Implement /dev/sydbox/{un,}ban_exec

src/children.c

@@ -44,6 +44,7 @@ void tchild_new(GSList **children, pid_t pid, pid_t ppid) {
     child->sandbox->on = 1;
     child->sandbox->lock = LOCK_UNSET;
     child->sandbox->net = 1;
+    child->sandbox->exec_banned = 0;
     child->sandbox->write_prefixes = NULL;
     child->sandbox->predict_prefixes = NULL;
 
@@ -62,6 +63,7 @@ void tchild_new(GSList **children, pid_t pid, pid_t ppid) {
             child->sandbox->on = parent->sandbox->on;
             child->sandbox->lock = parent->sandbox->lock;
             child->sandbox->net = parent->sandbox->net;
+            child->sandbox->exec_banned = parent->sandbox->exec_banned;
             // Copy path lists
             walk = parent->sandbox->write_prefixes;
             while (NULL != walk) {

src/children.h

@@ -44,6 +44,7 @@ struct tdata
    int on;                             /* whether sydbox is on for the child */
    int lock;                           /* whether magic commands are locked for the child */
    int net;                            /* whether child is allowed to access network */
+   int exec_banned;                    /* whether execve() calls are banned for child */
    GSList *write_prefixes;
    GSList *predict_prefixes;
 };

src/path.c

@@ -102,6 +102,16 @@ inline bool path_magic_rmpredict(const char *path) {
     return (0 == strncmp(path, CMD_RMPREDICT, CMD_RMPREDICT_LEN)) ? true : false;
 }
 
+inline bool path_magic_ban_exec(const char *path)
+{
+    return (0 == strncmp(path, CMD_BAN_EXEC, CMD_BAN_EXEC_LEN)) ? true : false;
+}
+
+inline bool path_magic_unban_exec(const char *path)
+{
+    return (0 == strncmp(path, CMD_UNBAN_EXEC, CMD_UNBAN_EXEC_LEN)) ? true : false;
+}
+
 int pathnode_new(GSList **pathlist, const char *path, int sanitize) {
     char *data;
 

src/path.h

@@ -1,12 +1,25 @@
-/* vim: set sw=4 sts=4 fdm=syntax et : */
-
-/**
- * Copyright 2009 Saleem Abdulrasool <compnerd@compnerd.org>
- * Copyright 2009 Ali Polatel <polatel@gmail.com>
- **/
-
-#ifndef __PATH_H__
-#define __PATH_H__
+/* vim: set sw=4 sts=4 et foldmethod=syntax : */
+
+/*
+ * Copyright (c) 2009 Saleem Abdulrasool <compnerd@compnerd.org>
+ * Copyright (c) 2009 Ali Polatel <polatel@gmail.com>
+ *
+ * This file is part of the sydbox sandbox tool. sydbox is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU General
+ * Public License version 2, as published by the Free Software Foundation.
+ *
+ * sydbox is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifndef SYDBOX_GUARD_PATH_H
+#define SYDBOX_GUARD_PATH_H 1
 
 #include <stdbool.h>
 
@@ -34,6 +47,10 @@
 #define CMD_RMWRITE_LEN         (CMD_PATH_LEN + 8)
 #define CMD_RMPREDICT           CMD_PATH"unpredict/"
 #define CMD_RMPREDICT_LEN       (CMD_PATH_LEN + 10)
+#define CMD_BAN_EXEC            CMD_PATH"ban_exec"
+#define CMD_BAN_EXEC_LEN        (CMD_PATH_LEN + 9)
+#define CMD_UNBAN_EXEC          CMD_PATH"unban_exec"
+#define CMD_UNBAN_EXEC_LEN      (CMD_PATH_LEN + 11)
 
 bool
 path_magic_dir (const char *path);
@@ -68,6 +85,12 @@ path_magic_rmwrite (const char *path);
 bool
 path_magic_rmpredict (const char *path);
 
+bool
+path_magic_ban_exec (const char *path);
+
+bool
+path_magic_unban_exec (const char *path);
+
 int
 pathnode_new (GSList **pathlist, const char *path, int sanitize);
 
@@ -86,5 +109,5 @@ pathlist_init (GSList **pathlist, const char *pathlist_env);
 int
 pathlist_check (GSList *pathlist, const char *path_sanitized);
 
-#endif
+#endif // SYDBOX_GUARD_PATH_H
 

src/syscall.c

@@ -72,6 +72,7 @@
 #define MAGIC_OPEN              (1 << 24) // Check if the open() call is magic
 #define MAGIC_STAT              (1 << 25) // Check if the stat() call is magic
 #define NET_CALL                (1 << 26) // Allowing the system call depends on the net flag
+#define EXEC_CALL               (1 << 27) // Allowing the system call depends on the exec_banned flag
 
 // System call dispatch table
 static const struct syscall_def {
@@ -126,6 +127,7 @@ static const struct syscall_def {
 #elif defined(__NR_socket)
     {__NR_socket,       NET_CALL},
 #endif
+    {__NR_execve,       EXEC_CALL},
     {-1,                -1},
 };
 
@@ -436,6 +438,16 @@ static void systemcall_magic_open(struct tchild *child, struct checkdata *data)
         g_info ("approved rmpredict(\"%s\") for child %i", rpath_sanitized, child->pid);
         g_free (rpath_sanitized);
     }
+    else if (G_UNLIKELY(path_magic_ban_exec(path))) {
+        data->result = RS_MAGIC;
+        child->sandbox->exec_banned = 1;
+        g_info("exec() calls are now banned for child %i", child->pid);
+    }
+    else if (G_UNLIKELY(path_magic_unban_exec(path))) {
+        data->result = RS_MAGIC;
+        child->sandbox->exec_banned = 0;
+        g_info("exec() calls are now unbanned for child %i", child->pid);
+    }
 
     if (G_UNLIKELY(RS_MAGIC == data->result)) {
         g_debug("changing path to /dev/null");
@@ -872,6 +884,11 @@ static void systemcall_check(SystemCall *self, gpointer ctx_ptr,
         data->result = RS_DENY;
         child->retval = -EACCES;
     }
+    if (self->flags & EXEC_CALL && child->sandbox->exec_banned) {
+        sydbox_access_violation(child->pid, "execve()");
+        data->result = RS_DENY;
+        child->retval = -EACCES;
+    }
 }
 
 static void systemcall_end_check(SystemCall *self, gpointer ctx_ptr G_GNUC_UNUSED,