isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Define protocol for sudo <-> sudo_intercept.so communication.

Browse Source 
Uses google protocol buffers.
This commit is contained in:
Todd C. Miller
2021-08-09 15:50:25 -06:00
parent 5d4120fa5d
commit cede7dd92d
5 changed files with 953 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
MANIFEST
View File

@@ -81,6 +81,7 @@ include/compat/nss_dbdefs.h
include/compat/sha2.h
include/compat/stdbool.h
include/hostcheck.h
include/intercept.pb-c.h
include/log_server.pb-c.h
include/protobuf-c/protobuf-c.h
include/sudo_compat.h
@@ -1107,6 +1108,8 @@ src/exec_nopty.c
src/exec_pty.c
src/get_pty.c
src/hooks.c
src/intercept.pb-c.c
src/intercept.proto
src/limits.c
src/load_plugins.c
src/net_ifs.c

283
include/intercept.pb-c.h Normal file
View File

@@ -0,0 +1,283 @@
/* Generated by the protocol buffer compiler. DO NOT EDIT! */
/* Generated from: intercept.proto */
#ifndef PROTOBUF_C_intercept_2eproto__INCLUDED
#define PROTOBUF_C_intercept_2eproto__INCLUDED
#include <protobuf-c/protobuf-c.h>
PROTOBUF_C__BEGIN_DECLS
#if PROTOBUF_C_VERSION_NUMBER < 1003000
# error This file was generated by a newer version of protoc-c which is incompatible with your libprotobuf-c headers. Please update your headers.
#elif 1003003 < PROTOBUF_C_MIN_COMPILER_VERSION
# error This file was generated by an older version of protoc-c which is incompatible with your libprotobuf-c headers. Please regenerate this file with a newer version of protoc-c.
#endif
typedef struct _InterceptMessage InterceptMessage;
typedef struct _PolicyCheckRequest PolicyCheckRequest;
typedef struct _PolicyAcceptMessage PolicyAcceptMessage;
typedef struct _PolicyRejectMessage PolicyRejectMessage;
typedef struct _PolicyErrorMessage PolicyErrorMessage;
typedef struct _PolicyCheckResult PolicyCheckResult;
/* --- enums --- */
/* --- messages --- */
typedef enum {
INTERCEPT_MESSAGE__TYPE__NOT_SET = 0,
INTERCEPT_MESSAGE__TYPE_POLICY_CHECK_REQ = 1
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(INTERCEPT_MESSAGE__TYPE)
} InterceptMessage__TypeCase;
/*
* Intercept message from sudo_intercept.so. Messages on the
* wire are prefixed with a 32-bit size in network byte order.
*/
struct _InterceptMessage
{
ProtobufCMessage base;
InterceptMessage__TypeCase type_case;
union {
PolicyCheckRequest *policy_check_req;
} u;
};
#define INTERCEPT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&intercept_message__descriptor) \
, INTERCEPT_MESSAGE__TYPE__NOT_SET, {0} }
/*
* Policy check request from sudo_intercept.so.
* Note that the plugin API only currently supports passing
* the new environment in to the open() function.
*/
struct _PolicyCheckRequest
{
ProtobufCMessage base;
char *command;
size_t n_argv;
char **argv;
size_t n_envp;
char **envp;
};
#define POLICY_CHECK_REQUEST__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_check_request__descriptor) \
, (char *)protobuf_c_empty_string, 0,NULL, 0,NULL }
struct _PolicyAcceptMessage
{
ProtobufCMessage base;
char *run_command;
size_t n_run_argv;
char **run_argv;
size_t n_run_envp;
char **run_envp;
};
#define POLICY_ACCEPT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_accept_message__descriptor) \
, (char *)protobuf_c_empty_string, 0,NULL, 0,NULL }
struct _PolicyRejectMessage
{
ProtobufCMessage base;
char *reject_message;
};
#define POLICY_REJECT_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_reject_message__descriptor) \
, (char *)protobuf_c_empty_string }
struct _PolicyErrorMessage
{
ProtobufCMessage base;
char *error_message;
};
#define POLICY_ERROR_MESSAGE__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_error_message__descriptor) \
, (char *)protobuf_c_empty_string }
typedef enum {
POLICY_CHECK_RESULT__TYPE__NOT_SET = 0,
POLICY_CHECK_RESULT__TYPE_ACCEPT_MSG = 1,
POLICY_CHECK_RESULT__TYPE_REJECT_MSG = 2,
POLICY_CHECK_RESULT__TYPE_ERROR_MSG = 3
PROTOBUF_C__FORCE_ENUM_TO_BE_INT_SIZE(POLICY_CHECK_RESULT__TYPE)
} PolicyCheckResult__TypeCase;
/*
* Policy check result sent back to sudo_intercept.so.
*/
struct _PolicyCheckResult
{
ProtobufCMessage base;
PolicyCheckResult__TypeCase type_case;
union {
PolicyAcceptMessage *accept_msg;
PolicyRejectMessage *reject_msg;
PolicyErrorMessage *error_msg;
} u;
};
#define POLICY_CHECK_RESULT__INIT \
{ PROTOBUF_C_MESSAGE_INIT (&policy_check_result__descriptor) \
, POLICY_CHECK_RESULT__TYPE__NOT_SET, {0} }
/* InterceptMessage methods */
void intercept_message__init
(InterceptMessage *message);
size_t intercept_message__get_packed_size
(const InterceptMessage *message);
size_t intercept_message__pack
(const InterceptMessage *message,
uint8_t *out);
size_t intercept_message__pack_to_buffer
(const InterceptMessage *message,
ProtobufCBuffer *buffer);
InterceptMessage *
intercept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void intercept_message__free_unpacked
(InterceptMessage *message,
ProtobufCAllocator *allocator);
/* PolicyCheckRequest methods */
void policy_check_request__init
(PolicyCheckRequest *message);
size_t policy_check_request__get_packed_size
(const PolicyCheckRequest *message);
size_t policy_check_request__pack
(const PolicyCheckRequest *message,
uint8_t *out);
size_t policy_check_request__pack_to_buffer
(const PolicyCheckRequest *message,
ProtobufCBuffer *buffer);
PolicyCheckRequest *
policy_check_request__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_check_request__free_unpacked
(PolicyCheckRequest *message,
ProtobufCAllocator *allocator);
/* PolicyAcceptMessage methods */
void policy_accept_message__init
(PolicyAcceptMessage *message);
size_t policy_accept_message__get_packed_size
(const PolicyAcceptMessage *message);
size_t policy_accept_message__pack
(const PolicyAcceptMessage *message,
uint8_t *out);
size_t policy_accept_message__pack_to_buffer
(const PolicyAcceptMessage *message,
ProtobufCBuffer *buffer);
PolicyAcceptMessage *
policy_accept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_accept_message__free_unpacked
(PolicyAcceptMessage *message,
ProtobufCAllocator *allocator);
/* PolicyRejectMessage methods */
void policy_reject_message__init
(PolicyRejectMessage *message);
size_t policy_reject_message__get_packed_size
(const PolicyRejectMessage *message);
size_t policy_reject_message__pack
(const PolicyRejectMessage *message,
uint8_t *out);
size_t policy_reject_message__pack_to_buffer
(const PolicyRejectMessage *message,
ProtobufCBuffer *buffer);
PolicyRejectMessage *
policy_reject_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_reject_message__free_unpacked
(PolicyRejectMessage *message,
ProtobufCAllocator *allocator);
/* PolicyErrorMessage methods */
void policy_error_message__init
(PolicyErrorMessage *message);
size_t policy_error_message__get_packed_size
(const PolicyErrorMessage *message);
size_t policy_error_message__pack
(const PolicyErrorMessage *message,
uint8_t *out);
size_t policy_error_message__pack_to_buffer
(const PolicyErrorMessage *message,
ProtobufCBuffer *buffer);
PolicyErrorMessage *
policy_error_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_error_message__free_unpacked
(PolicyErrorMessage *message,
ProtobufCAllocator *allocator);
/* PolicyCheckResult methods */
void policy_check_result__init
(PolicyCheckResult *message);
size_t policy_check_result__get_packed_size
(const PolicyCheckResult *message);
size_t policy_check_result__pack
(const PolicyCheckResult *message,
uint8_t *out);
size_t policy_check_result__pack_to_buffer
(const PolicyCheckResult *message,
ProtobufCBuffer *buffer);
PolicyCheckResult *
policy_check_result__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data);
void policy_check_result__free_unpacked
(PolicyCheckResult *message,
ProtobufCAllocator *allocator);
/* --- per-message closures --- */
typedef void (*InterceptMessage_Closure)
(const InterceptMessage *message,
void *closure_data);
typedef void (*PolicyCheckRequest_Closure)
(const PolicyCheckRequest *message,
void *closure_data);
typedef void (*PolicyAcceptMessage_Closure)
(const PolicyAcceptMessage *message,
void *closure_data);
typedef void (*PolicyRejectMessage_Closure)
(const PolicyRejectMessage *message,
void *closure_data);
typedef void (*PolicyErrorMessage_Closure)
(const PolicyErrorMessage *message,
void *closure_data);
typedef void (*PolicyCheckResult_Closure)
(const PolicyCheckResult *message,
void *closure_data);
/* --- services --- */
/* --- descriptors --- */
extern const ProtobufCMessageDescriptor intercept_message__descriptor;
extern const ProtobufCMessageDescriptor policy_check_request__descriptor;
extern const ProtobufCMessageDescriptor policy_accept_message__descriptor;
extern const ProtobufCMessageDescriptor policy_reject_message__descriptor;
extern const ProtobufCMessageDescriptor policy_error_message__descriptor;
extern const ProtobufCMessageDescriptor policy_check_result__descriptor;
PROTOBUF_C__END_DECLS
#endif /* PROTOBUF_C_intercept_2eproto__INCLUDED */

38
src/Makefile.in
View File

@@ -43,7 +43,8 @@ INSTALL_OWNER = -o $(install_uid) -g $(install_gid)
INSTALL_BACKUP = @INSTALL_BACKUP@
# Libraries
LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la
LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la \
$(top_builddir)/lib/protobuf-c/libprotobuf-c.la
LIBS = @LIBS@ @SUDO_LIBS@ @GETGROUPS_LIB@ @NET_LIBS@ $(LT_LIBS)
# C preprocessor defines
@@ -121,6 +122,9 @@ TEST_PROGS = check_net_ifs @CHECK_NOEXEC@ check_ttyname
TEST_LIBS = @LIBS@ $(LT_LIBS)
TEST_LDFLAGS = @LDFLAGS@
# Set to non-empty for development mode
DEVEL = @DEVEL@
#### End of system configuration section. ####
SHELL = @SHELL@
@@ -129,8 +133,8 @@ PROGS = @PROGS@
OBJS = conversation.o copy_file.o edit_open.o env_hooks.o exec.o \
exec_common.o exec_monitor.o exec_nopty.o exec_pty.o get_pty.o hooks.o \
limits.o load_plugins.o net_ifs.o parse_args.o preserve_fds.o \
signal.o sudo.o sudo_edit.o tcsetpgrp_nobg.o tgetpass.o \
intercept.pb-c.o limits.o load_plugins.o net_ifs.o parse_args.o \
preserve_fds.o signal.o sudo.o sudo_edit.o tcsetpgrp_nobg.o tgetpass.o \
ttyname.o utmp.o @SUDO_OBJS@
IOBJS = $(OBJS:.o=.i) sesh.i
@@ -149,6 +153,8 @@ LIBOBJDIR = $(top_builddir)/@ac_config_libobj_dir@/
VERSION = @PACKAGE_VERSION@
GENERATED = intercept.pb-c.h intercept.pb-c.c
all: $(PROGS)
depend:
@@ -176,6 +182,20 @@ Makefile: $(srcdir)/Makefile.in
.i.plog:
ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@
$(devdir)/intercept.pb-c.c: $(srcdir)/intercept.proto
@if [ -n "$(DEVEL)" ]; then \
cmd='protoc-c --c_out=$(devdir) --proto_path=$(srcdir) $(srcdir)/intercept.proto'; \
echo "$$cmd"; eval $$cmd; \
cmd='$(scriptdir)/unanon $(devdir)/intercept.pb-c.h $(devdir)/intercept.pb-c.c'; \
echo "$$cmd"; eval $$cmd; \
if [ "$(devdir)" == "$(srcdir)" ]; then \
cmd='mv -f $(devdir)/intercept.pb-c.h $(incdir)/intercept.pb-c.h'; \
else \
cmd='mv -f $(devdir)/intercept.pb-c.h $(top_builddir)/intercept.pb-c.h'; \
fi; \
echo "$$cmd"; eval $$cmd; \
fi
sudo: $(OBJS) $(LT_LIBS) @STATIC_SUDOERS@
$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(OBJS) $(SUDO_LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) @STATIC_SUDOERS@
@@ -298,6 +318,10 @@ mostlyclean: clean
distclean: clean
-rm -rf Makefile .libs sudo_usage.h
@if [ -n "$(DEVEL)" -a "$(devdir)" != "$(srcdir)" ]; then \
cmd='rm -rf $(GENERATED)'; \
echo "$$cmd"; eval $$cmd; \
fi
clobber: distclean
@@ -556,6 +580,14 @@ hooks.i: $(srcdir)/hooks.c $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
$(CC) -E -o $@ $(CPPFLAGS) $<
hooks.plog: hooks.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/hooks.c --i-file $< --output-file $@
intercept.pb-c.o: $(srcdir)/intercept.pb-c.c $(incdir)/intercept.pb-c.h \
$(incdir)/protobuf-c/protobuf-c.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/intercept.pb-c.c
intercept.pb-c.i: $(srcdir)/intercept.pb-c.c $(incdir)/intercept.pb-c.h \
$(incdir)/protobuf-c/protobuf-c.h
$(CC) -E -o $@ $(CPPFLAGS) $<
intercept.pb-c.plog: intercept.pb-c.i
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/intercept.pb-c.c --i-file $< --output-file $@
limits.o: $(srcdir)/limits.c $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_event.h $(incdir)/sudo_fatal.h \

585
src/intercept.pb-c.c Normal file
View File

@@ -0,0 +1,585 @@
/* Generated by the protocol buffer compiler. DO NOT EDIT! */
/* Generated from: intercept.proto */
/* Do not generate deprecated warnings for self */
#ifndef PROTOBUF_C__NO_DEPRECATED
#define PROTOBUF_C__NO_DEPRECATED
#endif
#include "intercept.pb-c.h"
void intercept_message__init
(InterceptMessage *message)
{
static const InterceptMessage init_value = INTERCEPT_MESSAGE__INIT;
*message = init_value;
}
size_t intercept_message__get_packed_size
(const InterceptMessage *message)
{
assert(message->base.descriptor == &intercept_message__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t intercept_message__pack
(const InterceptMessage *message,
uint8_t *out)
{
assert(message->base.descriptor == &intercept_message__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t intercept_message__pack_to_buffer
(const InterceptMessage *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &intercept_message__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
InterceptMessage *
intercept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (InterceptMessage *)
protobuf_c_message_unpack (&intercept_message__descriptor,
allocator, len, data);
}
void intercept_message__free_unpacked
(InterceptMessage *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &intercept_message__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
void policy_check_request__init
(PolicyCheckRequest *message)
{
static const PolicyCheckRequest init_value = POLICY_CHECK_REQUEST__INIT;
*message = init_value;
}
size_t policy_check_request__get_packed_size
(const PolicyCheckRequest *message)
{
assert(message->base.descriptor == &policy_check_request__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t policy_check_request__pack
(const PolicyCheckRequest *message,
uint8_t *out)
{
assert(message->base.descriptor == &policy_check_request__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t policy_check_request__pack_to_buffer
(const PolicyCheckRequest *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &policy_check_request__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
PolicyCheckRequest *
policy_check_request__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (PolicyCheckRequest *)
protobuf_c_message_unpack (&policy_check_request__descriptor,
allocator, len, data);
}
void policy_check_request__free_unpacked
(PolicyCheckRequest *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &policy_check_request__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
void policy_accept_message__init
(PolicyAcceptMessage *message)
{
static const PolicyAcceptMessage init_value = POLICY_ACCEPT_MESSAGE__INIT;
*message = init_value;
}
size_t policy_accept_message__get_packed_size
(const PolicyAcceptMessage *message)
{
assert(message->base.descriptor == &policy_accept_message__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t policy_accept_message__pack
(const PolicyAcceptMessage *message,
uint8_t *out)
{
assert(message->base.descriptor == &policy_accept_message__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t policy_accept_message__pack_to_buffer
(const PolicyAcceptMessage *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &policy_accept_message__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
PolicyAcceptMessage *
policy_accept_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (PolicyAcceptMessage *)
protobuf_c_message_unpack (&policy_accept_message__descriptor,
allocator, len, data);
}
void policy_accept_message__free_unpacked
(PolicyAcceptMessage *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &policy_accept_message__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
void policy_reject_message__init
(PolicyRejectMessage *message)
{
static const PolicyRejectMessage init_value = POLICY_REJECT_MESSAGE__INIT;
*message = init_value;
}
size_t policy_reject_message__get_packed_size
(const PolicyRejectMessage *message)
{
assert(message->base.descriptor == &policy_reject_message__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t policy_reject_message__pack
(const PolicyRejectMessage *message,
uint8_t *out)
{
assert(message->base.descriptor == &policy_reject_message__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t policy_reject_message__pack_to_buffer
(const PolicyRejectMessage *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &policy_reject_message__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
PolicyRejectMessage *
policy_reject_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (PolicyRejectMessage *)
protobuf_c_message_unpack (&policy_reject_message__descriptor,
allocator, len, data);
}
void policy_reject_message__free_unpacked
(PolicyRejectMessage *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &policy_reject_message__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
void policy_error_message__init
(PolicyErrorMessage *message)
{
static const PolicyErrorMessage init_value = POLICY_ERROR_MESSAGE__INIT;
*message = init_value;
}
size_t policy_error_message__get_packed_size
(const PolicyErrorMessage *message)
{
assert(message->base.descriptor == &policy_error_message__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t policy_error_message__pack
(const PolicyErrorMessage *message,
uint8_t *out)
{
assert(message->base.descriptor == &policy_error_message__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t policy_error_message__pack_to_buffer
(const PolicyErrorMessage *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &policy_error_message__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
PolicyErrorMessage *
policy_error_message__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (PolicyErrorMessage *)
protobuf_c_message_unpack (&policy_error_message__descriptor,
allocator, len, data);
}
void policy_error_message__free_unpacked
(PolicyErrorMessage *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &policy_error_message__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
void policy_check_result__init
(PolicyCheckResult *message)
{
static const PolicyCheckResult init_value = POLICY_CHECK_RESULT__INIT;
*message = init_value;
}
size_t policy_check_result__get_packed_size
(const PolicyCheckResult *message)
{
assert(message->base.descriptor == &policy_check_result__descriptor);
return protobuf_c_message_get_packed_size ((const ProtobufCMessage*)(message));
}
size_t policy_check_result__pack
(const PolicyCheckResult *message,
uint8_t *out)
{
assert(message->base.descriptor == &policy_check_result__descriptor);
return protobuf_c_message_pack ((const ProtobufCMessage*)message, out);
}
size_t policy_check_result__pack_to_buffer
(const PolicyCheckResult *message,
ProtobufCBuffer *buffer)
{
assert(message->base.descriptor == &policy_check_result__descriptor);
return protobuf_c_message_pack_to_buffer ((const ProtobufCMessage*)message, buffer);
}
PolicyCheckResult *
policy_check_result__unpack
(ProtobufCAllocator *allocator,
size_t len,
const uint8_t *data)
{
return (PolicyCheckResult *)
protobuf_c_message_unpack (&policy_check_result__descriptor,
allocator, len, data);
}
void policy_check_result__free_unpacked
(PolicyCheckResult *message,
ProtobufCAllocator *allocator)
{
if(!message)
return;
assert(message->base.descriptor == &policy_check_result__descriptor);
protobuf_c_message_free_unpacked ((ProtobufCMessage*)message, allocator);
}
static const ProtobufCFieldDescriptor intercept_message__field_descriptors[1] =
{
{
"policy_check_req",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(InterceptMessage, type_case),
offsetof(InterceptMessage, u.policy_check_req),
&policy_check_request__descriptor,
NULL,
0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned intercept_message__field_indices_by_name[] = {
0, /* field[0] = policy_check_req */
};
static const ProtobufCIntRange intercept_message__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 1 }
};
const ProtobufCMessageDescriptor intercept_message__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"InterceptMessage",
"InterceptMessage",
"InterceptMessage",
"",
sizeof(InterceptMessage),
1,
intercept_message__field_descriptors,
intercept_message__field_indices_by_name,
1, intercept_message__number_ranges,
(ProtobufCMessageInit) intercept_message__init,
NULL,NULL,NULL /* reserved[123] */
};
static const ProtobufCFieldDescriptor policy_check_request__field_descriptors[3] =
{
{
"command",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
offsetof(PolicyCheckRequest, command),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"argv",
2,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(PolicyCheckRequest, n_argv),
offsetof(PolicyCheckRequest, argv),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"envp",
3,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(PolicyCheckRequest, n_envp),
offsetof(PolicyCheckRequest, envp),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned policy_check_request__field_indices_by_name[] = {
1, /* field[1] = argv */
0, /* field[0] = command */
2, /* field[2] = envp */
};
static const ProtobufCIntRange policy_check_request__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 3 }
};
const ProtobufCMessageDescriptor policy_check_request__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"PolicyCheckRequest",
"PolicyCheckRequest",
"PolicyCheckRequest",
"",
sizeof(PolicyCheckRequest),
3,
policy_check_request__field_descriptors,
policy_check_request__field_indices_by_name,
1, policy_check_request__number_ranges,
(ProtobufCMessageInit) policy_check_request__init,
NULL,NULL,NULL /* reserved[123] */
};
static const ProtobufCFieldDescriptor policy_accept_message__field_descriptors[3] =
{
{
"run_command",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
offsetof(PolicyAcceptMessage, run_command),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"run_argv",
2,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(PolicyAcceptMessage, n_run_argv),
offsetof(PolicyAcceptMessage, run_argv),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"run_envp",
3,
PROTOBUF_C_LABEL_REPEATED,
PROTOBUF_C_TYPE_STRING,
offsetof(PolicyAcceptMessage, n_run_envp),
offsetof(PolicyAcceptMessage, run_envp),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned policy_accept_message__field_indices_by_name[] = {
1, /* field[1] = run_argv */
0, /* field[0] = run_command */
2, /* field[2] = run_envp */
};
static const ProtobufCIntRange policy_accept_message__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 3 }
};
const ProtobufCMessageDescriptor policy_accept_message__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"PolicyAcceptMessage",
"PolicyAcceptMessage",
"PolicyAcceptMessage",
"",
sizeof(PolicyAcceptMessage),
3,
policy_accept_message__field_descriptors,
policy_accept_message__field_indices_by_name,
1, policy_accept_message__number_ranges,
(ProtobufCMessageInit) policy_accept_message__init,
NULL,NULL,NULL /* reserved[123] */
};
static const ProtobufCFieldDescriptor policy_reject_message__field_descriptors[1] =
{
{
"reject_message",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
offsetof(PolicyRejectMessage, reject_message),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned policy_reject_message__field_indices_by_name[] = {
0, /* field[0] = reject_message */
};
static const ProtobufCIntRange policy_reject_message__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 1 }
};
const ProtobufCMessageDescriptor policy_reject_message__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"PolicyRejectMessage",
"PolicyRejectMessage",
"PolicyRejectMessage",
"",
sizeof(PolicyRejectMessage),
1,
policy_reject_message__field_descriptors,
policy_reject_message__field_indices_by_name,
1, policy_reject_message__number_ranges,
(ProtobufCMessageInit) policy_reject_message__init,
NULL,NULL,NULL /* reserved[123] */
};
static const ProtobufCFieldDescriptor policy_error_message__field_descriptors[1] =
{
{
"error_message",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_STRING,
0, /* quantifier_offset */
offsetof(PolicyErrorMessage, error_message),
NULL,
&protobuf_c_empty_string,
0, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned policy_error_message__field_indices_by_name[] = {
0, /* field[0] = error_message */
};
static const ProtobufCIntRange policy_error_message__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 1 }
};
const ProtobufCMessageDescriptor policy_error_message__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"PolicyErrorMessage",
"PolicyErrorMessage",
"PolicyErrorMessage",
"",
sizeof(PolicyErrorMessage),
1,
policy_error_message__field_descriptors,
policy_error_message__field_indices_by_name,
1, policy_error_message__number_ranges,
(ProtobufCMessageInit) policy_error_message__init,
NULL,NULL,NULL /* reserved[123] */
};
static const ProtobufCFieldDescriptor policy_check_result__field_descriptors[3] =
{
{
"accept_msg",
1,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(PolicyCheckResult, type_case),
offsetof(PolicyCheckResult, u.accept_msg),
&policy_accept_message__descriptor,
NULL,
0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"reject_msg",
2,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(PolicyCheckResult, type_case),
offsetof(PolicyCheckResult, u.reject_msg),
&policy_reject_message__descriptor,
NULL,
0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
{
"error_msg",
3,
PROTOBUF_C_LABEL_NONE,
PROTOBUF_C_TYPE_MESSAGE,
offsetof(PolicyCheckResult, type_case),
offsetof(PolicyCheckResult, u.error_msg),
&policy_error_message__descriptor,
NULL,
0 | PROTOBUF_C_FIELD_FLAG_ONEOF, /* flags */
0,NULL,NULL /* reserved1,reserved2, etc */
},
};
static const unsigned policy_check_result__field_indices_by_name[] = {
0, /* field[0] = accept_msg */
2, /* field[2] = error_msg */
1, /* field[1] = reject_msg */
};
static const ProtobufCIntRange policy_check_result__number_ranges[1 + 1] =
{
{ 1, 0 },
{ 0, 3 }
};
const ProtobufCMessageDescriptor policy_check_result__descriptor =
{
PROTOBUF_C__MESSAGE_DESCRIPTOR_MAGIC,
"PolicyCheckResult",
"PolicyCheckResult",
"PolicyCheckResult",
"",
sizeof(PolicyCheckResult),
3,
policy_check_result__field_descriptors,
policy_check_result__field_indices_by_name,
1, policy_check_result__number_ranges,
(ProtobufCMessageInit) policy_check_result__init,
NULL,NULL,NULL /* reserved[123] */
};

47
src/intercept.proto Normal file
View File

@@ -0,0 +1,47 @@
syntax = "proto3";
/*
* Intercept message from sudo_intercept.so. Messages on the
* wire are prefixed with a 32-bit size in network byte order.
*/
message InterceptMessage {
oneof type {
PolicyCheckRequest policy_check_req = 1;
}
}
/*
* Policy check request from sudo_intercept.so.
* Note that the plugin API only currently supports passing
* the new environment in to the open() function.
*/
message PolicyCheckRequest {
string command = 1;
repeated string argv = 2;
repeated string envp = 3;
}
message PolicyAcceptMessage {
string run_command = 1;
repeated string run_argv = 2;
repeated string run_envp = 3;
}
message PolicyRejectMessage {
string reject_message = 1;
}
message PolicyErrorMessage {
string error_message = 1;
}
/*
* Policy check result sent back to sudo_intercept.so.
*/
message PolicyCheckResult {
oneof type {
PolicyAcceptMessage accept_msg = 1;
PolicyRejectMessage reject_msg = 2;
PolicyErrorMessage error_msg = 3;
}
}