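//
// Sample configuration file.
// (C) 1999 Marek Zelem
// (C) 1999,2000 Milan Pikula
// This comes as a part of the Medusa DS9 package.
//

/*
 * This will divide the system into `local' and `network' parts. If
 * a process is local, it can do almost anything. If it's `network', it
 * can see only selected files and perform only a few actions. You don't
 * need to specify which process will be `local' or `network' - a process
 * becomes `network' when it creates an inet socket (that means that
 * it will affect both incoming and outgoing connections, both TCP
 * and UDP (well, raw too..).
 *
 * Something more about how this works is noted in
 * ../Constable/Mlibc/f_getpeername.c
 *
 * Special feature: There are some "trusted" binaries, such as "route",
 * which are not restricted after creating inet socket. We will mark
 * such processes with bit 0b01 in flags.
 *
 * One more special feature: Do not allow the /bin/login to create an
 * inet socket (Yellow Pages in many distributions), and don't restrict
 * it, of course. Let's name this feature "login hack" and mark processes
 * with this feature in flags (bit 0b10).
 */

/* Virtual spaces Description
 *
 * Files:      0b001 local files
 *             0b010 network read-only files
 *             0b100 network read-write files
 *
 * Processes:  0b00w local process
 *             0bwr0 network process
 *
 * Operators as they are used below (inferred from this file's own
 * comments): `x ?& m' is true when x has a bit of m set, `x ?! m' when
 * it does not, and `x /= m' clears the bits of m in x.
 */

recursive for set "/"           vs=0b0000000000000011;  // network sees, local has it
recursive for set "/medusa"     vs=0b0000000000000001;  // only local
recursive for set "/home"       vs=0b0000000000000111;  // net can modify and see, local has it
recursive for set "/tmp"        vs=0b0000000000000111;
recursive for set "/var/log"    vs=0b0000000000000111;
recursive for set "/var/run"    vs=0b0000000000000111;
recursive for set "/dev/{t,p}ty{,1,2,3,4,5,6,??}"   vs=0b0000000000000111;
recursive for set "/dev/{zero,null,urandom}"        vs=0b0000000000000111;

/*
 * This will restrict any process that has something to do with network:
 * it moves the process into the network spaces, narrows what it may read
 * and write, strips the dangerous capabilities and starts watching its
 * unlinks and kills. init (pid 1) is left alone.
 */
function restrict {
    if (pid==1)                 /* don't restrict init */
        return 1;
    fsact |= FS_UNLINK;         /* watch the unlinks */
    vs  = 0b110;
    vss = 0b110;
    vsr /= 0b001;   /* drop the `local' space from the readable set: the
                     * process can read only files that are in at least one
                     * of the two network spaces (0b010 or 0b100). */
    vsw /= 0b011;   /* drop `local' and `network read-only': it can write
                     * only files that are in the network read-write
                     * space (0b100). */
    ecap/=CAP_SETPCAP|CAP_LINUX_IMMUTABLE|CAP_NET_RAW
          |CAP_IPC_OWNER|CAP_SYS_MODULE
          |CAP_SYS_RAWIO|CAP_SYS_PTRACE|CAP_SYS_BOOT
          |CAP_SYS_NICE|CAP_SYS_RESOURCE|CAP_SYS_TIME;
    procact|=P_KILL;            /* so that `on kill' below sees this process */
    // log_proc "restrict";
}

/*
 * Only syscall 102 (socketcall) is traced - see `on fork' below. A process
 * creating a PF_INET or PF_INET6 socket is either refused (login hack),
 * left alone (trusted, bit 0b01 in flags) or restricted.
 */
on syscall {
    if (action == 102) {                        /* socketcall */
        if ( trace1 == 1                        /* SYS_SOCKET */
             and lpeek trace2 $x                /* verify_area() */
             and ($x == 2 or $x == 10) ) {      /* PF_INET, or PF_INET6 (10 on
                                                 * Linux) - an IPv6 socket gives
                                                 * the same network reach, so it
                                                 * is treated the same way */
            // it opens an inet socket
            if (flags ?& 0b10) {                /* login hack? */
                answer = MED_NOT;
                log "login hack";
            }
            // otherwise, if it is not a trusted process and if
            // it still is `local', restrict it.
            else if (flags ?! 0b01 && vs ?& 0b01) {
                log "Process " pid " is restricted now.";
                restrict;
            }
        }
    }
    else                /* we are not interested in other system calls */
        trace_off action;
}

// trusted programs - they keep their mode (restricted/full) when
// they call socket():
for exec "/sbin/{route,ifconfig,ipchains}"
    flags|=0b01;

for exec "/bin/login" {
    flags |= 0b10;      // login hack: mark /bin/login as the program
                        // which cannot open the socket
    procact|=P_EXEC;    // and turn on the exec watching to turn this
                        // flag off for login's successor.
}

for exec "/usr/sbin/syslogd" {
    // seems like we trust this (to keep this config small)
    // reason: both local and network processes want to use this.
    vs=0b111;
}

on exec {
    // turn off the login hack for login's successor (whoever it is)
    if( action==0 /* pred execom */ and flags ?& 0b10 ) {
        flags/=0b10;            // turn it off
        procact /= P_EXEC;      // and we don't care about EXEC anymore
    }
}

on fork {
    // we must check, if the `local' process is not trying to make
    // the inet socket.
    if (vs ?& 0b001) {
        trace_on 102;
        vs/=0b110;              // to fix the default 0b111 value
    }
}

on kill {
    // `network' user cannot kill constable or init process
    if (vs ?! 0b001)
        if (target_pid==constable_pid or target_pid==1)
            answer=MED_NOT;
}

/* network users have different passwords */
for access "/etc/shadow"
    if(vs ?! 0b001)
        redirect "/etc/shadow.net";
for access "/etc/passwd"
    if(vs ?! 0b001)
        redirect "/etc/passwd.net";

/************************************************************************/
// the portal to another dimension - just a pure 'ps' process.
for exec "/bin/pshacker"
    if (vs ?! 0b110) {
        vs  = 0b111;            // local users see the network processes via
        vss = 0b111;            // pshacker
    } else
        redirect "/usr/games/trek";     // but network users can
                                        // only play startrek.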