lidsconf.c

关于LINUX安全内核的源代码

/*
#       lidsadm.c --- The Linux Intrusion Detection System Configuration Tool 
#       (C) Huagang Xie 1999-2001 All rights reserved.
#       EMail complaints to xie@gnuchina.org
#
#       This program is free software; you can redistribute it and/or modify
#       it under the terms of the GNU General Public License as published by
#       the Free Software Foundation; either version 2 of the License, or
#       (at your option) any later version.
#
#       This program is distributed in the hope that it will be useful,
#       but WITHOUT ANY WARRANTY; without even the implied warranty of
#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#       GNU General Public License for more details.
#
#       You should have received a copy of the GNU General Public License
#       along with this program; if not, write to the Free Software
#       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
*/

/* ------------------------------------------------------------------------- */

/* Includes */

#ifdef HAVE_CONFIG_H
#include <../config.h>
#endif

/*#define _GNU_SOURCE*/
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <linux/capability.h>
#include <linux/kdev_t.h>
#include <string.h>
#include <getopt.h>

#include "lidstools.h"
#include "lids_capflag.h"

#include <linux/lidsif.h>

/*#define DEBUG*/

#define LIDS_STR2(x) #x
#define LIDS_STR(X) LIDS_STR2(X)

#ifdef DEBUG
#define LIDS_DBG(msg...)  printf("LIDS." __FUNCTION__ ".l" LIDS_STR(__LINE__) ": " ##msg)
#else
#define LIDS_DBG(msg...)
#endif



/* ------------------------------------------------------------------------- */


/*  globals */

char lids_type_desc[6][9] = {"DENY","READONLY","APPEND","WRITE","IGNORE","GRANT\0"};
int  lids_type_val[6] = { LIDS_DENY,
			  LIDS_DENY|LIDS_READONLY,
			  LIDS_DENY|LIDS_READONLY|LIDS_APPEND,
			  LIDS_DENY|LIDS_READONLY|LIDS_APPEND|LIDS_WRITE,
			  LIDS_DENY|LIDS_READONLY|LIDS_APPEND|LIDS_WRITE,
			  LIDS_CAP
};

char lids_special_target_val[2] = {0,1};

lids_t lids[1024];
int	last;
int 	bindport[LIDS_PORT_ITEM][2]; 


/* ------------------------------------------------------------------------- */


void exit_error (int status, char *msg)
{
	fprintf (stderr, "lidsconf: %s\n", msg);
	if(status == 3 )
		perror("reason:");
	printf("\n");
	exit (status);
}

void exit_version ()
{
	printf ("lidsconf version " VERSION " for the LIDS project\n");
	exit(1);
}

void exit_normal ()
{
	printf ("lidsconf version " VERSION " for the LIDS project\n"
		"Use 'lidsconf -h' for help\n");
	exit(1);
}

void exit_help ()
{
	entry_t *entry;

	
	printf ("lidsconf version " VERSION " for the LIDS project\n"
		"       Huagang Xie<xie@gnuchina.org>\n"
		"       Philippe Biondi <philippe.biondi@webmotion.net>\n\n"
		"Usage: lidsconf -A [-s subject] -o object [-d] [-t from-to] [-i level] -j ACTION\n"
		"       lidsconf -D [-s file] [-o file] \n"
		"       lidsconf -Z\n"
		"       lidsconf -U\n"
		"       lidsconf -L [-e]\n"
		"       lidsconf -P\n"
		"       lidsconf -v\n"
		"       lidsconf -h\n\n"
		"Commands:\n"
		"       -A,--add	To add an entry\n"
		"       -D,--delete	To delete an entry\n"
		"       -Z,--zero	To delete all entries \n"
		"       -U,--update	To update dev/inode numbers\n"
		"       -L,--list	To list all entries \n"
		"       -P,--passwd	To encrypt a password with RipeMD-160\n"
		"       -v,--version	To show the version\n"
 		"       -h,--help	To list this help \n\n"
		"subject: -s,--subject subj\n"
		"       can be any program, must be a file\n" 
		"object: -o,--object [obj]\n"
		"       can be a file, directory or special device (e.g. MEM, HD, NET, IO,\n"
                "                                                        HIDDEN, KILL)\n"
		"ACTION: -j,--jump\n"
		"       DENY     deny access\n"
		"       READONLY read only\n" 
		"       APPEND   append only\n"
	        "       WRITE    writable\n"
		"       GRANT    grant capability to subject\n"
		"       IGNORE   ignore any permissions set on this object\n"
		
		"OPTION:\n"	
		"      -d,--domain	The object is an EXEC Domain\n"
		"      -i,--inheritance Inheritance level\n"
		"      -t,--time	Time dependency\n"
		"      -e,--extended	Extended list\n"
);

	printf("\nAvailable capabilities:\n");
	for_each_entry(cap_list,entry)
		printf("%20s %s\n",entry->name,entry->desc);
	


	exit(1);
}




void lids_del_all()
{
	FILE *fd;
	
	if((fd = fopen(LIDS_CONF_FILE,"w"))== NULL ) {
		exit_error(3,"cannot open "LIDS_CONF_FILE);
	}
	fwrite(LIDS_CONF_COMMENT,1,strlen(LIDS_CONF_COMMENT),fd);
	fclose(fd);
}

/*
 *	lids_get_str get the ino,dev,filename from the buff.
 *	the format of buffer is "inode:dev:filename"
 */
int lids_get_str(char *buffer,unsigned long * ino,int *dev,char *filename)
{
	char    *p,*q;
	char 	ino_str[1024];
	char 	ino_dev[1024];

	memset(ino_str,'\0',1024);
	memset(ino_dev,'\0',1024);

	p = q = NULL;
	p = strchr(buffer,':');	
	if ( p == NULL ) return -1; 
	*p = '\0';
	strncpy(ino_str,buffer,p-buffer);
	p++;
	q = strchr(p+1,':');
	if ( q == NULL ) return -1; 
	strncpy(ino_dev,p,q-p);

	strcpy(filename,q+1);
	*ino = atol(ino_str);
	*dev = atoi(ino_dev);
	return 0;
}
/*
 * check_format check if the given buf is the valid string for current version
 */
int check_format(char *buf)
{
	int i,j;
	char *p=NULL;

	i=0;
	p = strchr(buf,':');
	while(p!=NULL) {
		p = strchr(p+1,':');
		i++;
	}
	if(i!=8) return -1;
	return 0;
}
/*
 *  lids read conf read /etc/lids.conf into a data structure.
 */ 
void lids_read_conf()
{
	FILE 	*fd;
	int	i=0,type;
	char 	buffer[1024];
	char    *p,*q;
		
	if((fd = fopen(LIDS_CONF_FILE,"r"))== NULL ) {
		exit_error(3,"cannot open "LIDS_CONF_FILE);
	}
	while(fgets(buffer,1024,fd) && i < 1024) {
		if ( buffer[0] == '#' ) continue;
		if ( buffer[strlen(buffer)-1] == '\n' )
			buffer[strlen(buffer)-1] = '\0' ;
		if(check_format(buffer) < 0) {
			printf("syntax error in %s\n", LIDS_CONF_FILE);
			exit(-1);
		}
		p = strchr(buffer,':');	
		if ( p == NULL ) continue; 
		q = strchr(p+1,':');
		if ( q == NULL ) continue; 
		p = strchr(q+1,':');	
		if ( p == NULL || *(p+1) == ':' ) continue; 
		*p = '\0';
		/* get the permission type */
		q = strchr(p+1,':');
		if(q==NULL) continue;
		
		*q='\0';
		lids[i].type = atoi(p+1);

		/* get the inherit level */ 	
		p = strchr(q+1,':');
		if ( p == NULL || *(p+1) == ':' ) continue;
		*p = '\0';
		lids[i].inherit = atoi(q+1);

		/* get the time like :19283-89283 */
		q = rindex(p+1,':');
		*q = '\0';

		if( lids_get_time(q+1,lids[i].time)<0 ) 
			continue;
		
		if (lids_get_str(buffer,&lids[i].s_ino,&lids[i].s_dev,lids[i].s_file) <0 ) continue;
		
		if (lids_get_str(p+1,&lids[i].o_ino,&lids[i].o_dev,lids[i].o_file) <0 ) continue;
		if ((lids[i].type==LIDS_CAP) && (lids[i].o_dev==getentrybyname(cap_list,"CAP_NET_BIND_SERVICE")->val))
			str2data(p+1,lids[i].port,1,LIDS_PORT_ITEM);

#ifdef DEBUG
		printf("inode= %d, dev= %d, file= %s, type= %d, inherit= %d, o_inode= %ld, o_dev= %d, o_file= %s, from:%ld, to_%ld\n",lids[i].s_ino,
                                                                                                                    lids[i].s_dev,
                                                                                                                    lids[i].s_file,
                                                                                                                    lids[i].type,
                                                                                                                    lids[i].inherit,
                                                                                                                    lids[i].o_ino,
                                                                                                                    lids[i].o_dev,
                                                                                                                    lids[i].o_file,
														    lids[i].time[0][0],
														    lids[i].time[1][0]);
#endif
		i++;
	}
	last = i;

	fclose(fd);
}

void lids_write_file()
{
	int i=0;
	FILE *fd;
	
	if((fd = fopen(LIDS_CONF_FILE,"w"))== NULL ) {
		exit_error(3,"cannot open "LIDS_CONF_FILE);
	}
	fwrite(LIDS_CONF_COMMENT,1,strlen(LIDS_CONF_COMMENT),fd);
	for(i=0;i<last;i++) {
		if(lids[i].type != LIDS_DELETE_FLAG ) {
			if(lids[i].type == LIDS_CAP && 
			  lids[i].o_dev==getentrybyname(cap_list,"CAP_NET_BIND_SERVICE")->val)

				fprintf(fd,"%d:%d:%s:%d:%d:%s:%d:%s:%s\n",
					lids[i].s_ino, lids[i].s_dev,
                                        lids[i].s_file, lids[i].type,
                                        lids[i].inherit,
                                        disp_multi_data(lids[i].port,1),
					lids[i].o_dev,
                                        lids[i].o_file, 
					disp_multi_data(lids[i].time,0),0);
			else 
				fprintf(fd,"%d:%d:%s:%d:%d:%d:%d:%s:%s\n",
					lids[i].s_ino, lids[i].s_dev,
                                        lids[i].s_file, lids[i].type,
                                        lids[i].inherit,
                                        lids[i].o_ino, lids[i].o_dev,
                                        lids[i].o_file, 
					disp_multi_data(lids[i].time,0),0);
		}
	}

	fclose(fd);
}
/*
 *	get the str desc number from type number
 */ 
int get_type_str(int type)
{
	int k,j;
	
	k = -1;
	for(j=0;j<6;j++) {
		if(type == lids_type_val[j]) {
			k=j;
			break;
		}
	}
	if(k == -1 ) exit_error(2,"type mismatch in "LIDS_CONF_FILE);
	return k;
}

void lids_list_file(int type)
{
	int i,j,k;
	static char anyfile[] = "Any file";
	char *src,*obj;
	
	lids_read_conf();
#ifdef DEBUG
	printf("last = %d \n",last);
#endif
	if ( type == LIDS_EXTEND) 
		printf("Subj ino,dev   Obj ino,dev  type  ");
	printf("                Subject   ACCESS(inherit)        time        Object\n");
                                                                           
	printf("-----------------------------------------------------\n");
	for(i=0;i<last;i++) {
		src=anyfile;
		obj=anyfile;

		if(*lids[i].s_file)
			src=lids[i].s_file;

		if(*lids[i].o_file)
			obj=lids[i].o_file;

		if( type == LIDS_EXTEND) 
			printf("%6d,%6d %6d,%6d %6d",lids[i].s_ino,lids[i].s_dev,lids[i].o_ino,lids[i].o_dev,lids[i].type);


		printf("%23s  %8s%s:%3d  %s  %20s %s\n",
		       src,
		       lids_type_desc[get_type_str(abs(lids[i].type))],
		       lids[i].type < 0 ? "" : "(domain)",
		       lids[i].inherit,
		       time2str(lids[i].time),
		       obj,
		       strncmp("CAP_NET_BIND_SERVICE",obj,20) ? "" : disp_multi_data(lids[i].port,1) );		
	}
	printf("\n\n");
}
/*
 *	lids_search_file()
 *
 *	lids search the file by given file and type.
 *
 */
int lids_search_file(char *s_file,char *o_file) 
{
	int i ,flag,number=0;

	for ( i = 0; i<last ; i++ ) {
		flag = 0;
		if (*s_file != '\0') {
		 	flag = strcmp(lids[i].s_file , s_file);
		}
		if (*o_file != '\0')
		 	flag |= strcmp(lids[i].o_file , o_file);
		if(!flag) {
			number++;
			lids[i].type = LIDS_DELETE_FLAG;
		}
	}
        printf("delete %d items\n",number);
	return number;
}

/*
 *	lids_search_inode()
 *
 *	lids search the file by given inode , dev  and type.
 *
 */
int lids_search_inode(struct stat s_st,struct stat o_st) 
{
	int i;

	for ( i = 0; i<last ; i++ ) {