1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177
|
void yyerror(const char *s);
//Pre: error message as string
//Post: prints the error message returned by yacc
FILE *open_acl_file(const char *filename);
//Pre: filename as string
//Post: existence of file is checked, file is opened for read access
// and returned as a file struct
void get_user_passwd(struct gr_pw_entry *entry, int mode);
//Pre: gr_pw_entry struct (can be empty) and a valid mode (0 or 1)
//Post: the gr_pw_entry struct is filled with values depending on the
// mode chosen. It can be GR_PWONLY or GR_PWANDSUM. In the latter
// case, the password is entered twice for verification, a random
// salt is chosen, and the SHA1 sum is computed.
// This mode is only used for password generation, and is written
// to /etc/grsec/pw. In the other mode, the password is simply
// written to the structure, and is then sent on to the kernel
// for any kernel operations (except init mode) that are initiated
void transmit_to_kernel(void *buf, unsigned long len);
//Pre: pointer to a region of memory, length of memory to send to kernel
//Post: writes len bytes of data from pointer buf to the kernel.
// an error is generated if bytes written != len or if
// /proc/sys/kernel/grsecurity/acl
void generate_salt(struct gr_pw_entry *entry);
//Pre: gr_pw_entry structure (possibly empty)
//Post: GR_SALT_SIZE bytes are read from /dev/random and stored
// in the salt member of gr_pw_entry
void write_user_passwd(struct gr_pw_entry *entry);
//Pre: gr_pw_entry with SHA1 sum and salt filled out
//Post: salt and sum are written to /etc/grsec/pw
void parse_acls(void);
//Pre: none
//Post: initiates parsing of the main acl config, and handles parsing of
// all included acl configs
void analyze_acls(void);
//Pre: none
//Post: checks for common mistakes in acl files. We do this before
// sending the data off to the kernel with transmit_to_kernel()
// currently checks to see if a default acl is not present
void generate_hash(struct gr_pw_entry *entry);
//Pre: gr_pw_entry with password and salt filled out
//Post: salt is prepended to the password, hashed with SHA1 and stored
// in the sum member of gr_pw_entry
void init_variables(void);
//Pre: none
//Post: initializes line number, cap_raise_tmp, cap_drop_tmp,
// and main linked lists
void parse_args(int argc, char *argv[]);
//Pre: array of argument pointers and number of args
//Post: handles options passed to gradm.
__u32 cap_conv(const char *cap);
//Pre: capability name as string
//Post: returns value of capability as determined by capability.h
__u32 file_mode_conv(const char *mode);
//Pre: string (possibly null) of mode characters for file acls
//Post: returns the or'd value of all the modes on success
// prints error message and quits on failure
// fails when character in mode string is not a valid file acl mode
__u32 proc_subject_mode_conv(const char *mode);
//Pre: string (possibly null) of mode characters for proc acl subjects
//Post: returns the or'd value of all the modes on success
// prints error message and quits on failure
// fails when character in mode string is not valid proc acl subject mode
__u32 proc_object_mode_conv(const char *mode);
//Pre: string (possibly null) of mode characters for proc acl objects
//Post: returns the or'd value of all the modes on success
// prints error message and quits on failure
// fails when character in mode string is not valid proc acl object mode
int add_proc_subject_acl(struct acl_tmps **acl_tmp, char *filename, __u32 mode);
//Pre: filename as string, mode as string, type as integer, struct acl_tmps
//Post: adds a new process acl to the current linked list of process acls
// this function is called after all the other functions related
// to adding data to proc acls, namely the two functions below
// after creation of process acl, cap_raise_tmp and cap_drop_tmp
// are zeroed, and gr_file_tmp is set to NULL (so a new linked list is
// created next time) linked list works in such a way that ->next
// points to the previously entered acl
// type determines whether the current acl has the subject checked
// if its on the filesystem. we change the type for the admin
// acl, since it does not belong to a single file.
int add_proc_object_acl(struct file_acl **filp, char *filename,
__u32 mode, int type);
//Pre: filename as string, mode as string, linked list of files
//Post: adds a process acl object to the temporary linked list
// of process acl objects, to be inserted when the process acl
// subject is found. type specifies whether or not the object being
// added was created during learning mode
void add_cap_acl(struct acl_tmps **tmp_acl, const char *cap);
//Pre: capability (including the + or -) as string
//Post: or's the current value of cap_raise and cap_drop for the current
// process acl with that derived from capability.h through
// converting the capability argument to its integer equivalent.
void add_admin_acl(void);
//Pre: none
//Post: adds the acl for admin mode: full inherited capabilities, full
// overriding file access, kill and view access
void add_gradm_acl(void);
//Pre: none
//Post: adds the acl for gradm: very restrictive
void change_current_acl_file(const char *filename);
//Pre: filename as string
//Post: frees current_acl_file and mallocs a new one with size strlen(filename)
struct gr_arg *conv_user_to_kernel(struct gr_pw_entry *entry);
//Pre: filled out gr_pw_entry struct, used to copy passwd to gr_arg
//Post: allocates memory roughly the size of all the process subjects and
// objects, and fills in the gr_arg structure
void add_include(const char *filename);
//Pre: filename to add to include list
//Post: adds filename to include list, to be parsed later
int parent_dir(const char *filename, char *parent_dirent[]);
//Pre: filename to check for /'s, parent_dir to store parent directory in
// parent_dir must contain a copy of filename before being called
//Post: returns 1 if a parent directory was stored, 0 if not. parent_dir
// holds the parent directory
void rem_proc_object_acl(struct proc_acl *proc, struct file_acl *filp);
//Pre: proc acl to operate on, proc object to remove
//Post: removes filp from proc acl proc
void expand_acls(void);
//Pre: process acl to operate on
//Post: handles override and inheritance for the passed proc acl
int test_perm(const char *obj, const char *subj);
void add_res_acl(struct acl_tmps **acl_tmp, const char *name,
const char *soft, const char *hard);
void pass_struct_to_human(FILE * stream, struct acl_tmps *def_acl);
void syslog_lookup_log(char **learnlog);
int is_valid_elf_binary(const char *filename);
void handle_learn_logs(const char *logfile, FILE * stream);
void modify_caps(struct proc_acl **proc, int cap);
void modify_res(struct proc_acl **proc, int res, unsigned long cur,
unsigned long max);
void add_ip_acl(struct ip_acl **ip_acl, __u8 mode, struct ip_acl *tmp);
void add_ip_ip_acl(struct ip_acl *ip_acl, char *ip,
char *netmask, char *low, char *high);
void parse_learn_log(const char *filename);
void add_learn_ip_info(unsigned short subj_dev, ino_t subj_ino,
__u32 ip, __u16 port, __u16 sock, __u16 proto,
__u16 mode);
void add_learn_file_info(unsigned short subj_dev, ino_t subj_ino,
unsigned long res_cur, unsigned long res_max,
char **obj_name, __u32 mode);
void read_saltandpass(char *salt, char *pass);
void add_kernel_acl(void);
|