Add intercept_type sudoers option to set intercept/log_subcmds mechanism.

plugins/sudoers/def_data.c

@@ -44,6 +44,12 @@ static struct def_values def_data_log_format[] = {
     { NULL, 0 },
 };
 
+static struct def_values def_data_intercept_type[] = {
+    { "dso", dso },
+    { "trace", trace },
+    { NULL, 0 },
+};
+
 struct sudo_defs_types sudo_defs_table[] = {
     {
 	"syslog", T_LOGFAC|T_BOOL,
@@ -657,6 +663,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"passprompt_regex", T_LIST|T_SPACE|T_BOOL,
 	N_("List of regular expressions to use when matching a password prompt"),
 	NULL,
+    }, {
+	"intercept_type", T_TUPLE,
+	N_("The mechanism used by the intercept and log_subcmds options: %s"),
+	def_data_intercept_type,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -306,6 +306,8 @@
 #define def_log_passwords       (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag)
 #define I_PASSPROMPT_REGEX      152
 #define def_passprompt_regex    (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list)
+#define I_INTERCEPT_TYPE        153
+#define def_intercept_type      (sudo_defs_table[I_INTERCEPT_TYPE].sd_un.tuple)
 
 enum def_tuple {
     never,
@@ -319,5 +321,7 @@ enum def_tuple {
     tty,
     kernel,
     sudo,
-    json
+    json,
+    dso,
+    trace
 };

plugins/sudoers/def_data.in

@@ -475,3 +475,7 @@ log_passwords
 passprompt_regex
 	T_LIST|T_SPACE|T_BOOL
 	"List of regular expressions to use when matching a password prompt"
+intercept_type
+	T_TUPLE
+	"The mechanism used by the intercept and log_subcmds options: %s"
+	dso trace

plugins/sudoers/defaults.c

@@ -548,8 +548,7 @@ init_defaults(void)
 #endif
     if ((def_rlimit_core = strdup("0,0")) == NULL)
 	goto oom;
-    if (ISSET(sudo_user.flags, CAN_INTERCEPT_SETID))
-	def_intercept_allow_setid = true;
+    def_intercept_type = dso;
     def_netgroup_tuple = false;
     def_sudoedit_checkdir = true;
     def_iolog_mode = S_IRUSR|S_IWUSR;

plugins/sudoers/policy.c

@@ -297,10 +297,24 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 		goto oom;
 	    continue;
 	}
+	if (MATCHES(*cur, "intercept_ptrace=")) {
+	    int val = sudo_strtobool(*cur + sizeof("intercept_ptrace=") - 1);
+	    if (val == -1) {
+		INVALID("intercept_ptrace=");	/* Not a fatal error. */
+	    } else if (!append_default("intercept_type",
+		    val ? "trace" : "dso", true, NULL, defaults)) {
+		goto oom;
+	    }
+	    continue;
+	}
 	if (MATCHES(*cur, "intercept_setid=")) {
-	    if (parse_bool(*cur, sizeof("intercept_setid") - 1,
-		&sudo_user.flags, CAN_INTERCEPT_SETID) == -1)
-		goto bad;
+	    int val = sudo_strtobool(*cur + sizeof("intercept_setid=") - 1);
+	    if (val == -1) {
+		INVALID("intercept_setid=");	/* Not a fatal error. */
+	    } else if (!append_default("intercept_allow_setid", NULL, val,
+		    NULL, defaults)) {
+		goto oom;
+	    }
 	    continue;
 	}
 #ifdef HAVE_SELINUX
@@ -605,7 +619,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
     }
 
     /* Increase the length of command_info as needed, it is *not* checked. */
-    command_info = calloc(70, sizeof(char *));
+    command_info = calloc(71, sizeof(char *));
     if (command_info == NULL)
 	goto oom;
 
@@ -777,6 +791,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	if ((command_info[info_len++] = strdup("intercept=true")) == NULL)
 	    goto oom;
     }
+    if (def_intercept_type == trace) {
+	if ((command_info[info_len++] = strdup("use_ptrace=true")) == NULL)
+	    goto oom;
+    }
     if (def_noexec) {
 	if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
 	    goto oom;

plugins/sudoers/sudoers.h

@@ -145,7 +145,6 @@ struct sudo_user {
  */
 #define RUNAS_USER_SPECIFIED	0x01
 #define RUNAS_GROUP_SPECIFIED	0x02
-#define CAN_INTERCEPT_SETID	0x04
 
 /*
  * Return values for sudoers_lookup(), also used as arguments for log_auth()