diff options
Diffstat (limited to 'tests/fstest/perm_checker.c')
-rw-r--r-- | tests/fstest/perm_checker.c | 399 |
1 files changed, 0 insertions, 399 deletions
diff --git a/tests/fstest/perm_checker.c b/tests/fstest/perm_checker.c deleted file mode 100644 index 86d2cdce..00000000 --- a/tests/fstest/perm_checker.c +++ /dev/null @@ -1,399 +0,0 @@ -/* - * Copyright (C) 2008 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -// A simple file permissions checker. See associated README. - -#define _GNU_SOURCE - -#include <stdio.h> -#include <stdlib.h> -#include <stdarg.h> -#include <string.h> -#include <ctype.h> -#include <sys/types.h> -#include <dirent.h> -#include <errno.h> - -#include <sys/stat.h> -#include <unistd.h> -#include <time.h> - -#include <pwd.h> -#include <grp.h> - -#include <linux/kdev_t.h> - -#define PERMS(M) (M & ~S_IFMT) -#define MAX_NAME_LEN 4096 -#define MAX_UID_LEN 256 -#define MAX_GID_LEN MAX_UID_LEN - -enum perm_rule_type {EXACT_FILE = 0, EXACT_DIR, WILDCARD, RECURSIVE, - NUM_PR_TYPES}; - -struct perm_rule { - char *rule_text; - int rule_line; - char *spec; - mode_t min_mode; - mode_t max_mode; - uid_t min_uid; - uid_t max_uid; - gid_t min_gid; - gid_t max_gid; - enum perm_rule_type type; - struct perm_rule *next; -}; - -typedef struct perm_rule perm_rule_t; - -static perm_rule_t *rules[NUM_PR_TYPES]; - -static uid_t str2uid(char *str, int line_num) -{ - struct passwd *pw; - - if (isdigit(str[0])) - return (uid_t) atol(str); - - if (!(pw = getpwnam(str))) { - printf("# ERROR # Invalid uid '%s' reading line %d\n", str, line_num); - exit(255); - } - return pw->pw_uid; -} - -static gid_t str2gid(char *str, int line_num) -{ - struct group *gr; - - if (isdigit(str[0])) - return (uid_t) atol(str); - - if (!(gr = getgrnam(str))) { - printf("# ERROR # Invalid gid '%s' reading line %d\n", str, line_num); - exit(255); - } - return gr->gr_gid; -} - -static int read_rules(FILE *fp) -{ - char spec[MAX_NAME_LEN + 5]; // Allows for "/..." suffix + terminator - char min_uid_buf[MAX_UID_LEN + 1], max_uid_buf[MAX_UID_LEN + 1]; - char min_gid_buf[MAX_GID_LEN + 1], max_gid_buf[MAX_GID_LEN + 1]; - char rule_text_buf[MAX_NAME_LEN + 2*MAX_UID_LEN + 2*MAX_GID_LEN + 9]; - unsigned long min_mode, max_mode; - perm_rule_t *pr; - int res; - int num_rules = 0, num_lines = 0; - - // Note: Use of an unsafe C function here is OK, since this is a test - while ((res = fscanf(fp, "%s %lo %lo %s %s %s %s\n", spec, - &min_mode, &max_mode, min_uid_buf, max_uid_buf, - min_gid_buf, max_gid_buf)) != EOF) { - num_lines++; - if (res < 7) { - printf("# WARNING # Invalid rule on line number %d\n", num_lines); - continue; - } - if (!(pr = malloc(sizeof(perm_rule_t)))) { - printf("Out of memory.\n"); - exit(255); - } - if (snprintf(rule_text_buf, sizeof(rule_text_buf), - "%s %lo %lo %s %s %s %s", spec, min_mode, max_mode, - min_uid_buf, max_uid_buf, min_gid_buf, max_gid_buf) - >= (long int) sizeof(rule_text_buf)) { - // This should never happen, but just in case... - printf("# ERROR # Maximum length limits exceeded on line %d\n", - num_lines); - exit(255); - } - pr->rule_text = strndup(rule_text_buf, sizeof(rule_text_buf)); - pr->rule_line = num_lines; - if (strstr(spec, "/...")) { - pr->spec = strndup(spec, strlen(spec) - 3); - pr->type = RECURSIVE; - } else if (spec[strlen(spec) - 1] == '*') { - pr->spec = strndup(spec, strlen(spec) - 1); - pr->type = WILDCARD; - } else if (spec[strlen(spec) - 1] == '/') { - pr->spec = strdup(spec); - pr->type = EXACT_DIR; - } else { - pr->spec = strdup(spec); - pr->type = EXACT_FILE; - } - if ((pr->spec == NULL) || (pr->rule_text == NULL)) { - printf("Out of memory.\n"); - exit(255); - } - pr->min_mode = min_mode; - pr->max_mode = max_mode; - pr->min_uid = str2uid(min_uid_buf, num_lines); - pr->max_uid = str2uid(max_uid_buf, num_lines); - pr->min_gid = str2gid(min_gid_buf, num_lines); - pr->max_gid = str2gid(max_gid_buf, num_lines); - - // Add the rule to the appropriate set - pr->next = rules[pr->type]; - rules[pr->type] = pr; - num_rules++; -#if 0 // Useful for debugging - printf("rule #%d: type = %d spec = %s min_mode = %o max_mode = %o " - "min_uid = %d max_uid = %d min_gid = %d max_gid = %d\n", - num_rules, pr->type, pr->spec, pr->min_mode, pr->max_mode, - pr->min_uid, pr->max_uid, pr->min_gid, pr->max_gid); -#endif - } - return num_lines - num_rules; -} - -static void print_failed_rule(const perm_rule_t *pr) -{ - printf("# INFO # Failed rule #%d: %s\n", pr->rule_line, pr->rule_text); -} - -static void print_new_rule(const char *name, mode_t mode, uid_t uid, gid_t gid) -{ - struct passwd *pw; - struct group *gr; - gr = getgrgid(gid); - pw = getpwuid(uid); - printf("%s %4o %4o %s %d %s %d\n", name, mode, mode, pw->pw_name, uid, - gr->gr_name, gid); -} - -// Returns 1 if the rule passes, prints the failure and returns 0 if not -static int pass_rule(const perm_rule_t *pr, mode_t mode, uid_t uid, gid_t gid) -{ - if (((pr->min_mode & mode) == pr->min_mode) && - ((pr->max_mode | mode) == pr->max_mode) && - (pr->min_gid <= gid) && (pr->max_gid >= gid) && - (pr->min_uid <= uid) && (pr->max_uid >= uid)) - return 1; - print_failed_rule(pr); - return 0; -} - -// Returns 0 on success -static int validate_file(const char *name, mode_t mode, uid_t uid, gid_t gid) -{ - perm_rule_t *pr; - int rules_matched = 0; - int retval = 0; - - pr = rules[EXACT_FILE]; - while (pr != NULL) { - if (strcmp(name, pr->spec) == 0) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; // Exact match found - } - pr = pr->next; - } - - if ((retval + rules_matched) > 1) - printf("# WARNING # Multiple exact rules for file: %s\n", name); - - // If any exact rule matched or failed, we are done with this file - if (retval) - print_new_rule(name, mode, uid, gid); - if (rules_matched || retval) - return retval; - - pr = rules[WILDCARD]; - while (pr != NULL) { - // Check if the spec is a prefix of the filename, and that the file - // is actually in the same directory as the wildcard. - if ((strstr(name, pr->spec) == name) && - (!strchr(name + strlen(pr->spec), '/'))) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; - } - pr = pr->next; - } - - pr = rules[RECURSIVE]; - while (pr != NULL) { - if (strstr(name, pr->spec) == name) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; - } - pr = pr->next; - } - - if (!rules_matched) - retval++; // In case no rules either matched or failed, be sure to fail - - if (retval) - print_new_rule(name, mode, uid, gid); - - return retval; -} - -// Returns 0 on success -static int validate_link(const char *name, mode_t mode, uid_t uid, gid_t gid) -{ - perm_rule_t *pr; - int rules_matched = 0; - int retval = 0; - - // For now, we match links against "exact" file rules only - pr = rules[EXACT_FILE]; - while (pr != NULL) { - if (strcmp(name, pr->spec) == 0) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; // Exact match found - } - pr = pr->next; - } - - if ((retval + rules_matched) > 1) - printf("# WARNING # Multiple exact rules for link: %s\n", name); - if (retval) - print_new_rule(name, mode, uid, gid); - - // Note: Unlike files, if no rules matches for links, retval = 0 (success). - return retval; -} - -// Returns 0 on success -static int validate_dir(const char *name, mode_t mode, uid_t uid, gid_t gid) -{ - perm_rule_t *pr; - int rules_matched = 0; - int retval = 0; - - pr = rules[EXACT_DIR]; - while (pr != NULL) { - if (strcmp(name, pr->spec) == 0) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; // Exact match found - } - pr = pr->next; - } - - if ((retval + rules_matched) > 1) - printf("# WARNING # Multiple exact rules for directory: %s\n", name); - - // If any exact rule matched or failed, we are done with this directory - if (retval) - print_new_rule(name, mode, uid, gid); - if (rules_matched || retval) - return retval; - - pr = rules[RECURSIVE]; - while (pr != NULL) { - if (strstr(name, pr->spec) == name) { - if (!pass_rule(pr, mode, uid, gid)) - retval++; - else - rules_matched++; - } - pr = pr->next; - } - - if (!rules_matched) - retval++; // In case no rules either matched or failed, be sure to fail - - if (retval) - print_new_rule(name, mode, uid, gid); - - return retval; -} - -// Returns 0 on success -static int check_path(const char *name) -{ - char namebuf[MAX_NAME_LEN + 1]; - char tmp[MAX_NAME_LEN + 1]; - DIR *d; - struct dirent *de; - struct stat s; - int err; - int retval = 0; - - err = lstat(name, &s); - if (err < 0) { - if (errno != ENOENT) - { - perror(name); - return 1; - } - return 0; // File doesn't exist anymore - } - - if (S_ISDIR(s.st_mode)) { - if (name[strlen(name) - 1] != '/') - snprintf(namebuf, sizeof(namebuf), "%s/", name); - else - snprintf(namebuf, sizeof(namebuf), "%s", name); - - retval |= validate_dir(namebuf, PERMS(s.st_mode), s.st_uid, s.st_gid); - d = opendir(namebuf); - if(d == 0) { - printf("%s : opendir failed: %s\n", namebuf, strerror(errno)); - return 1; - } - - while ((de = readdir(d)) != 0) { - if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) - continue; - snprintf(tmp, sizeof(tmp), "%s%s", namebuf, de->d_name); - retval |= check_path(tmp); - } - closedir(d); - return retval; - } else if (S_ISLNK(s.st_mode)) { - return validate_link(name, PERMS(s.st_mode), s.st_uid, s.st_gid); - } else { - return validate_file(name, PERMS(s.st_mode), s.st_uid, s.st_gid); - } -} - -int main(int argc, char **argv) -{ - FILE *fp; - int i; - - // Initialize ruleset pointers - for (i = 0; i < NUM_PR_TYPES; i++) - rules[i] = NULL; - - if (!(fp = fopen("/etc/perm_checker.conf", "r"))) { - printf("Error opening /etc/perm_checker.conf\n"); - exit(255); - } - read_rules(fp); - fclose(fp); - - if (check_path("/")) - return 255; - - printf("Passed.\n"); - return 0; -} |