Add intercept_verify sudoers option to control execve(2) argument checking.

2022-07-29 15:22:27 -06:00
parent b80b012de0
commit 3ce19efca9
10 changed files with 99 additions and 32 deletions
--- a/src/exec_ptrace.c
+++ b/src/exec_ptrace.c
@@ -1532,10 +1532,12 @@ ptrace_intercept_execve(pid_t pid, struct intercept_closure *closure)
 	    }
 	}
 	if (closure->state == POLICY_ACCEPT) {
-	    /* Verify execve(2) args post-exec. */
-	    if (!ptrace_verify_post_exec(pid, &regs, closure)) {
-		if (errno != ESRCH)
-		    kill(pid, SIGKILL);
+	    if (ISSET(closure->details->flags, CD_INTERCEPT_VERIFY)) {
+		/* Verify execve(2) args post-exec. */
+		if (!ptrace_verify_post_exec(pid, &regs, closure)) {
+		    if (errno != ESRCH)
+			kill(pid, SIGKILL);
+		}
 	    }
 	}
 	break;
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -734,6 +734,7 @@ command_info_to_details(char * const info[], struct command_details *details)
 		break;
 	    case 'i':
 		SET_FLAG("intercept=", CD_INTERCEPT)
+		SET_FLAG("intercept_verify=", CD_INTERCEPT_VERIFY)
 		break;
 	    case 'l':
 		SET_STRING("login_class=", login_class)
--- a/src/sudo.h
+++ b/src/sudo.h
@@ -149,30 +149,31 @@ struct user_details {
    int ts_cols;
 };

-#define CD_SET_UID		0x000001
-#define CD_SET_EUID		0x000002
-#define CD_SET_GID		0x000004
-#define CD_SET_EGID		0x000008
-#define CD_PRESERVE_GROUPS	0x000010
-#define CD_INTERCEPT		0x000020
-#define CD_NOEXEC		0x000040
-#define CD_SET_PRIORITY		0x000080
-#define CD_SET_UMASK		0x000100
-#define CD_SET_TIMEOUT		0x000200
-#define CD_SUDOEDIT		0x000400
-#define CD_BACKGROUND		0x000800
-#define CD_RBAC_ENABLED		0x001000
-#define CD_USE_PTY		0x002000
-#define CD_SET_UTMP		0x004000
-#define CD_EXEC_BG		0x008000
-#define CD_SUDOEDIT_FOLLOW	0x010000
-#define CD_SUDOEDIT_CHECKDIR	0x020000
-#define CD_SET_GROUPS		0x040000
-#define CD_LOGIN_SHELL		0x080000
-#define CD_OVERRIDE_UMASK	0x100000
-#define CD_LOG_SUBCMDS		0x200000
-#define CD_USE_PTRACE		0x400000
-#define CD_FEXECVE		0x800000
+#define CD_SET_UID		0x00000001
+#define CD_SET_EUID		0x00000002
+#define CD_SET_GID		0x00000004
+#define CD_SET_EGID		0x00000008
+#define CD_PRESERVE_GROUPS	0x00000010
+#define CD_INTERCEPT		0x00000020
+#define CD_NOEXEC		0x00000040
+#define CD_SET_PRIORITY		0x00000080
+#define CD_SET_UMASK		0x00000100
+#define CD_SET_TIMEOUT		0x00000200
+#define CD_SUDOEDIT		0x00000400
+#define CD_BACKGROUND		0x00000800
+#define CD_RBAC_ENABLED		0x00001000
+#define CD_USE_PTY		0x00002000
+#define CD_SET_UTMP		0x00004000
+#define CD_EXEC_BG		0x00008000
+#define CD_SUDOEDIT_FOLLOW	0x00010000
+#define CD_SUDOEDIT_CHECKDIR	0x00020000
+#define CD_SET_GROUPS		0x00040000
+#define CD_LOGIN_SHELL		0x00080000
+#define CD_OVERRIDE_UMASK	0x00100000
+#define CD_LOG_SUBCMDS		0x00200000
+#define CD_USE_PTRACE		0x00400000
+#define CD_FEXECVE		0x00800000
+#define CD_INTERCEPT_VERIFY	0x01000000

 struct preserved_fd {
    TAILQ_ENTRY(preserved_fd) entries;