/*
 * Policy: degrade-unknown-sugids.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek <nick@garage.freebsd.pl>
 *
 * $Id: degrade-unknown-sugids.cb,v 1.11 2003/08/12 12:36:30 dawidek Exp $
 */

#include "addons.cbh"

#if CERB_VERSION < 2003032101
#error	Newer CerbNG required for this policy.
#endif

#define DUS_VERBOSE	1


beginrules

REGISTER("degrade-unknown-sugids");

#if CERB_VERSION >= 2003062901
if (INITRUN()) {
	crsysctl("degrade_unknown_sugids");
	crsysctl("degrade_unknown_sugids.verbose", DUS_VERBOSE);
#undef	DUS_VERBOSE
#define	DUS_VERBOSE	CB_SYSCTL("degrade_unknown_sugids.verbose")
}
#endif

ADD_SYSCALL(SYS_execve);

/*
 * Remove suid bits from unknown applications.
 */
if (syscall == SYS_execve && ruid > 0) {
	reg[2] = getmode(arg[0]);
	if ((reg[2] & (S_ISUID | S_ISGID)) != 0) {
		reg[0] = arg[0];
		reg[1] = call();
		if (reg[1] != 0) {
			return reg[1];
		}
		/* Removing uid and gid 0 */
		if ((reg[2] & S_ISUID) != 0) {
			setpeuid(ruid);
			setpsvuid(ruid);
			CB_LOGEXT(DUS_VERBOSE, LOG_INFO, "Removed suid "
			    "privileges from %s (%s).", reg[0],
			    realpath(reg[0]));
		}
		if ((reg[2] & S_ISGID) != 0) {
			setpegid(rgid);
			setpsvgid(rgid);
			CB_LOGEXT(DUS_VERBOSE, LOG_INFO, "Removed sgid "
			    "privileges from %s (%s).", reg[0],
			    realpath(reg[0]));
		}
		return 0;
	}
}

endrules