/*
 * Policy: ping.
 *
 * (c) 2002, 2003 Pawel Jakub Dawidek
 *
 * $Id: ping.cb,v 1.29 2003/08/12 12:36:30 dawidek Exp $
 */

/*
 * NOTE(review): the header name of the first #include was lost when this
 * page was extracted; it is kept as found rather than guessed at.
 */
#include
#include "addons.cbh"

#if CERB_VERSION < 2003032101
#error Newer CerbNG required for this policy.
#endif

/*
 * Identity of the binary this policy protects. PING_INODE and PING_DEV
 * are derived from PING_PATH when the policy is loaded, so the rules
 * below match the file itself rather than a path string.
 */
#define PING_PNAME "ping"
#define PING_PATH "/sbin/ping"
#define PING_INODE GET_INODE(PING_PATH)
#define PING_DEV GET_DEV(PING_PATH)
/* Non-zero enables the CB_LOGEXT messages in the rules below. */
#define PING_VERBOSE 1

beginrules

REGISTER("ping");

#if CERB_VERSION >= 2003062901
/*
 * On the initial run, export the policy parameters as sysctls. After each
 * registration the corresponding macro is redefined to read the sysctl
 * value, so the remaining rules use the live sysctl rather than the
 * compile-time constant. pname and path are registered read-only.
 */
if (INITRUN()) {
	crsysctl("ping");
	crsysctl("ping.pname", PING_PNAME, CTLFLAG_RD);
	crsysctl("ping.path", PING_PATH, CTLFLAG_RD);
	crsysctl("ping.inode", PING_INODE);
#undef PING_INODE
#define PING_INODE CB_SYSCTL("ping.inode")
	crsysctl("ping.dev", PING_DEV);
#undef PING_DEV
#define PING_DEV CB_SYSCTL("ping.dev")
	crsysctl("ping.verbose", PING_VERBOSE);
#undef PING_VERBOSE
#define PING_VERBOSE CB_SYSCTL("ping.verbose")
}
#endif

/* Only these two syscalls are intercepted by this policy. */
ADD_SYSCALL(SYS_execve, SYS_socket);

/*
 * A non-root caller (ruid > 0) executing the ping binary: perform the
 * execve, then, if the new image came up with euid 0 (ping is normally
 * installed set-uid root), hand the root identity back. Root is
 * re-granted later only for the single socket() call ping needs.
 */
if (syscall == SYS_execve && ruid > 0) {
	/* Match on inode/dev of the target, not on the path string. */
	if (getinode(arg[0]) == PING_INODE && getdev(arg[0]) == PING_DEV) {
		reg[1] = call();	/* perform the execve itself */
		if (reg[1] != 0) {
			return reg[1];	/* execve failed; propagate its error */
		}
		/*
		 * Everything is correct: drop uid 0. Only the effective and
		 * saved uid are reset to ruid here; the gid is not touched.
		 */
		if (euid == 0) {
			CB_LOGEXT(PING_VERBOSE, LOG_INFO, "Removed uid 0.");
			setpeuid(ruid);
			setpsvuid(ruid);
		}
		return 0;
	}
}

/*
 * Rules for a process whose running image is the ping binary and which
 * is no longer root (euid > 0). finode/fdev are presumably the inode and
 * device of the executing image -- confirm against the CerbNG docs.
 */
if (finode == PING_INODE && fdev == PING_DEV && euid > 0) {
	if (syscall == SYS_socket) {
		/*
		 * Only an IPv4 raw ICMP socket is performed with elevated
		 * privilege; socket() calls with any other arguments are not
		 * handled by this policy.
		 */
		if (arg[0] == AF_INET && arg[1] == SOCK_RAW && arg[2] == IPPROTO_ICMP) {
			/* let's change effective uid to 0 */
			reg[0] = sucall();	/* calling socket() */
			CB_LOGEXT(PING_VERBOSE, LOG_INFO, "Opening raw socket "
			    "[ret=%d].", reg[0]);
			return reg[0];
		}
	}
	/* The de-privileged ping image must not execute anything: deny and log. */
	if (syscall == SYS_execve) {
		CB_LOGEXT(PING_VERBOSE, LOG_WARNING, "Attempt to run %s (%s).",
		    arg[0], realpath(arg[0]));
		return EPERM;
	}
}

endrules