X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~mdw/git/yaid/blobdiff_plain/bf4d97617c92530ab67923aaba802333ee258352..900dc48be4fad8e8f3ebcb8f28b57980fc1a405b:/policy.c diff --git a/policy.c b/policy.c index 80e2bfd..9cb9af9 100644 --- a/policy.c +++ b/policy.c @@ -28,18 +28,17 @@ #include "yaid.h" -/*----- Main code ---------------------------------------------------------*/ +/*----- Memory management -------------------------------------------------*/ -/* syntax: addrpat portpat addrpar portpat policy - * - * local address/port first, then remote - * addrpat ::= addr [/ len] - * portpat ::= num | num - num | * - * policy ::= user policy* | token | name | deny | hide | +/* Initialize a policy structure. In this state, it doesn't actually have + * any resources allocated (so can be simply discarded) but it's safe to free + * (using `free_policy'). */ - void init_policy(struct policy *p) { p->act.act = A_LIMIT; } +/* Free an action structure, resetting it to a safe state. This function is + * idempotent. + */ static void free_action(struct action *a) { switch (a->act) { @@ -50,9 +49,14 @@ static void free_action(struct action *a) a->act = A_LIMIT; } +/* Free a policy structure, resetting it to its freshly-initialized state. + * This function is idempotent. + */ void free_policy(struct policy *p) { free_action(&p->act); } +/*----- Diagnostics -------------------------------------------------------*/ + static void print_addrpat(const struct addrops *ao, const struct addrpat *ap) { char buf[ADDRLEN]; @@ -76,6 +80,12 @@ static void print_portpat(const struct portpat *pp) static void print_sockpat(const struct addrops *ao, const struct sockpat *sp) { print_addrpat(ao, &sp->addr); putchar(' '); print_portpat(&sp->port); } +static void print_userpat(const struct userpat *up) +{ + if (up->lo == up->hi) printf("%d", up->lo); + else printf("%u-%u", up->lo, up->hi); +} + static const char *const acttab[] = { #define DEFACT(tag, name) name, ACTIONS(DEFACT) @@ -100,16 +110,22 @@ static void print_action(const struct action *act) } } +/* Print a policy rule to standard output. */ void print_policy(const struct policy *p) { print_sockpat(p->ao, &p->sp[L]); putchar(' '); print_sockpat(p->ao, &p->sp[R]); putchar(' '); + print_userpat(&p->up); putchar(' '); print_action(&p->act); putchar('\n'); } +/*----- Matching ----------------------------------------------------------*/ + +/* Return true if the port matches the pattern. */ static int match_portpat(const struct portpat *pp, unsigned port) { return (pp->lo <= port && port <= pp->hi); } +/* Return true if the socket matches the pattern. */ static int match_sockpat(const struct addrops *ao, const struct sockpat *sp, const struct socket *s) { @@ -117,13 +133,22 @@ static int match_sockpat(const struct addrops *ao, match_portpat(&sp->port, s->port)); } +/* Return true if the uid matches the pattern. */ +static int match_userpat(const struct userpat *up, uid_t u) + { unsigned uu = u; return (up->lo <= uu && uu <= up->hi); } + +/* Return true if the query matches the patterns in the policy rule. */ int match_policy(const struct policy *p, const struct query *q) { return ((!p->ao || p->ao == q->ao) && match_sockpat(q->ao, &p->sp[L], &q->s[L]) && - match_sockpat(q->ao, &p->sp[R], &q->s[R])); + match_sockpat(q->ao, &p->sp[R], &q->s[R]) && + match_userpat(&p->up, q->u.uid)); } +/*----- Parsing -----------------------------------------------------------*/ + +/* Advance FP to the next line. */ static void nextline(FILE *fp) { for (;;) { @@ -132,33 +157,54 @@ static void nextline(FILE *fp) } } +/* Scan a whitespace-separated token from FP, writing it to BUF. The token + * must fit in a buffer of size SZ, including a terminating null. Return + * an appropriate T_* error code. + */ static int scan(FILE *fp, char *buf, size_t sz) { int ch; skip_ws: + /* Before we start grabbing a token proper, find out what's in store. */ ch = getc(fp); switch (ch) { + case '\n': newline: + /* Found a newline. Leave it where it is and report it. */ ungetc(ch, fp); return (T_EOL); + case EOF: eof: + /* Found end-of-file, or an I/O error. Return an appropriate code. */ return (ferror(fp) ? T_ERROR : T_EOF); + case '#': + /* Found a comment. Consume it, and continue appropriately: it must + * be terminated either by a newline or end-of-file. + */ for (;;) { ch = getc(fp); if (ch == '\n') goto newline; else if (ch == EOF) goto eof; } + default: + /* Whitespace means we just continue around. Anything else and we + * start snarfing. + */ if (isspace(ch)) goto skip_ws; break; } for (;;) { + + /* If there's buffer space left, store the character. */ if (sz) { *buf++ = ch; sz--; } + + /* Get a new one, and find out what to do about it. */ ch = getc(fp); switch (ch) { case '\n': @@ -173,14 +219,17 @@ skip_ws: } done: - if (!sz) - return (T_ERROR); - else { - *buf++ = 0; sz--; - return (T_OK); - } + /* If there's no space for a terminating null then report an error. */ + if (!sz) return (T_ERROR); + + /* All done. */ + *buf++ = 0; sz--; + return (T_OK); } +/* Parse an action name, storing the code in *ACT. Return an appropriate T_* + * code. + */ static int parse_actname(FILE *fp, unsigned *act) { char buf[32]; @@ -193,6 +242,7 @@ static int parse_actname(FILE *fp, unsigned *act) return (T_ERROR); } +/* Parse an action, returning a T_* code. */ static int parse_action(FILE *fp, struct action *act) { char buf[32]; @@ -200,40 +250,58 @@ static int parse_action(FILE *fp, struct action *act) unsigned a; unsigned long m; + /* Collect the action name. */ if ((t = parse_actname(fp, &a)) != 0) return (t); + + /* Parse parameters, if there are any. */ switch (a) { + case A_USER: + /* `user ACTION ACTION ...': store permitted actions in a bitmask. */ m = 0; for (;;) { if ((t = parse_actname(fp, &a)) != 0) break; + if (a == A_USER) return (T_ERROR); m |= (1 << a); } if (t != T_EOL && t != T_EOF) return (t); act->act = A_USER; act->u.user = m; break; + case A_TOKEN: case A_NAME: case A_DENY: case A_HIDE: + /* Dull actions which don't accept parameters. */ act->act = a; break; + case A_LIE: + /* `lie NAME': store the string we're to report. */ if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); act->act = a; act->u.lie = xstrdup(buf); break; } + + /* Make sure we've reached the end of the line. */ t = scan(fp, buf, sizeof(buf)); if (t != T_EOF && t != T_EOL) { free_action(act); return (T_ERROR); } + + /* Done. */ return (0); } -static int parse_sockpat(FILE *fp, const struct addrops **aop, - struct sockpat *sp) +/* Parse an address pattern, writing it to AP. If the pattern has an + * identifiable address family, update *AOP to point to its operations table; + * if *AOP is already set to something different then report an error. + */ +static int parse_addrpat(FILE *fp, const struct addrops **aop, + struct addrpat *ap) { char buf[64]; int t; @@ -241,47 +309,117 @@ static int parse_sockpat(FILE *fp, const struct addrops **aop, long n; char *delim; + /* Scan a token for the address pattern. */ if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); - if (strcmp(buf, "*") == 0) - sp->addr.len = 0; - else { - if (strchr(buf, ':')) - ao = &addroptab[ADDR_IPV6]; - else - ao = &addroptab[ADDR_IPV4]; - if (!*aop) *aop = ao; - else if (*aop != ao) return (T_ERROR); - delim = strchr(buf, '/'); - if (delim) *delim++ = 0; - if (!inet_pton(ao->af, buf, &sp->addr.addr)) return (T_ERROR); - if (!delim) n = ao->len; - else n = strtol(delim, 0, 10); - if (n < 0 || n > ao->len) return (T_ERROR); - sp->addr.len = n; + + /* If this is a wildcard, then leave everything as it is. */ + if (strcmp(buf, "*") == 0) { + ap->len = 0; + return (T_OK); } + /* Decide what kind of address this must be. A bit grim, sorry. */ + if (strchr(buf, ':')) + ao = &addroptab[ADDR_IPV6]; + else + ao = &addroptab[ADDR_IPV4]; + + /* Update the caller's idea of the address family in use. */ + if (!*aop) *aop = ao; + else if (*aop != ao) return (T_ERROR); + + /* See whether there's a prefix length. If so, clobber it. */ + delim = strchr(buf, '/'); + if (delim) *delim++ = 0; + + /* Parse the address. */ + if (!inet_pton(ao->af, buf, &ap->addr)) return (T_ERROR); + + /* Parse the prefix length, or use the maximum one. */ + if (!delim) n = ao->len; + else n = strtol(delim, 0, 10); + if (n < 0 || n > ao->len) return (T_ERROR); + ap->len = n; + + /* Done. */ + return (T_OK); +} + +static int parse_portpat(FILE *fp, struct portpat *pp) +{ + char buf[64]; + int t; + long n; + char *delim; + + /* Parse a token for the pattern. */ if ((t = scan(fp, buf, sizeof(buf))) != 0) return (T_ERROR); + + /* If this is a wildcard, then we're done. */ if (strcmp(buf, "*") == 0) { - sp->port.lo = 0; - sp->port.hi = 65535; - } else { - delim = strchr(buf, '-'); - if (delim) *delim++ = 0; - n = strtol(buf, 0, 0); - if (n < 0 || n > 65535) return (T_ERROR); - sp->port.lo = n; - if (!delim) - sp->port.hi = n; - else { - n = strtol(delim, 0, 0); - if (n < 0 || n > 65535) return (T_ERROR); - sp->port.hi = n; - } + pp->lo = 0; + pp->hi = 65535; + return (T_OK); + } + + /* Find a range delimiter. */ + delim = strchr(buf, '-'); + if (delim) *delim++ = 0; + + /* Parse the only or low end of the range. */ + n = strtol(buf, 0, 0); + if (n < 0 || n > 65535) return (T_ERROR); + pp->lo = n; + + /* If there's no delimiter, then the high end is equal to the low end; + * otherwise, parse the high end. + */ + if (!delim) + pp->hi = n; + else { + n = strtol(delim, 0, 0); + if (n < pp->lo || n > 65535) return (T_ERROR); + pp->hi = n; + } + + /* Done. */ + return (T_OK); +} + +/* Parse a socket pattern, writing it to SP. */ +static int parse_sockpat(FILE *fp, const struct addrops **aop, + struct sockpat *sp) +{ + int t; + + if ((t = parse_addrpat(fp, aop, &sp->addr)) != 0) return (t); + if ((t = parse_portpat(fp, &sp->port)) != 0) return (T_ERROR); + return (T_OK); +} + +/* Parse a user pattern, writing it to UP. */ +static int parse_userpat(FILE *fp, struct userpat *up) +{ + struct passwd *pw; + char buf[32]; + int t; + char *delim; + + if ((t = scan(fp, buf, sizeof(buf))) != 0) return (t); + if (!strcmp(buf, "*")) { up->lo = 0; up->hi = UINT_MAX; } + else if ((pw = getpwnam(buf)) != 0) up->lo = up->hi = pw->pw_uid; + else { + if ((delim = strchr(buf, '-')) != 0) *delim++ = 0; + up->lo = strtoul(buf, 0, 0); + if (!delim) up->hi = up->lo; + else if (!*delim) up->hi = UINT_MAX; + else up->hi = strtoul(delim, 0, 0); } return (0); } -int parse_policy(FILE *fp, struct policy *p) +/* Parse a policy rule line, writing it to P. */ +static int parse_policy(FILE *fp, struct policy *p) { int t; @@ -290,6 +428,7 @@ int parse_policy(FILE *fp, struct policy *p) if ((t = parse_sockpat(fp, &p->ao, &p->sp[L])) != 0) goto fail; if ((t = parse_sockpat(fp, &p->ao, &p->sp[R])) != 0) goto err; + if ((t = parse_userpat(fp, &p->up)) != 0) goto err; if ((t = parse_action(fp, &p->act)) != 0) goto err; return (0); @@ -300,13 +439,36 @@ fail: return (t); } +/* Open a policy file by NAME. The description WHAT and query Q are used for + * formatting error messages for the log. + * + * This function is somewhat careful only to read from actual regular files, + * though (if the filesystem object identified by NAME is a symlink, say) it + * might open a device node or other exotic thing without reading it. This + * is likely harmless, since we're running as an unprivileged user anyway. + */ int open_policy_file(struct policy_file *pf, const char *name, - const char *what, const struct query *q) + const char *what, const struct query *q, unsigned f) { + struct stat st; + if ((pf->fp = fopen(name, "r")) == 0) { - logmsg(q, LOG_ERR, "failed to open %s `%s': %s", + if (errno != ENOENT || !(f & OPF_NOENTOK)) { + logmsg(q, LOG_ERR, "failed to open %s `%s': %s", + what, name, strerror(errno)); + } + goto err_0; + } + + if (fstat(fileno(pf->fp), &st)) { + logmsg(q, LOG_ERR, "failed to read information about %s `%s': %s", what, name, strerror(errno)); - return (-1); + goto err_1; + } + if (!S_ISREG(st.st_mode)) { + logmsg(q, LOG_ERR, "object `%s', used as %s, is not a regular file", + name, what); + goto err_1; } pf->name = name; @@ -316,8 +478,16 @@ int open_policy_file(struct policy_file *pf, const char *name, pf->lno = 0; init_policy(&pf->p); return (0); + +err_1: + fclose(pf->fp); +err_0: + return (-1); } +/* Read a policy rule from the file, storing it in PF->p. Return one of the + * T_* codes. + */ int read_policy_file(struct policy_file *pf) { int t; @@ -327,44 +497,51 @@ int read_policy_file(struct policy_file *pf) t = parse_policy(pf->fp, &pf->p); switch (t) { case T_OK: + case T_EOL: nextline(pf->fp); - return (0); + return (t); case T_ERROR: logmsg(pf->q, LOG_ERR, "%s:%d: parse error in %s", pf->name, pf->lno, pf->what); pf->err = 1; - break; + return (t); case T_EOF: if (ferror(pf->fp)) { logmsg(pf->q, LOG_ERR, "failed to read %s `%s': %s", pf->what, pf->name, strerror(errno)); } - return (-1); - case T_EOL: - nextline(pf->fp); - break; + return (t); default: abort(); } } } +/* Close a policy file. It doesn't matter whether the file was completely + * read. + */ void close_policy_file(struct policy_file *pf) { fclose(pf->fp); free_policy(&pf->p); } +/* Load a policy file, writing a vector of records into PV. If the policy + * file has errors, then leave PV unchanged and return nonzero. + */ int load_policy_file(const char *file, policy_v *pv) { struct policy_file pf; policy_v v = DA_INIT; + int t = 0; - if (open_policy_file(&pf, file, "policy file", 0)) + if (open_policy_file(&pf, file, "policy file", 0, 0)) return (-1); - while (!read_policy_file(&pf)) { - DA_PUSH(&v, pf.p); - init_policy(&pf.p); + while ((t = read_policy_file(&pf)) < T_EOF) { + if (t == T_OK) { + DA_PUSH(&v, pf.p); + init_policy(&pf.p); + } } close_policy_file(&pf); if (!pf.err) {