/*
 * Policy: noexec-by-dir.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek
 *
 * $Id: noexec-by-dir.cb,v 1.12 2003/08/12 12:36:30 dawidek Exp $
 */

/*
 * Summary: for callers with ruid >= 1000, an execve() whose resolved path
 * matches /usr/home/, /tmp/ or /var/tmp/ (or whose path cannot be resolved)
 * is refused with EPERM. rmenv("LD_*") runs first for every execve() made
 * by those callers.
 *
 * NOTE(review): only arg[0] is examined, so a file that is handed as an
 * argument to an interpreter living outside these directories is not
 * covered by this rule. The three prefixes are hard-coded; confirm they
 * cover every user-writable location on the host (home directories
 * mounted elsewhere, other scratch areas).
 */

#include "addons.cbh"

/* The policy relies on features of CerbNG 2003032101 or later. */
#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif

/* Compile-time default for the verbosity value handed to CB_LOGEXT(). */
#define NOEXEC_BY_DIR_VERBOSE 1

beginrules

REGISTER("noexec-by-dir");

#if CERB_VERSION >= 2003062901
	/*
	 * On newer CerbNG the verbosity is exposed as a sysctl, seeded with the
	 * compile-time default above.
	 * NOTE(review): INITRUN() presumably is true only on the first pass
	 * after the policy is loaded - confirm.
	 */
	if (INITRUN()) {
		crsysctl("noexec_by_dir");
		crsysctl("noexec_by_dir.verbose", NOEXEC_BY_DIR_VERBOSE);
/*
 * Preprocessor directives are textual: from this point to the end of the
 * file NOEXEC_BY_DIR_VERBOSE expands to the sysctl read, regardless of
 * whether the enclosing if () body runs.
 */
#undef NOEXEC_BY_DIR_VERBOSE
#define NOEXEC_BY_DIR_VERBOSE CB_SYSCTL("noexec_by_dir.verbose")
	}
#endif

	/* NOTE(review): presumably hooks this policy into execve() - confirm. */
	ADD_SYSCALL(SYS_execve);

	/*
	 * Only callers with ruid >= 1000 are restricted; lower ids fall through
	 * untouched.
	 * NOTE(review): ruid is presumably the real UID, and 1000 the first
	 * ordinary-user id on this system - confirm against the local uid layout.
	 */
	if (syscall == SYS_execve && ruid >= 1000) {
		/*
		 * Runs before the path check, so it applies to allowed executions too.
		 * NOTE(review): presumably strips environment variables matching LD_*
		 * (run-time linker controls such as LD_PRELOAD) - confirm.
		 */
		rmenv("LD_*");

		/*
		 * Check the resolved path rather than the caller-supplied string.
		 * NOTE(review): assumes realpath() canonicalises symlinks and ".."
		 * components - confirm.
		 */
		reg[0] = realpath(arg[0]);

		/*
		 * Deny when the resolved path matches one of the listed directories.
		 * The MKNULL(CB_STR_T) comparison also denies when reg[0] is a null
		 * string - presumably the result of a failed realpath() - so an
		 * unresolvable path fails closed.
		 * NOTE(review): '@' appears to be a glob-style match; whether '*'
		 * spans '/' (i.e. covers nested subdirectories) is not visible here.
		 */
		if (reg[0] @ "/usr/home/*" || reg[0] @ "/tmp/*" ||
		    reg[0] @ "/var/tmp/*" || reg[0] == MKNULL(CB_STR_T)) {
			/*
			 * Logs both the requested and the resolved path.
			 * NOTE(review): arg[0] is caller-controlled; whether CB_LOGEXT
			 * escapes control characters before writing is not visible here.
			 */
			CB_LOGEXT(NOEXEC_BY_DIR_VERBOSE, LOG_WARNING, "!WARN! Don't "
			    "have permission to run %s (%s).", arg[0], reg[0]);
			return EPERM;
		}

		/*
		 * race prevention: hand the already-checked, resolved path on in
		 * place of the original argument.
		 * NOTE(review): presumably this closes the window in which the
		 * original name could be re-pointed between check and use - confirm.
		 */
		arg[0] = reg[0];
	}

endrules