/*
 * rigid syslog
 * Permit syslog() calls only with an allowed facility and severity.
 *
 * Environment variable examples:
 *
 * Permit whitelisted program identifier names;
 * a trailing star is treated as a wildcard.
 *
 * RGDLOG_PROGNAME=myprog1,myprog2,myprog*
 *
 * Deny blacklisted program identifier names:
 * the blacklist takes precedence over the whitelist;
 * leave it unset to use only the whitelist.
 *
 * RGDLOG_PROGNAME_NO=cron,sshd,exim*
 *
 * Comma-separated lists of allowed facilities and severities:
 * see <syslog.h> for the meaning of the values.
 *
 * RGDLOG_FACILITY=1,17,18,19
 * RGDLOG_SEVERITY=3,4,5
 */
#include <dlfcn.h>
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
- // gcc -O0 -ldl -shared rgdlog.c -o rgdlog.so
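/* Facility recorded by the last openlog() call, already shifted right by 3
 * (the LOG_FAC value); 0 until openlog() has been seen. */
int session_facility = 0;

/* Policy lists read from the environment by the constructor.  NULL means
 * "no restriction" for that list.  Each is normally a private heap copy so
 * that tokenising it later cannot rewrite the process environment. */
char *rgdlog_progname = NULL;
char *rgdlog_progname_no = NULL;
char *rgdlog_facility = NULL;
char *rgdlog_severity = NULL;

/* Return a heap copy of getenv(name), or NULL when the variable is unset.
 *
 * A copy is taken because the consumers tokenise the list in place (strtok
 * writes NUL bytes into it); doing that on getenv()'s pointer mutates environ
 * itself, so a child exec'd after the first openlog() would inherit a
 * truncated policy (only the first list entry).  If the copy cannot be
 * allocated the raw environment pointer is returned instead, which keeps the
 * policy enforced at the cost of that protection. */
static char *rgdlog_dup_env(const char *name)
{
    char *value = getenv(name);
    if (value == NULL) {
        return NULL;
    }
    size_t size = strlen(value) + 1;
    char *copy = malloc(size);
    if (copy == NULL) {
        fprintf(stderr, "rgdlog: out of memory copying %s, using environment in place\n", name);
        return value;
    }
    memcpy(copy, value, size);
    return copy;
}

/* Library constructor: snapshot the RGDLOG_* policy variables once at load
 * time.  All four are optional; an unset variable disables that check. */
__attribute__ ((constructor)) void f(void)
{
    rgdlog_progname = rgdlog_dup_env("RGDLOG_PROGNAME");
    rgdlog_progname_no = rgdlog_dup_env("RGDLOG_PROGNAME_NO");
    rgdlog_facility = rgdlog_dup_env("RGDLOG_FACILITY");
    rgdlog_severity = rgdlog_dup_env("RGDLOG_SEVERITY");
}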
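/* Return non-zero when `ident` matches an entry of the comma-separated `list`.
 *
 * An entry ending in '*' matches any ident that starts with the characters
 * before the star (a bare "*" matches everything); any other entry must match
 * exactly.  Empty entries ("a,,b") never match.  The list is only read, never
 * written, so the same list can be consulted on every call (the previous
 * strtok()-based scan rewrote the list on first use, leaving only its first
 * entry and stripping the '*' from wildcards) and no copy of `ident` is made
 * (the previous truncated copy was written past its end whenever `ident` was
 * shorter than the wildcard prefix). */
static int rgdlog_name_matches(const char *list, const char *ident)
{
    size_t ident_len = strlen(ident);
    const char *entry = list;

    for (;;) {
        const char *comma = strchr(entry, ',');
        size_t len = comma != NULL ? (size_t)(comma - entry) : strlen(entry);

        if (len > 0) {
            if (entry[len - 1] == '*') {
                /* prefix match on everything before the star */
                if (ident_len >= len - 1 && memcmp(entry, ident, len - 1) == 0) {
                    return 1;
                }
            } else if (ident_len == len && memcmp(entry, ident, len) == 0) {
                return 1;
            }
        }
        if (comma == NULL) {
            return 0;
        }
        entry = comma + 1;
    }
}

/* Interposed openlog(3): forward to libc only when `ident` passes the
 * RGDLOG_PROGNAME whitelist and the RGDLOG_PROGNAME_NO blacklist.
 *
 * ident    - program identifier the caller wants prefixed to its messages.
 *            NULL is legal for libc (it then uses the program name) but cannot
 *            be matched against a name list, so a NULL ident is refused when a
 *            whitelist is configured and never blacklisted.
 * option   - passed through unchanged.
 * facility - passed through unchanged; its LOG_FAC value is also recorded in
 *            session_facility for syslog() calls that carry no facility.
 *
 * A refused openlog() is reported on stderr and not forwarded.  Note that the
 * interposed syslog() does not consult the name lists, so later messages from
 * a refused program still pass (under libc's default ident) unless the
 * facility/severity lists stop them. */
void openlog(const char *ident, int option, int facility)
{
    static void (*real_openlog)(const char *, int, int) = NULL;

    if (real_openlog == NULL) {
        /* Look libc up by soname rather than by an absolute path, which differs
         * between distributions (/lib, /lib64, /lib/<multiarch>).  libc is
         * already loaded, so this returns the existing handle.  Failure is
         * fatal: an interposer that cannot reach libc fails closed. */
        void *handle = dlopen("libc.so.6", RTLD_LAZY);
        if (handle == NULL) {
            fprintf(stderr, "dlopen: %s\n", dlerror());
            exit(1);
        }
        real_openlog = dlsym(handle, "openlog");
        if (real_openlog == NULL) {
            fprintf(stderr, "dlsym: %s\n", dlerror());
            exit(1);
        }
    }

    session_facility = facility >> 3; /* LOG_FAC(facility) */

    /* whitelist: when configured, the ident must match one of its entries */
    int permit = 1;
    if (rgdlog_progname != NULL) {
        permit = ident != NULL && rgdlog_name_matches(rgdlog_progname, ident);
    }
    /* blacklist: applied after the whitelist so that it always wins */
    if (permit && rgdlog_progname_no != NULL && ident != NULL) {
        permit = !rgdlog_name_matches(rgdlog_progname_no, ident);
    }

    if (!permit) {
        fprintf(stderr, "rgdlog: syslog program name \"%s\" prohibited.\n",
                ident != NULL ? ident : "(null)");
        return;
    }
    real_openlog(ident, option, facility);
}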
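/* Return non-zero when `value` appears in the comma-separated decimal `list`.
 *
 * An entry is accepted only if it parses completely (surrounding blanks are
 * tolerated).  Malformed entries are ignored rather than treated as 0: the
 * previous atoi() scan turned "abc" into 0, which is LOG_KERN / LOG_EMERG, so
 * a typo in the policy could widen it by accident. */
static int rgdlog_number_matches(const char *list, int value)
{
    const char *entry = list;

    while (*entry != '\0') {
        char *end = NULL;
        errno = 0;
        long parsed = strtol(entry, &end, 10);
        int parsed_something = end != entry && errno == 0;
        while (*end == ' ' || *end == '\t') {
            end++;
        }
        int complete = parsed_something && (*end == ',' || *end == '\0');

        if (complete && parsed == value) {
            return 1;
        }
        const char *comma = strchr(entry, ',');
        if (comma == NULL) {
            break;
        }
        entry = comma + 1;
    }
    return 0;
}

/* Interposed syslog(3): forward to libc's vsyslog() only when the message's
 * facility is listed in RGDLOG_FACILITY and its severity in RGDLOG_SEVERITY
 * (an unset variable disables that check).
 *
 * priority - facility | severity as in <syslog.h>.  A priority without a
 *            facility takes the one recorded by openlog(); if openlog() has
 *            not been called (or was called with facility 0) libc logs under
 *            LOG_USER, so the check uses LOG_USER (1) as well instead of 0.
 * format   - printf-style format.  The variadic arguments are handed on
 *            untouched through a va_list, so multi-argument and non-string
 *            conversions survive (the previous fixed `const char *` third
 *            parameter dropped or misread them).
 *
 * Refused messages are reported on stderr and dropped. */
void syslog(int priority, const char *format, ...)
{
    static void (*real_vsyslog)(int, const char *, va_list) = NULL;

    if (real_vsyslog == NULL) {
        /* libc by soname, not by an absolute path that varies per distribution;
         * it is already loaded so this yields the existing handle */
        void *handle = dlopen("libc.so.6", RTLD_LAZY);
        if (handle == NULL) {
            fprintf(stderr, "dlopen: %s\n", dlerror());
            exit(1);
        }
        real_vsyslog = dlsym(handle, "vsyslog");
        if (real_vsyslog == NULL) {
            fprintf(stderr, "dlsym: %s\n", dlerror());
            exit(1);
        }
    }

    int facility = priority >> 3; /* LOG_FAC(priority) */
    int severity = priority & 7;  /* LOG_PRI(priority) */
    if (facility == 0) {
        facility = session_facility != 0 ? session_facility : 1; /* LOG_USER */
    }

    if (rgdlog_facility != NULL && !rgdlog_number_matches(rgdlog_facility, facility)) {
        fprintf(stderr, "rgdlog: syslog facility %d prohibited.\n", facility);
        return;
    }
    if (rgdlog_severity != NULL && !rgdlog_number_matches(rgdlog_severity, severity)) {
        fprintf(stderr, "rgdlog: syslog severity %d prohibited.\n", severity);
        return;
    }

    va_list ap;
    va_start(ap, format);
    real_vsyslog(priority, format, ap);
    va_end(ap);
}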
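/* Return non-zero when `addr` (of length `addrlen`, as passed to connect())
 * is an AF_UNIX address naming the syslog socket /dev/log.
 *
 * The path is bounded by addrlen and NUL-terminated into a local buffer
 * before use; the previous code read sa_data as a C string, which is neither
 * NUL-terminated nor a path at all for non-AF_UNIX addresses, and compared an
 * unchecked, possibly uninitialised realpath() result.  Unnamed and
 * abstract-namespace (leading NUL) sockets are not filesystem paths and are
 * never matched.  Matching is by file identity (st_dev/st_ino), so
 * "/dev//log", a relative spelling, or a symlink to the socket (systemd keeps
 * /dev/log as a symlink, which defeated the previous string comparison) is
 * recognised; when /dev/log cannot be stat'ed the literal path is compared. */
static int rgdlog_is_syslog_socket(const struct sockaddr *addr, socklen_t addrlen)
{
    if (addr == NULL || addrlen < sizeof(sa_family_t) || addr->sa_family != AF_UNIX) {
        return 0;
    }
    const size_t path_off = offsetof(struct sockaddr_un, sun_path);
    if (addrlen <= path_off) {
        return 0; /* unnamed socket: no path present */
    }

    char path[sizeof(((struct sockaddr_un *)0)->sun_path) + 1];
    size_t path_len = addrlen - path_off;
    if (path_len > sizeof path - 1) {
        path_len = sizeof path - 1;
    }
    /* byte copy through a char pointer: no aliasing cast of sockaddr needed */
    memcpy(path, (const char *)addr + path_off, path_len);
    path[path_len] = '\0';
    if (path[0] == '\0') {
        return 0; /* abstract-namespace socket (Linux) */
    }

    struct stat target, candidate;
    if (stat("/dev/log", &target) == 0) {
        return stat(path, &candidate) == 0
               && candidate.st_dev == target.st_dev
               && candidate.st_ino == target.st_ino;
    }
    return strcmp(path, "/dev/log") == 0;
}

/* Interposed connect(2): refuse direct connections to the syslog socket so
 * that the filtered syslog() above cannot be sidestepped by talking to
 * /dev/log directly.  Refused attempts fail with EACCES, like a permission
 * denial on the socket; every other address is forwarded to libc unchanged.
 * Coverage is limited to connect(): sends on an unconnected datagram socket
 * do not pass through this hook.  The policy check runs before libc is
 * resolved so a refusal never depends on dlopen() succeeding. */
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t) = NULL;

    if (rgdlog_is_syslog_socket(addr, addrlen)) {
        fprintf(stderr, "rgdlog: bare syslog connection attempt prevented.\n");
        errno = EACCES;
        return -1;
    }

    if (real_connect == NULL) {
        /* libc by soname rather than a distribution-specific absolute path;
         * it is already loaded so this yields the existing handle */
        void *handle = dlopen("libc.so.6", RTLD_LAZY);
        if (handle == NULL) {
            fprintf(stderr, "dlopen: %s\n", dlerror());
            exit(1);
        }
        real_connect = dlsym(handle, "connect");
        if (real_connect == NULL) {
            fprintf(stderr, "dlsym: %s\n", dlerror());
            exit(1);
        }
    }
    return real_connect(sockfd, addr, addrlen);
}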