
return rv;
}
/* get access to sb2 context, create the structure
* if it didn't exist; in that case, the structure is only
* cleared (most notably, the Lua system is not initialized
* by this routine!)
*
* Remember to call release_sb2context() after the
* pointer is not needed anymore.
*/
struct sb2context *get_sb2context(void)
{
struct sb2context *ptr = NULL;
if (!sb2_global_vars_initialized__) sb2_initialize_global_variables();
if (!SB_LOG_INITIALIZED()) sblog_init();
SB_LOG(SB_LOGLEVEL_NOISE, "get_sb2context()");
if (pthread_detection_done == 0) check_pthread_library();
if (pthread_library_is_available) {
if (pthread_once_fnptr)
(*pthread_once_fnptr)(&sb2context_key_once, alloc_sb2context_key);
if (pthread_getspecific_fnptr)
ptr = (*pthread_getspecific_fnptr)(sb2context_key);
if (!ptr) ptr = alloc_sb2context();
if (!ptr) {
SB_LOG(SB_LOGLEVEL_ERROR,
"Something's wrong with"
" the pthreads support");
fprintf(stderr, "FATAL: sb2 preload library:"
" Something's wrong with"
" the pthreads support.\n");
exit(1);
}
} else {
/* no pthreads, single-thread application */
ptr = my_sb2context;
if (!ptr) ptr = alloc_sb2context();
if (!ptr) {
SB_LOG(SB_LOGLEVEL_ERROR,
"Failed to get Lua instance"
" (and the pthreads support is "
" disabled!)");
fprintf(stderr, "FATAL: sb2 preload library:"
" Failed to get Lua instance"
" (and the pthreads support is disabled!)\n");
exit(1);
}
}
if (SB_LOG_IS_ACTIVE(SB_LOGLEVEL_DEBUG)) {
increment_sb2if_usage_counter(ptr);
}
return(ptr);
}
/* ruletree.add_exec_preprocessing_rule_to_ruletree(...)
*/
static int lua_sb_add_exec_preprocessing_rule_to_ruletree(lua_State *l)
{
int n = lua_gettop(l);
uint32_t rule_location = 0;
if (n == 8) {
const char *binary_name = lua_tostring(l, 1);
ruletree_object_offset_t path_prefixes_table_offs = lua_tointeger(l, 2);
ruletree_object_offset_t add_head_table_offs = lua_tointeger(l, 3);
ruletree_object_offset_t add_options_table_offs = lua_tointeger(l, 4);
ruletree_object_offset_t add_tail_table_offs = lua_tointeger(l, 5);
ruletree_object_offset_t remove_table_offs = lua_tointeger(l, 6);
const char *new_filename = lua_tostring(l, 7);
int disable_mapping = lua_tointeger(l, 8);
rule_location = add_exec_preprocessing_rule_to_ruletree(
binary_name, path_prefixes_table_offs,
add_head_table_offs, add_options_table_offs,
add_tail_table_offs, remove_table_offs,
new_filename, disable_mapping);
SB_LOG(SB_LOGLEVEL_NOISE,
"lua_sb_add_exec_preprocessing_rule_to_ruletree '%s' => %d",
binary_name, rule_location);
}
lua_pushnumber(l, rule_location);
return 1;
}
static int lua_sb_ruletree_catalog_vset(lua_State *l)
{
int n = lua_gettop(l);
int status = 0;
if (n >= 2) {
char **namev;
int i;
ruletree_object_offset_t value_offset;
namev = calloc(n, sizeof(char*));
for (i = 0; i < n-1; i++) {
namev[i] = strdup(lua_tostring(l, i+1));
}
value_offset = lua_tointeger(l, n);
status = ruletree_catalog_vset((const char**)namev, value_offset);
for (i = 0; i < n-1; i++) {
if(namev[i]) free(namev[i]);
namev[i] = NULL;
}
free(namev);
}
SB_LOG(SB_LOGLEVEL_NOISE, "%s => %d", __func__, status);
lua_pushnumber(l, status);
return 1;
}
/* "sb.add_rule_to_ruletree(...)
*/
static int lua_sb_add_rule_to_ruletree(lua_State *l)
{
int n = lua_gettop(l);
uint32_t rule_location = 0;
if (n == 12) {
const char *rule_name = lua_tostring(l, 1);
int selector_type = lua_tointeger(l, 2);
const char *selector = lua_tostring(l, 3);
int action_type = lua_tointeger(l, 4);
const char *action_str = lua_tostring(l, 5);
int condition_type = lua_tointeger(l, 6);
const char *condition_str = lua_tostring(l, 7);
ruletree_object_offset_t rule_list_link = lua_tointeger(l, 8);
int flags = lua_tointeger(l, 9);
const char *binary_name = lua_tostring(l, 10);
int func_class = lua_tointeger(l, 11);
const char *exec_policy_name = lua_tostring(l, 12);
rule_location = add_rule_to_ruletree(rule_name,
selector_type, selector,
action_type, action_str,
condition_type, condition_str,
rule_list_link,
flags, binary_name, func_class, exec_policy_name);
SB_LOG(SB_LOGLEVEL_NOISE,
"lua_sb_add_rule_to_ruletree '%s' => %d",
rule_name, rule_location);
}
lua_pushnumber(l, rule_location);
return 1;
}
/* ----- EXPORTED from interface.master: ----- */
int sb2show__execve_mods__(
char *file,
char *const *orig_argv, char *const *orig_envp,
char **new_file, char ***new_argv, char ***new_envp)
{
int ret = 0;
char *tmp, *binaryname;
if (!sb2_global_vars_initialized__) sb2_initialize_global_variables();
SB_LOG(SB_LOGLEVEL_DEBUG, "%s '%s'", __func__, orig_argv[0]);
if (!file) return(ret);
tmp = strdup(file);
binaryname = strdup(basename(tmp)); /* basename may modify *tmp */
free(tmp);
*new_envp = prepare_envp_for_do_exec(file, binaryname, orig_envp);
ret = prepare_exec("sb2show_exec", NULL/*exec_policy_name*/,
file, 0, orig_argv, orig_envp,
NULL, new_file, new_argv, new_envp);
if (!*new_file) *new_file = strdup(file);
if (!*new_argv) *new_argv = duplicate_argv(orig_argv);
if (!*new_envp) *new_envp = duplicate_argv(orig_envp);
return(ret);
}
ruletree_object_offset_t ruletree_get_rule_list_offs(
int use_fwd_rules, const char **errormsgp)
{
static ruletree_object_offset_t fwd_rule_list_offs = 0;
static ruletree_object_offset_t rev_rule_list_offs = 0;
if (!fwd_rule_list_offs || !rev_rule_list_offs) {
const char *modename = sbox_session_mode;
if (!modename)
modename = ruletree_catalog_get_string("MODES", "#default");
if (!modename) {
*errormsgp = "No default modename!";
return(0);
}
fwd_rule_list_offs = ruletree_catalog_get("fs_rules", modename);
rev_rule_list_offs = ruletree_catalog_get("rev_rules", modename);
if (!fwd_rule_list_offs) {
*errormsgp = "No rules found from ruletree!";
return(0);
}
SB_LOG(SB_LOGLEVEL_DEBUG,
"%s: rule list locations: fwd @%d, rev @%d",
__func__, fwd_rule_list_offs, rev_rule_list_offs);
}
return(use_fwd_rules ? fwd_rule_list_offs : rev_rule_list_offs);
}
static int lua_sb_ruletree_objectlist_create_list(lua_State *l)
{
int n = lua_gettop(l);
ruletree_object_offset_t list_offs = 0;
SB_LOG(SB_LOGLEVEL_NOISE,
"lua_sb_ruletree_objectlist_create_list n=%d", n);
if (n == 1) {
uint32_t list_size = lua_tointeger(l, 1);
list_offs = ruletree_objectlist_create_list(list_size);
}
SB_LOG(SB_LOGLEVEL_NOISE,
"lua_sb_ruletree_objectlist_create_list => %d", list_offs);
lua_pushnumber(l, list_offs);
return 1;
}
static int lua_sb_ruletree_new_boolean(lua_State *l)
{
int n = lua_gettop(l);
ruletree_object_offset_t ui32_offs = 0;
if (n == 1) {
uint32_t ui = lua_toboolean(l, 1);
ui32_offs = append_boolean_to_ruletree_file(ui);
SB_LOG(SB_LOGLEVEL_NOISE,
"%s(%u) => %d", __func__, ui, ui32_offs);
} else {
SB_LOG(SB_LOGLEVEL_NOISE,
"%s => %d", __func__, ui32_offs);
}
lua_pushnumber(l, ui32_offs);
return 1;
}
static void check_mapping_flags(int flags, const char *fn)
{
if (flags & (~SB2_MAPPING_RULE_ALL_FLAGS)) {
SB_LOG(SB_LOGLEVEL_WARNING,
"%s returned unknown flags (0%o)",
fn, flags & (~SB2_MAPPING_RULE_ALL_FLAGS));
}
}
static char *execute_map_to(const char *abs_clean_virtual_path,
const char *action_name, const char *prefix)
{
char *new_path = NULL;
SB_LOG(SB_LOGLEVEL_DEBUG, "%s: %s", action_name,
prefix ? prefix : "<NULL>");
if (!prefix || !*prefix || !strcmp(prefix, "/")) {
return(strdup(abs_clean_virtual_path));
}
if (asprintf(&new_path, "%s%s", prefix, abs_clean_virtual_path) < 0) {
SB_LOG(SB_LOGLEVEL_ERROR, "asprintf failed");
return(NULL);
}
return(new_path);
}
int sb2_fstat(int fd, struct stat *statbuf)
{
SB_LOG(SB_LOGLEVEL_NOISE, "sb2_fstat(%d)", fd);
if (real_fstat(fd, statbuf) < 0) return(-1);
i_virtualize_struct_stat(__func__, statbuf, NULL);
return(0);
}
/* clean up path resolution environment from lua stack */
void drop_rule_from_lua_stack(struct sb2context *sb2ctx)
{
if (!sb2ctx->lua) sb2context_initialize_lua(sb2ctx);
lua_pop(sb2ctx->lua, 1);
SB_LOG(SB_LOGLEVEL_NOISE,
"drop rule from stack: at exit, gettop=%d",
lua_gettop(sb2ctx->lua));
}
