Call the approval plugin after the policy plugin accepts a command.
Previously, for intercepted commands we only called the policy plugin.
16
src/exec.c
16
src/exec.c
@@ -582,8 +582,6 @@ intercept_check_policy(PolicyCheckRequest *req,
|
|||||||
|
|
||||||
switch (ok) {
|
switch (ok) {
|
||||||
case 1:
|
case 1:
|
||||||
/* TODO: call approval plugin too */
|
|
||||||
|
|
||||||
/* Extract command path from command_info[] */
|
/* Extract command path from command_info[] */
|
||||||
if (command_info != NULL) {
|
if (command_info != NULL) {
|
||||||
for (n = 0; command_info[n] != NULL; n++) {
|
for (n = 0; command_info[n] != NULL; n++) {
|
||||||
@@ -640,11 +638,16 @@ intercept_check_policy(PolicyCheckRequest *req,
|
|||||||
}
|
}
|
||||||
closure->run_envp[n] = NULL;
|
closure->run_envp[n] = NULL;
|
||||||
|
|
||||||
/* Audit the event twice: once for the plugin, once for sudo. */
|
|
||||||
audit_accept(policy_plugin.name, SUDO_POLICY_PLUGIN, command_info,
|
audit_accept(policy_plugin.name, SUDO_POLICY_PLUGIN, command_info,
|
||||||
closure->run_argv, closure->run_envp);
|
closure->run_argv, closure->run_envp);
|
||||||
audit_accept("sudo", SUDO_FRONT_END, command_info,
|
|
||||||
closure->run_argv, closure->run_envp);
|
/* Call approval plugins and audit the result. */
|
||||||
|
if (!approval_check(command_info, closure->run_argv, closure->run_envp))
|
||||||
|
debug_return_int(0);
|
||||||
|
|
||||||
|
/* Audit the event again for the sudo front-end. */
|
||||||
|
audit_accept("sudo", SUDO_FRONT_END, command_info, closure->run_argv,
|
||||||
|
closure->run_envp);
|
||||||
debug_return_int(1);
|
debug_return_int(1);
|
||||||
case 0:
|
case 0:
|
||||||
if (*errstr == NULL)
|
if (*errstr == NULL)
|
||||||
@@ -743,8 +746,7 @@ intercept_read(int fd, struct intercept_closure *closure)
|
|||||||
ret = true;
|
ret = true;
|
||||||
|
|
||||||
done:
|
done:
|
||||||
// XXX
|
intercept_message__free_unpacked(msg, NULL);
|
||||||
//intercept_message__free_unpacked(msg, NULL);
|
|
||||||
free(buf);
|
free(buf);
|
||||||
debug_return_bool(ret);
|
debug_return_bool(ret);
|
||||||
}
|
}
|
||||||
|
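Review bot: The added `if (!approval_check(command_info, closure->run_argv, closure->run_envp)) debug_return_int(0);` returns the same value as the policy-reject `case 0:` branch but bypasses that branch's `*errstr` handling (`if (*errstr == NULL)` …), so a caller that tells the outcomes apart only by the return value, or that relays `*errstr` to the intercepted process, will see an approval rejection as a policy rejection with no reason attached. If approval_check() already audits and reports the rejection itself, say so at the return, e.g. `/* approval_check() has audited and reported the rejection; *errstr is left unset. */`; otherwise set `*errstr` before returning so the two rejection paths behave alike. Note also that closure->run_argv and closure->run_envp are already populated at this point (`closure->run_envp[n] = NULL;` a few lines up), whereas in the policy-reject path they were never built, so the early return relies on the caller releasing them on a 0 result — worth confirming in the caller. intercept_check_policy() begins and ends outside this hunk, including the rest of the `case 0:` handling.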
@@ -123,14 +123,12 @@ static void iolog_show_version(int verbose, int argc, char * const argv[],
|
|||||||
static void unlink_plugin(struct plugin_container_list *plugin_list, struct plugin_container *plugin);
|
static void unlink_plugin(struct plugin_container_list *plugin_list, struct plugin_container *plugin);
|
||||||
static void free_plugin_container(struct plugin_container *plugin, bool ioplugin);
|
static void free_plugin_container(struct plugin_container *plugin, bool ioplugin);
|
||||||
|
|
||||||
/* Audit plugin convenience functions. */
|
/* Audit plugin convenience functions (some are public). */
|
||||||
static void audit_open(void);
|
static void audit_open(void);
|
||||||
static void audit_close(int exit_status, int error);
|
static void audit_close(int exit_status, int error);
|
||||||
static void audit_show_version(int verbose);
|
static void audit_show_version(int verbose);
|
||||||
|
|
||||||
/* Approval plugin convenience functions. */
|
/* Approval plugin convenience functions (some are public). */
|
||||||
static bool approval_check(char * const command_info[], char * const run_argv[],
|
|
||||||
char * const run_envp[]);
|
|
||||||
static void approval_show_version(int verbose);
|
static void approval_show_version(int verbose);
|
||||||
|
|
||||||
sudo_dso_public int main(int argc, char *argv[], char *envp[]);
|
sudo_dso_public int main(int argc, char *argv[], char *envp[]);
|
||||||
@@ -1832,7 +1830,7 @@ approval_show_version(int verbose)
|
|||||||
* This is a "one-shot" plugin that has no open/close and is only
|
* This is a "one-shot" plugin that has no open/close and is only
|
||||||
* called if the policy plugin accepts the command first.
|
* called if the policy plugin accepts the command first.
|
||||||
*/
|
*/
|
||||||
static bool
|
bool
|
||||||
approval_check(char * const command_info[], char * const run_argv[],
|
approval_check(char * const command_info[], char * const run_argv[],
|
||||||
char * const run_envp[])
|
char * const run_envp[])
|
||||||
{
|
{
|
||||||
|
@@ -230,6 +230,8 @@ bool audit_reject(const char *plugin_name, unsigned int plugin_type,
|
|||||||
const char *audit_msg, char * const command_info[]);
|
const char *audit_msg, char * const command_info[]);
|
||||||
bool audit_error(const char *plugin_name, unsigned int plugin_type,
|
bool audit_error(const char *plugin_name, unsigned int plugin_type,
|
||||||
const char *audit_msg, char * const command_info[]);
|
const char *audit_msg, char * const command_info[]);
|
||||||
|
bool approval_check(char * const command_info[], char * const run_argv[],
|
||||||
|
char * const run_envp[]);
|
||||||
extern const char *list_user;
|
extern const char *list_user;
|
||||||
extern struct user_details user_details;
|
extern struct user_details user_details;
|
||||||
extern int sudo_debug_instance;
|
extern int sudo_debug_instance;
|
||||||
|