Add intercept_type sudoers option to set intercept/log_subcmds mechanism.

This commit is contained in:
Todd C. Miller
2022-05-24 13:39:28 -06:00
parent b203753013
commit f053f174bc
13 changed files with 243 additions and 37 deletions


@@ -25,7 +25,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "May 4, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "@mansectform@" "May 24, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -3307,18 +3307,20 @@ To prevent this from happening,
will not permit a set-user-ID or set-group-ID program to be run in
intercept mode unless
\fIintercept_allow_setid\fR
is set.
is enable.
This flag has no effect unless the
\fIintercept\fR
flag is enabled or the
\fIINTERCEPT\fR
tag has been set for the command.
This flag is
\fIoff\fR
by default except on Linux systems that support
seccomp(2)
filtering, where it defaults to
\fIon\fR.
\fIon\fR
by default when the
\fIintercept_type\fR
option is set to
\fItrace\fR,
otherwise it default to
\fIoff\fR.
.sp
This setting is only supported by version 1.9.8 or higher.
.TP 18n
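Review bot: two typos in the inserted lines of this hunk: `is enable.` should read `is enabled.`, and `otherwise it default to` should read `otherwise it defaults to`. Since this paragraph now ties the default of intercept_allow_setid to intercept_type being `trace`, it would also help to say that the default falls back to `off` when the system cannot actually use `trace` (the intercept_type entry says `dso` is substituted silently in that case), so the reader knows which default applies after the fallback.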
@@ -4215,6 +4217,63 @@ option is disabled.
The default is
\fI@editor@\fR.
.TP 18n
intercept_type
The underlying mechanism used by the
\fIintercept\fR
and
\fIlog_subcmds\fR
options.
It has the following possible values:
.PP
.RS 18n
.PD 0
.TP 8n
dso
Preload a dynamic shared object (shared library) that intercepts the
\fBexecl\fR(),
\fBexecle\fR(),
\fBexeclp\fR(),
\fBexecv\fR(),
\fBexecve\fR(),
\fBexecvp\fR(),
and
\fBexecvpe\fR()
library functions.
A value of
\fIdso\fR
is incompatible with
\fBsudo\fR's
SELinux RBAC support.
.PD
.TP 8n
trace
Use
ptrace(2)
to intercept the
execve(2)
system call.
This is only supported on Linux systems where
seccomp(2)
filtering is enabled.
If the
\fI/proc/sys/kernel/seccomp/actions_avail\fR
file is missing or does not contain a
\(lqtrap\(rq
element, setting
\fIintercept_type\fR
to
\fItrace\fR
will have no effect and
\fIdso\fR
will be used instead.
.PP
The default is to use
\fItrace\fR
if it is supported by the system and
\fIdso\fR
if it is not.
.RE
.TP 18n
iolog_dir
The top-level directory to use when constructing the path name for
the input/output log directory.
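Review bot: the `dso` entry should state its coverage limit, namely that only programs which go through the listed exec library functions in a dynamically linked executable are intercepted, whereas the `trace` entry and the later "supports both static and dynamic executables" paragraph make clear that ptrace(2)-based interception covers both. Two behaviours documented here also deserve a sentence each: the fallback from `trace` to `dso` when `/proc/sys/kernel/seccomp/actions_avail` lacks `trap` is described as silent ("will have no effect"), which matters for anyone relying on log_subcmds for audit coverage, so say whether sudo logs a warning; and "incompatible with sudo's SELinux RBAC support" should say what happens when `dso` is combined with an SELinux role (command refused, or RBAC ignored?).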
@@ -6777,7 +6836,7 @@ by default and interferes with file descriptor inheritance.
.sp
Linux systems that support
seccomp(2)
filtering will use a different method involving
filtering can use a different method involving
ptrace(2)
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as
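Review bot: with the mechanism now selectable, "can use" needs a pointer to where the choice is made; suggest adding "(see the intercept_type option, value trace)" here so the reader can find the `trap` requirement on /proc/sys/kernel/seccomp/actions_avail and the fallback to `dso` documented in that entry.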


@@ -24,7 +24,7 @@
.nr BA @BAMAN@
.nr LC @LCMAN@
.nr PS @PSMAN@
.Dd May 4, 2022
.Dd May 24, 2022
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -3123,18 +3123,20 @@ To prevent this from happening,
will not permit a set-user-ID or set-group-ID program to be run in
intercept mode unless
.Em intercept_allow_setid
is set.
is enable.
This flag has no effect unless the
.Em intercept
flag is enabled or the
.Em INTERCEPT
tag has been set for the command.
This flag is
.Em off
by default except on Linux systems that support
.Xr seccomp 2
filtering, where it defaults to
.Em on .
.Em on
by default when the
.Em intercept_type
option is set to
.Em trace ,
otherwise it default to
.Em off .
.Pp
This setting is only supported by version 1.9.8 or higher.
.It intercept_authenticate
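Review bot: the same two typos as in the man-format source appear in this mdoc hunk: `is enable.` should read `is enabled.`, and `otherwise it default to` should read `otherwise it defaults to`; both files need the fix so the generated pages stay in sync.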
@@ -3982,6 +3984,57 @@ list or the
option is disabled.
The default is
.Pa @editor@ .
.It intercept_type
The underlying mechanism used by the
.Em intercept
and
.Em log_subcmds
options.
It has the following possible values:
.Bl -tag -width 6n
.It dso
Preload a dynamic shared object (shared library) that intercepts the
.Fn execl ,
.Fn execle ,
.Fn execlp ,
.Fn execv ,
.Fn execve ,
.Fn execvp ,
and
.Fn execvpe
library functions.
A value of
.Em dso
is incompatible with
.Nm sudo Ns 's
SELinux RBAC support.
.It trace
Use
.Xr ptrace 2
to intercept the
.Xr execve 2
system call.
This is only supported on Linux systems where
.Xr seccomp 2
filtering is enabled.
If the
.Pa /proc/sys/kernel/seccomp/actions_avail
file is missing or does not contain a
.Dq trap
element, setting
.Em intercept_type
to
.Em trace
will have no effect and
.Em dso
will be used instead.
.El
.Pp
The default is to use
.Em trace
if it is supported by the system and
.Em dso
if it is not.
.It iolog_dir
The top-level directory to use when constructing the path name for
the input/output log directory.
@@ -6266,7 +6319,7 @@ by default and interferes with file descriptor inheritance.
.Pp
Linux systems that support
.Xr seccomp 2
filtering will use a different method involving
filtering can use a different method involving
.Xr ptrace 2
instead of pre-loading a shared library.
This method supports both static and dynamic executables as well as